add support for SSL

Author: mqasimsarfraz

.gitignore

@@ -0,0 +1,2 @@
+/dev
+/*.retry

files/nginx.conf

@@ -18,8 +18,6 @@ http {
   # this is necessary for us to be able to disable request buffering in all cases
   proxy_http_version 1.1;
 
-  #SSLCONFIG
-
   # will run before forking out nginx worker processes
   init_by_lua_block { require "cjson" }
 
@@ -29,9 +27,9 @@ http {
   }
 
   server {
-    listen LISTEN default_server;
+    listen PORT SSL_LISTEN default_server;
 
-    #AUTHCONFIG
+    SSL_INCLUDE
 
     # Cache
     add_header X-Cache-Status   $upstream_cache_status;
@@ -52,28 +50,21 @@ http {
 
     # disable proxy request buffering
     proxy_request_buffering off;
-    proxy_cache            cache;
-    proxy_cache_key        $scheme$uri$args$request_method;
-    proxy_cache_valid      200  1s;
-    proxy_cache_use_stale  error timeout invalid_header updating
-                           http_500 http_502 http_503 http_504;
-    proxy_cache_lock       on;
 
     add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
     add_header "Access-Control-Allow-Origin" "*";
 
     location / {
       set $url        UPSTREAM;
       proxy_pass      $url;
-      proxy_redirect  $url http://$host:PORT;
+      proxy_redirect  $url SCHEME://$host:PORT;
 
       # Add AWS ECR authentication headers
       proxy_set_header  X-Real-IP          $remote_addr;
       proxy_set_header  X-Forwarded-For    $remote_addr;
       proxy_set_header  X-Forwarded-User   "Basic $http_authorization";
       proxy_set_header  Authorization      "Basic $http_authorization";
       proxy_set_header  X-Forwarded-Proto  $scheme;
-      proxy_set_header  Authorization      "";
 
     }
 
@@ -82,15 +73,14 @@ http {
     location ~ ^/v2/.*/blobs/[a-z0-9]+:[a-f0-9]+$ {
       set $url        UPSTREAM;
       proxy_pass      $url;
-      proxy_redirect  $url http://$host:PORT;
+      proxy_redirect  $url SCHEME://$host:PORT;
 
       # Add AWS ECR authentication headers
       proxy_set_header  X-Real-IP          $remote_addr;
       proxy_set_header  X-Forwarded-For    $remote_addr;
       proxy_set_header  X-Forwarded-User   "Basic $http_authorization";
       proxy_set_header  Authorization      "Basic $http_authorization";
       proxy_set_header  X-Forwarded-Proto  $scheme;
-      proxy_set_header  Authorization      "";
 
       # When accessing image blobs using HTTP GET AWS ECR redirects with
       # s3 buckets uri to download the image. This needs to handled by
@@ -106,7 +96,7 @@ http {
       set                    $saved_redirect_location '$upstream_http_location';
       proxy_pass             $saved_redirect_location;
       proxy_cache            cache;
-      proxy_cache_key        $scheme$uri$args$request_method;
+      proxy_cache_key        CACHE_KEY;
       proxy_cache_valid      200  1y;
       proxy_cache_use_stale  error timeout invalid_header updating
                              http_500 http_502 http_503 http_504;
@@ -115,7 +105,6 @@ http {
 
     location ~ ^/v2/.*/.*/tags/list+$ {
       # get paginated list of tags
-      proxy_set_header  Authorization      "";
       content_by_lua_block {
         local location, tags, cjson = ngx.var.uri, {}, require "cjson"
         while true do
@@ -147,7 +136,6 @@ http {
       internal;
       set_unescape_uri      $req_uri $arg_req_uri;
       proxy_pass            UPSTREAM$req_uri;
-      proxy_set_header  Authorization      "";
 
       # Add AWS ECR authentication headers
       proxy_set_header  X-Real-IP          $remote_addr;

files/ssl.conf

@@ -6,4 +6,3 @@ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD
 ssl_prefer_server_ciphers on;
 
 add_header Strict-Transport-Security max-age=31536000;
-

files/startup.sh

@@ -34,31 +34,30 @@ echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short  ${UPSTREAM_WITHOUT_PO
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g}
 echo Using cache max size $CACHE_MAX_SIZE
 
-CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
+CACHE_KEY=${CACHE_KEY:='$scheme$uri$request_method'}
+echo Using cache key $CACHE_KEY
 
-ENABLESSL=''
-SSLINCLUDE=''
-SSLCONFIG=/usr/local/openresty/nginx/conf/ssl.conf
-if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" ]; then
-  sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG
-  sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSLCONFIG
-  ENABLESSL='ssl'
-  SSLINCLUDE="include $SSLCONFIG;"
-fi
+SCHEME=http
+CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
+SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf
 
-AUTHCONFIG=''
-if [ ! -z "$REGISTRY_AUTH_HTPASSWD_PATH" ] && [ ! -z "$REGISTRY_AUTH_HTPASSWD_REALM" ]; then
-  AUTHCONFIG="auth_basic  ${REGISTRY_AUTH_HTPASSWD_REALM};\n    auth_basic_user_file ${REGISTRY_AUTH_HTPASSWD_PATH};"
+if [ "$ENABLE_SSL" ]; then
+  sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSL_CONFIG
+  sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSL_CONFIG
+  SSL_LISTEN="ssl"
+  SSL_INCLUDE="include $SSL_CONFIG;"
+  SCHEME="https"
 fi
 
 # Update nginx config
 sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG
-sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG
 sed -i -e s!PORT!"$PORT"!g $CONFIG
 sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG
 sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG
-sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG
-sed -i -e s!#AUTHCONFIG!"$AUTHCONFIG"!g $CONFIG
+sed -i -e s!CACHE_KEY!"$CACHE_KEY"!g $CONFIG
+sed -i -e s!SCHEME!"$SCHEME"!g $CONFIG
+sed -i -e s!SSL_INCLUDE!"$SSL_INCLUDE"!g $CONFIG
+sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG
 
 # setup ~/.aws directory
 AWS_FOLDER='/root/.aws'

hosts

@@ -1,2 +1,2 @@
 [docker-registry-proxy]
-registry-proxy.example.com
+localhost ansible_connection=local

roles/docker-registry-proxy/defaults/main.yml

@@ -8,3 +8,7 @@ docker_proxy_backend_resolver: "8.8.8.8"
 docker_proxy_ecr_access_id:
 docker_proxy_ecr_secret_key:
 docker_proxy_ecr_region:
+
+docker_proxy_ssl_enabled:
+docker_proxy_ssl_host_path: /registry
+docker_proxy_ssl_container_path: /opt/nginx

roles/docker-registry-proxy/files/certificate.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFcTCCA1mgAwIBAgIJALWdZASytQRkMA0GCSqGSIb3DQEBCwUAME8xCzAJBgNV
+BAYTAkRFMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxFTATBgNVBAoMDGVTYWlsb3Jz
+IExURDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDkwMjA4NTYzNloXDTI5MDgz
+MDA4NTYzNlowTzELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEV
+MBMGA1UECgwMZVNhaWxvcnMgTFREMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrznLzCWlKJO4fXD/E8hx4cXUqbd9U
+VwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/DceRCl4Tnb3O86fzt
+Bwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNdhpXsqa9RPSu0Mb0G
+ZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q4vffW+H8S9nuKi8o
+EXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZuRWEkG+vqGoKEL5+q
+PeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKciulTO8jYWqZIuBL8J
+GVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1wLagRE9MJHoT64nd
+KAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbKT+whhDdBTaig2NNL
+Ml7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cBlKxgJxanDy2a2Hbm
+zx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBHdu9yjT3s7Cc12NCQ
+3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL2QdDXksLJpgeQsv7
+vcXEBje+aluNqQIDAQABo1AwTjAdBgNVHQ4EFgQUyBLOw8nyo6W4BJWI9L24TTta
+RbcwHwYDVR0jBBgwFoAUyBLOw8nyo6W4BJWI9L24TTtaRbcwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEAkYdRTaZuVAcxY1MI7V8PVnvTDxJ1izAWsr2W
+aQMSX0UxAZ/Aed+Q056Ya50/x5ffSigHY5Dap4eP36i/4+dhIeoaMpRjlz/sWCb5
+fE6judBvrMlMwrnKpi/eN0QC1KiCptPbPVPyonRj1ydrvQTPPDxLSeqgzCn3q5kf
+Gb6VlPDhj/CmIoVXkA9gYNlCwSpZ49DJJ2gTmI+MXolXnlZCvXuR+VsgTsjn96vH
+j0AczAZ+g7gD8XTl/K9Z/gcs06DcmMonYrgOGuaFDDiEuBwgABo8gajCFg4xwxi2
+bw7B+opMrOXH9ZGhaoF2eySDGXXgw7TLRqkGXDghZNzWajnGuN7vSaiQfnr0EmW+
+020gJDDUZyc9Ky165SQe3Bfin1cLc2W6mZYmV9lDtUYw80Gth52L9uOiEBIbV6mI
+ZBZFyslxQ7IYWOxseoU9xrxzscTtxa+MGs47w6Hzxh38zYPe/I0Yt62yMRtUmJJ7
+ebQZti7qLeW+QOZAruUzei7fpOZOrq8vy4GBUm0pkg8eOVdDaCAQAWMwaGaHH9/5
+q+AvDLjvR6zvJdV2dxA3XsVmcIA45zOA2mZkRrcTWyf5DZ7bDcQvSnd7R4anv3hG
+YJXeKyzcI7SWfMxo0hU6p9fv66xYn6x9d5oA/ZU/5XRn1bFL7kuKj7BmB+LcS0BE
+XipqaCA=
+-----END CERTIFICATE-----

roles/docker-registry-proxy/files/key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCrznLzCWlKJO4f
+XD/E8hx4cXUqbd9UVwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/D
+ceRCl4Tnb3O86fztBwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNd
+hpXsqa9RPSu0Mb0GZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q
+4vffW+H8S9nuKi8oEXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZu
+RWEkG+vqGoKEL5+qPeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKci
+ulTO8jYWqZIuBL8JGVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1
+wLagRE9MJHoT64ndKAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbK
+T+whhDdBTaig2NNLMl7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cB
+lKxgJxanDy2a2Hbmzx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBH
+du9yjT3s7Cc12NCQ3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL
+2QdDXksLJpgeQsv7vcXEBje+aluNqQIDAQABAoICAQCjIxe3expFUyfhE2FiC1vJ
+akKNFWNY3IVztYCCTeqbXXg4IfjIIbFjes/Ev+bcv3cipxiRpPM4092t4jmSmfmT
+IRtPKQgHsgRwr2NHq1oHR/RscJBj8rq7bvVuX0DksH6K7S70tNU/M8ju59r4rG9S
+vrj/E7OfnaKSFNxpXIY5YYt6y6pZq2C8UgX4w1AM/tFgOzBHYQEZ+y2QcFRZ/Q9q
+2EOJiPjaHSmQPJsxaV9+sa8RyMNwDr+z136en01nmWpLd9CbqutfEF6uGqcQ+Ipc
+8us3xVjg+H3b3363QWipMaUkDD8s8DJB05pn/b3pSRUh0HOQ4IAlZVJ/AVuCXi/I
+amEVq5hClLL16OhyM4u/50BxSn673jNCi3uRPxcJlnR0cFy8u6XEs8rbU1ezxlz3
+SJBpTfXyvvWhNdvEQzNy+AOf8XQLzKgcnoLYYx9nhFUBv3pSU+7hW11RKmjHSu9v
+0NNcUGq+Ig3QTB/4CTM1YJ/usL9kVdJY+tK1wVKHiIm0O58fcyrfN05kUpqJ5NMg
+4ByeXkm8JR8A9jiNmJy/bBuFEIXTsxalsQjonGw4WHcRZCke0eqMSOgzp50CNad2
+NIRqNWD0EInTatXtjTQ+zbCkDoUdgW4NhCnmf4OxVLEpKIYFw/y1271mVZp9zbYU
+aAfaTXi/mZ+hAspQlTOPAQKCAQEA3BhyO90ACUtKbbBPwUVgEHxtsKZ1lyIgyGMQ
+D8PDh+ixdvRYD4m4rewTzY346kaEPcWzjKUp2sU0G1/moBQWLBb9gKyBll8LKSNG
+yA5MAMENyI9rIFpzOoJkkTrnu8iwIPXjVgAShrRqBa+eKAa5XEOR6x+L5UhIEZIQ
+mfCqyPAKKieODiykqqmDURCadRC3LrIbjDSdnX6VEMS7Sun6pNRz7s1u5CYnLQGZ
+QhZeRMkcdmYuAThfwWpX/GdtIxqM08jWX9RFKpMiSisKX8YsXv0W0IbesuDj/bkc
+4BQou03sEUJxC6P8O+jiKtOkygwTdqmjIpDRf1EHiPGibv+f+QKCAQEAx9VfJ/5e
+zmLWwEEqSxpwWpMQdB5ir68VjnnvFNDVms/XVHr/EV7TuI092cXJdntqqynCZGBA
+IP1Wv2eSqGibIyOXdbTXv1qWmSxZdeECIj11vtRQ5etK977/F0llNYav6WAn3pDp
+0IRzofaD6SEFhTJKoGiv86gFcqm2tO4lrTU1B30KnqKfYER6mUdBwto///Rwrpoy
+B5+EWbrjJmKOqKuXP+M/YnlQXeBtyVHlQlaog2sea9OSCJEbTrmkZqJ1ZXmBH8T+
+D91QOF+5rxPVKLG5Ybnfen7Fu3dHAotD8WM77iQR+EDmffvrxS+ddZUXzINS9jml
+kKkaG9zOvEcnMQKCAQEAyIo1u7nYSJ+jh2I4qT9PEnZtc6GYT0a3XB53CgYzaOhq
+mpp0imPQNBiAyrBrdvsdjzNOL/5lroI0wiSVfJIQyceA3/dOc/bRsoAEBFCSi7Vb
+m7yhvW7swwkAHRvw/bcUVFP2+etC9h345Ilpr8rApgKjN/sceqNrlybhnYId+sxM
+VrCHzP58Y0vk7L4WHkhGwHNkilF+s3wc0pSOmumqiPlTUOk5+wOQen+UZxT+e+pK
+1s6vaEk3ZoJA/Sg31t5gJrA+ND6zbuF1QuMIps9oqnwsh3/79jzXP92lI776hf+v
+8uH5IsQeFXBScvc4lSh/q4VRsTMGz9zC4tJYUI718QKB/3qNYM4mMf5gn1NIo6dr
+j3v8tRqBiAQ2XAIExZr+eAF5dZVZ2RPOFAoalNP5eJQxHDncYlssrCePNqQr4MVn
+Yb0rFrgZMDcqVzGZAURJugVFq/BcRUC8DD3j5I1jda5d64Q0dD8KoFpA4KlzhXJz
+ze7h6OJ3UXEcmjq32lUbt/+BogP1q42eLh/b31QhXzMgph9SychKyGPkcEaXVrcz
+ukm28gs8UqMRwzfPa4ULtI36l14BU6bNGcInO5gMQcav209gNNBG/4i7MXdhPX8h
+qphKZmaIl4WIObu+as4kmoZvVVG2zU5yfujEltNXYDm8Ndw2rapTsDYHfvuXbzII
+cQKCAQBW3LAfFAkmu1+NJBXYt86rftOF+VSNWkN1/YkPwIMX1y647aVMGMegr7yF
+xUh1DSQQAuD2ACzII1ufoUWRrhdCMsgr3o9b0ApCXQwTaaFsZjGIr33bsnqNHW3e
+FJEfTrNW5PLTkkEjJQH0N/6W0TRowjpYSpgRz/fpJjdFLmQ1A+RLVoyHCVq/Qhzj
+Ywk6hsYjI432aebdFH8pqWl8Hhcq6DW9jAyKkuVnX/p60OZ6tp6cZ75nIj7bdB7W
+zcrUs4/igRY8HUwZlQJK5X2D+LWuN1Ag8DBbbjOmqziKDBikV/GmOcuCRgltckrT
+UFg2hiaXvnBuMgGHodqIzeQarqKv
+-----END PRIVATE KEY-----

roles/docker-registry-proxy/tasks/main.yaml

@@ -2,6 +2,16 @@
   become: true
   file: path={{ docker_proxy_cache_path  }} state=directory mode=0755 recurse=true
 
+- name: Copy the ssl certificates
+  become: true
+  copy:
+    src: "{{ item }}"
+    dest: "{{ docker_proxy_ssl_host_path }}/{{ item }}"
+  with_items:
+    - certificate.pem
+    - key.pem
+  when: docker_proxy_ssl_enabled | bool
+
 - name: Print current cache directory size information
   become: true
   command: du -hs {{ docker_proxy_cache_path  }}
@@ -10,6 +20,8 @@
   become: true
   command: >
     docker pull esailors/aws-ecr-http-proxy:{{ docker_proxy_version }}
+  tags:
+    - pull-image
 
 - name: Remove previous proxy container
   become: true
@@ -29,11 +41,21 @@
       --net host
       --restart=unless-stopped
 
-      -v {{ docker_proxy_cache_path  }}:/cache
+      -v {{ docker_proxy_cache_path }}:/cache
+
+      {% if docker_proxy_ssl_enabled | bool %}
+      -v {{ docker_proxy_ssl_host_path }}/certificate.pem:{{ docker_proxy_ssl_container_path }}/certificate.pem
+      -v {{ docker_proxy_ssl_host_path }}/key.pem:{{ docker_proxy_ssl_container_path }}/key.pem
+
+      -e ENABLE_SSL=true
+      -e REGISTRY_HTTP_TLS_KEY={{ docker_proxy_ssl_container_path }}/key.pem
+      -e REGISTRY_HTTP_TLS_CERTIFICATE={{ docker_proxy_ssl_container_path }}/certificate.pem
+      {% endif %}
+
       -e RESOLVER={{ docker_proxy_backend_resolver }}
       -e PORT=5000
       -e UPSTREAM={{ docker_proxy_backend_schema }}://{{ docker_proxy_backend }}
-      -e CACHE_MAX_SIZE={{ docker_proxy_cache_limit }} 
+      -e CACHE_MAX_SIZE={{ docker_proxy_cache_limit }}
       -e AWS_ACCESS_KEY_ID={{ docker_proxy_ecr_access_id }}
       -e AWS_SECRET_ACCESS_KEY={{ docker_proxy_ecr_secret_key }}
       -e AWS_REGION={{ docker_proxy_ecr_region }}