Merge pull request #9 from Scalingo/feat/target_scheme

feat: multiple fixes and features

Author: mickael-garrido

.github/workflows/docker-image.yml

@@ -1,9 +1,9 @@
-name: CI
+name: "build-docker-image"
 
 on:
   push:
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+*'
+      - "v[0-9]+.[0-9]+.[0-9]+*"
 
 jobs:
   bake:

.github/workflows/tests.yml

@@ -0,0 +1,15 @@
+name: "tests"
+
+on:
+  pull_request_target: # Use pull_request_target
+    branches: [main]
+
+jobs:
+  run-specs:
+    name: run specs
+    runs-on: ubuntu-22.04
+    steps:
+      - name: deploy
+        run: ./vagrant-deploy.sh
+      - name: tests
+        run: ./vagrant-tests.sh

.markdownlint.yaml

@@ -0,0 +1,6 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Line length
+MD013:
+  line_length: 200

Dockerfile

@@ -2,13 +2,13 @@ ARG BASE_IMAGE="openresty-proxy-connect"
 
 FROM ${BASE_IMAGE}
 
-ADD generate-certificate.sh /generate-certificate.sh
-ADD entrypoint.sh /entrypoint.sh
+COPY generate-certificate.sh /generate-certificate.sh
+COPY entrypoint.sh /entrypoint.sh
 
-ADD nginx.conf /opt/openresty/nginx/conf/nginx.conf
-ADD nginx.manifest.common.conf /opt/openresty/nginx/conf/nginx.manifest.common.conf
-ADD nginx.manifest.stale.conf /opt/openresty/nginx/conf/nginx.manifest.stale.conf
-ADD proxy_auth.lua /opt/openresty/nginx/conf/proxy_auth.lua
+COPY nginx.conf /opt/openresty/nginx/conf/nginx.conf
+COPY nginx.manifest.common.conf /opt/openresty/nginx/conf/nginx.manifest.common.conf
+COPY nginx.manifest.stale.conf /opt/openresty/nginx/conf/nginx.manifest.stale.conf
+COPY proxy_auth.lua /opt/openresty/nginx/conf/proxy_auth.lua
 
 RUN apk add --no-cache --update bash openssl \
   && mkdir -p /docker_mirror_cache /certs /opt/openresty/nginx/tmp \
@@ -79,6 +79,9 @@ ENV PROXY_CONNECT_SEND_TIMEOUT="60s"
 # Allow disabling IPV6 resolution, default to false
 ENV DISABLE_IPV6="false"
 
+# Forbid unknown registries
+ENV ALLOW_UNKNOWN_REGISTRIES="false"
+
 USER 1001
 
 # Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.

Dockerfile.openresty

@@ -6,32 +6,37 @@ ARG NGX_HTTP_PROXY_CONNECT_MODULE_VERSION=0.0.7
 ARG OPENRESTY_VERSION=1.27.1.2
 ARG PATCH_VERSION=proxy_connect_rewrite_102101.patch
 
+ARG OPENRESTY_HASH=74f076f7e364b2a99a6c5f9bb531c27610c78985abe956b442b192a2295f7548
+ARG NGX_HTTP_PROXY_CONNECT_MODULE_HASH=b1502309b0afc3e24bdfb02aa8e7028014d06f3f4e3c99a4a867de81d9c0e47d
+
 RUN apk add --no-cache --update --virtual .build-deps gcc libc-dev make openssl-dev pcre-dev zlib-dev linux-headers patch curl git perl \
   && curl -fSL https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION}.tar.gz -o ngx_http_proxy_connect_module.tar.gz \
+  && (echo "${NGX_HTTP_PROXY_CONNECT_MODULE_HASH} ngx_http_proxy_connect_module.tar.gz" | sha256sum -c -s) \
   && mkdir -p /usr/src \
   && tar zxC /usr/src/ -f ngx_http_proxy_connect_module.tar.gz \
   && curl -fSL https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz -o openresty.tar.gz \
+  && (echo "${OPENRESTY_HASH} openresty.tar.gz" | sha256sum -c -s) \
   && tar zxC /usr/src/ -f openresty.tar.gz \
   && patch -d /usr/src/openresty-${OPENRESTY_VERSION}/bundle/nginx-${OPENRESTY_VERSION%.*}/ -p 1 < /usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION}/patch/${PATCH_VERSION} \
   && cd /usr/src/openresty-${OPENRESTY_VERSION} \
   && ./configure --prefix=/opt/openresty \
-    --without-http_ssi_module \
-    --without-http_userid_module \
-    --without-mail_pop3_module \
-    --without-mail_imap_module \
-    --without-mail_smtp_module \
-    --with-http_sub_module \
-    --with-http_ssl_module \
-    --with-http_v2_module \
-    --with-http_gzip_static_module \
-    --with-http_gunzip_module \
-    --with-http_realip_module \
-    --with-http_stub_status_module \
-    --with-select_module \
-    --with-poll_module \
-    --with-file-aio \
-    --with-pcre-jit \
-    --add-module=/usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION} \
+  --without-http_ssi_module \
+  --without-http_userid_module \
+  --without-mail_pop3_module \
+  --without-mail_imap_module \
+  --without-mail_smtp_module \
+  --with-http_sub_module \
+  --with-http_ssl_module \
+  --with-http_v2_module \
+  --with-http_gzip_static_module \
+  --with-http_gunzip_module \
+  --with-http_realip_module \
+  --with-http_stub_status_module \
+  --with-select_module \
+  --with-poll_module \
+  --with-file-aio \
+  --with-pcre-jit \
+  --add-module=/usr/src/ngx_http_proxy_connect_module-${NGX_HTTP_PROXY_CONNECT_MODULE_VERSION} \
   && make install \
   && strip /opt/openresty/nginx/sbin/nginx \
   && ln -sf /dev/stdout /opt/openresty/nginx/logs/access.log \

README.md

@@ -1,15 +1,20 @@
-# Build with bake
+# Docker registry proxy
+
+## Build with bake
+
 ```bash
 docker buildx bake --file docker-bake.hcl
 ```
 
-# Create .env file
+## Create .env file
+
 ```bash
 cp .env.sample .env
 vim .env
 ```
 
-# Run with docker
+## Run with docker
+
 ```bash
 docker run --name openresty_docker_registry_proxy \
   --rm -it \
@@ -20,31 +25,48 @@ docker run --name openresty_docker_registry_proxy \
   docker-registry-proxy-cache:latest
 ```
 
-# Run with docker compose
+## Run with docker compose
+
 ```bash
 docker compose up
 ```
 
 The `HTPASSWD` environment variable activates basic authentication. In this example, we define two users:
-* user1:user1
-* user2:user2
+
+* user1:password1
+* user2:password2
 
 The `HTPASSWD_DELIMITER` environment variable can be used to specify a custom delimiter. By default, a `space` is used.
 
 By default, `generate-certificate.sh` generates a self-signed certificate. You can override this by mounting a volume with your own certificates at `/certs`.
+
 * server.crt
 * server.key
+* proxy_server.crt
+* proxy_server.key
+
+## Configure docker to use a proxy
 
-# Configure docker to use a proxy
 ```json
 {
   ...
   "proxies": {
-    "http-proxy": "http://user1:user1@127.0.0.1:3128",
-    "https-proxy": "http://user1:user1@127.0.0.1:3128"
+    "https-proxy": "https://user1:user1@127.0.0.1:3128"
   },
   "insecure-registries" : ["own-registry.sample.com:443"]
 }
 ```
 
 The `insecure-registries` setting should be configured if your proxy is using an invalid or self-signed certificate.
+
+## Run a test environment
+
+Vagrant will create a VM and will run 2 scripts:
+
+* vagrant-deploy.sh => Execute the complete deployment process, including package installation, certificate generation, Docker image builds, and container execution.
+* vagrant-tests.sh => Run integration tests
+
+```bash
+vagrant up --provision docker-registry-cache
+vagrant ssh docker-registry-cache
+```

Vagrantfile

@@ -0,0 +1,12 @@
+Vagrant.configure('2') do |config|
+  config.vm.box = 'ubuntu/focal64'
+
+  config.vm.define 'docker-registry-cache' do |node|
+    node.vm.hostname = 'docker-registry-cache'
+    node.vm.provision 'shell', inline: '/vagrant/tests/vagrant-deploy.sh'
+    node.vm.provision 'shell', inline: '/vagrant/tests/vagrant-tests.sh', run: 'always'
+    node.vm.provider 'virtualbox' do |v|
+      v.memory = 2048
+    end
+  end
+end

entrypoint.sh

@@ -90,8 +90,39 @@ if [[ ${AUTH_REGISTRIES+x} ]]; then
   done
 fi
 
-# create default config for the caching layer to listen on 8443.
-echo "        listen 8443 ssl default_server;" >/opt/openresty/nginx/conf/caching.layer.listen
+# Target scheme interception. Used to force the http scheme of a registry host
+echo -n "" >/opt/openresty/nginx/conf/docker.targetScheme.map
+
+if [[ ${FORCE_HTTP_REGISTRIES+x} ]]; then
+  for ONEREGISTRYIN in ${FORCE_HTTP_REGISTRIES}; do
+    ONEREGISTRY=$(echo ${ONEREGISTRYIN} | xargs) # Remove whitespace
+    echo "${ONEREGISTRY} http;" >>/opt/openresty/nginx/conf/docker.targetScheme.map
+  done
+fi
+
+# Enforce ssl
+echo -n "" > /opt/openresty/nginx/conf/ssl.conf
+if [[ ${SSL_CIPHERS_LIST+x} ]]; then
+  # Most secured
+  echo "ssl_ciphers ${SSL_CIPHERS_LIST};" >> /opt/openresty/nginx/conf/ssl.conf
+fi
+if [[ ${SSL_PROTOCOLS_LIST+x} ]]; then
+  # Most secured
+  echo "ssl_protocols ${SSL_PROTOCOLS_LIST};" >> /opt/openresty/nginx/conf/ssl.conf
+fi
+
+# Forbid unknown registries
+echo -n "" > /opt/openresty/nginx/conf/forbid_unknown_registries.conf
+if [[ "a${ALLOW_UNKNOWN_REGISTRIES}" != "atrue" ]]; then
+  echo 'if ($interceptedHost != "127.0.0.1:8443") {' >> /opt/openresty/nginx/conf/forbid_unknown_registries.conf
+  echo '  return 403 "docker-registry-proxy: remote request not authorized!";' >> /opt/openresty/nginx/conf/forbid_unknown_registries.conf
+  echo '}' >> /opt/openresty/nginx/conf/forbid_unknown_registries.conf
+  #cat >> /opt/openresty/nginx/conf/forbid_unknown_registries.conf <<-"EOF"
+  #if ($interceptedHost != '127.0.0.1:8443') {
+  #  return 403 "docker-registry-proxy: remote request not authorized!";
+  #}
+  #EOF
+fi
 
 # Set Docker Registry cache size, by default, 32 GB ('32g')
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-32g}

generate-certificate.sh

@@ -8,3 +8,12 @@ if [ ! -f /certs/server.crt ]; then
     -subj "/C=FR/ST=Grand-Est/L=Strasbourg/O=Scalingo/OU=IT Department/CN=scalingo.com"
   openssl x509 -req -days 365 -in /certs/server.csr -signkey /certs/server.key -out /certs/server.crt
 fi
+
+if [ ! -f /certs/proxy_server.crt ]; then
+  openssl genrsa -des3 -passout pass:x -out /certs/proxy_server.pass.key 2048
+  openssl rsa -passin pass:x -in /certs/proxy_server.pass.key -out /certs/proxy_server.key
+  rm /certs/proxy_server.pass.key
+  openssl req -new -key /certs/proxy_server.key -out /certs/proxy_server.csr \
+    -subj "/C=FR/ST=Grand-Est/L=Strasbourg/O=Scalingo/OU=IT Department/CN=scalingo.com"
+  openssl x509 -req -days 365 -in /certs/proxy_server.csr -signkey /certs/proxy_server.key -out /certs/proxy_server.crt
+fi