fix: for SCAR

Author: mickael-garrido

Dockerfile.openresty

@@ -6,32 +6,37 @@ ARG NGX_HTTP_PROXY_CONNECT_MODULE_VERSION=0.0.7
 ARG OPENRESTY_VERSION=1.27.1.2
 ARG PATCH_VERSION=proxy_connect_rewrite_102101.patch
 
+ARG OPENRESTY_HASH=74f076f7e364b2a99a6c5f9bb531c27610c78985abe956b442b192a2295f7548
+ARG NGX_HTTP_PROXY_CONNECT_MODULE_HASH=b1502309b0afc3e24bdfb02aa8e7028014d06f3f4e3c99a4a867de81d9c0e47d
+
 RUN apk add --no-cache --update --virtual .build-deps gcc libc-dev make openssl-dev pcre-dev zlib-dev linux-headers patch curl git perl \
   && curl -fSL https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION}.tar.gz -o ngx_http_proxy_connect_module.tar.gz \
+  && (echo "${NGX_HTTP_PROXY_CONNECT_MODULE_HASH} ngx_http_proxy_connect_module.tar.gz" | sha256sum -c -s) \
   && mkdir -p /usr/src \
   && tar zxC /usr/src/ -f ngx_http_proxy_connect_module.tar.gz \
   && curl -fSL https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz -o openresty.tar.gz \
+  && (echo "${OPENRESTY_HASH} openresty.tar.gz" | sha256sum -c -s) \
   && tar zxC /usr/src/ -f openresty.tar.gz \
   && patch -d /usr/src/openresty-${OPENRESTY_VERSION}/bundle/nginx-${OPENRESTY_VERSION%.*}/ -p 1 < /usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION}/patch/${PATCH_VERSION} \
   && cd /usr/src/openresty-${OPENRESTY_VERSION} \
   && ./configure --prefix=/opt/openresty \
-    --without-http_ssi_module \
-    --without-http_userid_module \
-    --without-mail_pop3_module \
-    --without-mail_imap_module \
-    --without-mail_smtp_module \
-    --with-http_sub_module \
-    --with-http_ssl_module \
-    --with-http_v2_module \
-    --with-http_gzip_static_module \
-    --with-http_gunzip_module \
-    --with-http_realip_module \
-    --with-http_stub_status_module \
-    --with-select_module \
-    --with-poll_module \
-    --with-file-aio \
-    --with-pcre-jit \
-    --add-module=/usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION} \
+  --without-http_ssi_module \
+  --without-http_userid_module \
+  --without-mail_pop3_module \
+  --without-mail_imap_module \
+  --without-mail_smtp_module \
+  --with-http_sub_module \
+  --with-http_ssl_module \
+  --with-http_v2_module \
+  --with-http_gzip_static_module \
+  --with-http_gunzip_module \
+  --with-http_realip_module \
+  --with-http_stub_status_module \
+  --with-select_module \
+  --with-poll_module \
+  --with-file-aio \
+  --with-pcre-jit \
+  --add-module=/usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION} \
   && make install \
   && strip /opt/openresty/nginx/sbin/nginx \
   && ln -sf /dev/stdout /opt/openresty/nginx/logs/access.log \

nginx.conf

@@ -24,6 +24,9 @@ http {
     scgi_temp_path         "/opt/openresty/nginx/tmp/scgi" 1 2;
     uwsgi_temp_path        "/opt/openresty/nginx/tmp/uwsgi" 1 2;
 
+    server_tokens off;
+    more_clear_headers Server;
+
     # Use a debug-oriented logging format.
     log_format debugging escape=json
       '{'
@@ -135,20 +138,6 @@ http {
         default "$connect_addr"; # $connect_addr is 'IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of CONNECT request line.'
     }
 
-
-    # These maps parse the original Host and URI from a /forcecache redirect.
-    map $request_uri $realHost {
-        ~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
-        ~/forcecachesecure/([^:/]+)/originalwas(/.+) $1;
-        default "DID_NOT_MATCH_HOST";
-    }
-
-    map $request_uri $realPath {
-        ~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $2;
-        ~/forcecachesecure/([^:/]+)/originalwas(/.+) $2;
-        default "DID_NOT_MATCH_PATH";
-    }
-
     map $interceptedHost $loggable {
         default 1;
         127.0.0.1:8443 0;
@@ -181,10 +170,9 @@ http {
 
         include /opt/openresty/nginx/conf/forbid_unknown_registries.conf;
 
-        # forward proxy for non-CONNECT request
+        # Unauthorized
         location / {
-            add_header "Content-type" "text/plain" always;
-            return 200 "docker-registry-proxy: The docker caching proxy is working!";
+            return 401;
         }
     } # end server
 
@@ -255,14 +243,16 @@ http {
         }
 
         # For blob requests by digest, do cache, and treat redirects.
-        location ~ ^/v2/(.*)/blobs/sha256:(.*) {
+        #location ~ ^/v2/(.*)/blobs/sha256:(.*) {
+        location ~ ^/v2/([\w\-]+(?:(?:\/[\w\-]+)+|(?:[\w\-]+)+))/blobs/sha256:([0-9a-f]+) {
             set $docker_proxy_request_type "blob-by-digest";
             include "/opt/openresty/nginx/conf/nginx.manifest.common.conf";
         }
 
         # For manifest requests by digest, do cache, and treat redirects.
         # These are some of the requests that DockerHub will throttle.
-        location ~ ^/v2/(.*)/manifests/sha256:(.*) {
+        #location ~ ^/v2/(.*)/manifests/sha256:([0-9a-f])*(.*) {
+        location ~ ^/v2/([\w\-]+(?:(?:\/[\w\-]+)+|(?:[\w\-]+)+))/manifests/sha256:([0-9a-f]+) {
             set $docker_proxy_request_type "manifest-by-digest";
             include "/opt/openresty/nginx/conf/nginx.manifest.common.conf";
         }
@@ -274,7 +264,7 @@ http {
 
         # Cache blobs requests that are not by digest
         # Since these are mutable, we invalidate them immediately and keep them only in case the backend is down
-        location ~ ^/v2/(.*)/blobs/ {
+        location ~ ^/v2/([\w\-]+(?:(?:\/[\w\-]+)+|(?:[\w\-]+)+))/blobs/ {
             set $docker_proxy_request_type "blob-mutable";
             proxy_cache_valid 0s;
             include "/opt/openresty/nginx/conf/nginx.manifest.stale.conf";
@@ -305,11 +295,15 @@ http {
             proxy_cache_key $original_uri;
         }
 
-        # by default, dont cache anything.
-        location / {
+        location ~ ^\/v2(\/|\/_catalog)?$ {
             # nosemgrep
             proxy_pass $targetScheme://$targetHost;
             proxy_cache off;
         }
+
+        location / {
+            add_header "Content-type" "text/plain" always;
+            return 406 "docker-registry-proxy: request not acceptable!";
+        }
     }
 }

tests/docker_test.sh

@@ -1,5 +1,27 @@
 #!/usr/bin/env bash
 
+function test_failed_docker_login_with_wrong_creds() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  docker login my-registry.local:443 -u test -p test
+
+  assert_unsuccessful_code
+}
+
+function test_success_docker_login() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  docker login my-registry.local:443 -u user1 -p password1
+
+  assert_successful_code
+}
+
 function test_success_docker_debian_pull() {
   function foo() {
     return 0
@@ -65,6 +87,7 @@ function test_failed_curl_request_to_unknwon_registry_through_proxy() {
     return 0
   }
 
+  # nosemgrep
   assert_equals "403" "$(curl -I -x https://user1:password1@my-proxy.local:3128 https://my-registry-x.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
 }
 
@@ -73,6 +96,7 @@ function test_failed_curl_request_to_proxy_without_user() {
     return 0
   }
 
+  # nosemgrep
   assert_equals "407" "$(curl -I -x https://my-proxy.local:3128 https://my-registry.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
 }
 
@@ -81,5 +105,52 @@ function test_failed_curl_request_to_proxy_with_wrong_creds() {
     return 0
   }
 
+  # nosemgrep
   assert_equals "401" "$(curl -I -x https://user1:dummy@my-proxy.local:3128 https://my-registry.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
 }
+
+function test_failed_curl_request_to_proxy_without_tls() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  assert_equals "400" "$(curl -I -x http://user1:dummy@my-proxy.local:3128 https://my-registry.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
+}
+
+function test_failed_curl_request_to_registry_for_unauthorized_uri() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  assert_equals "406" "$(curl -s -w "%{http_code}\n" -o /dev/null -x https://user1:password1@my-proxy.local:3128 https://my-registry.local:443/test)"
+}
+
+function test_failed_curl_request_to_registry_v1() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  assert_equals "405" "$(curl -s -w "%{http_code}\n" -o /dev/null -x https://user1:password1@my-proxy.local:3128 https://my-registry.local:443/v1)"
+}
+
+function test_success_curl_request_to_registry_v2_catalog() {
+  function foo() {
+    return 0
+  }
+
+  # nosemgrep
+  assert_equals "200" "$(curl -u 'user1:password1' -s -w "%{http_code}\n" -o /dev/null -x https://user1:password1@my-proxy.local:3128 https://my-registry.local:443/v2/_catalog)"
+}
+
+function test_success_docker_logout() {
+  function foo() {
+    return 0
+  }
+
+  docker logout my-registry.local:443
+
+  assert_successful_code
+}

tests/vagrant-deploy.sh

@@ -2,6 +2,7 @@
 
 # Vars
 CERTS_PATH="/root/certs"
+HTPASSWD_PATH="/root/htpasswd"
 DOCKER_PATH="/var/lib/docker"
 DOCKER_MIRROR_CACHE_PATH="/docker_mirror_cache"
 
@@ -23,6 +24,13 @@ apt-get install -y docker.io docker-compose docker-buildx apache2-utils
 systemctl is-active --quiet docker || systemctl enable docker
 systemctl is-active --quiet docker || systemctl start docker
 
+if [ ! -f ${HTPASSWD_PATH}/htpasswd ]; then
+  # Generate htpasswd for local registry
+  mkdir -p ${HTPASSWD_PATH}
+  # nosemgrep
+  htpasswd -bnB user1 password1 > ${HTPASSWD_PATH}/htpasswd
+fi
+
 if [ ! -f ${CERTS_PATH}/custom_ca.key ]; then
   # Generate certificates
   mkdir -p ${CERTS_PATH}
@@ -70,11 +78,16 @@ docker network inspect registry >/dev/null 2>&1 || docker network create registr
 if [ ! "$(docker ps -a -q -f name=my-registry)" ]; then
   docker run -dit --name my-registry \
     --hostname my-registry.local \
+    --restart always \
     -v ${CERTS_PATH}:/certs \
     -v ${DOCKER_MIRROR_CACHE_PATH}/docker-registry:/var/lib/registry \
+    -v ${HTPASSWD_PATH}/htpasswd:/auth/htpasswd \
     -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
     -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
+    -e REGISTRY_AUTH=htpasswd \
+    -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
+    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
     --network registry \
     registry:2
 fi
@@ -85,6 +98,7 @@ if [ ! "$(docker ps -a -q -f name=openresty_docker_registry_proxy)" ]; then
   chown 1001:1001 ${DOCKER_MIRROR_CACHE_PATH}/docker-cache/
   chown 1001:1001 ${CERTS_PATH}/*server.{crt,key}
   docker run -dit --name openresty_docker_registry_proxy \
+    --restart always \
     -p 3128:3128 \
     -v ${DOCKER_MIRROR_CACHE_PATH}/docker-cache/:/docker_mirror_cache \
     -v ${CERTS_PATH}:/certs \