Update README.md

Author: mqasimsarfraz

README.md

@@ -1,27 +1,50 @@
-aws-ecr-http-proxy
-===========
-
-A very simple nginx proxy that forwards requests to AWS ECR and caches the responses locally.
-
-Run it like this, replace UPSTREAM with your target address with following required params:
-- `AWS_REGION`
-- `AWS_ACCESS_KEY_ID`
-- `AWS_SECRET_ACCESS_KEY`
-
-It is also possible to define `CACHE_MAX_SIZE` env to limit maximum cache size on provided volume
-
-For example:
+<p align="left">
+    <a href="https://hub.docker.com/r/esailors/aws-ecr-http-proxy/builds" alt="Build">
+        <img src="https://img.shields.io/docker/build/esailors/aws-ecr-http-proxy" /></a>
+    <a href="https://hub.docker.com/r/esailors/aws-ecr-http-proxy" alt="Pulls">
+        <img src="https://img.shields.io/docker/pulls/esailors/aws-ecr-http-proxy" /></a>
+    <a href="https://www.esailors.de" alt="Maintained">
+        <img src="https://img.shields.io/maintenance/yes/2019.svg" /></a>
+
+</p>
+
+# aws-ecr-http-proxy
+
+A very simple nginx push/pull proxy that forwards requests to AWS ECR and caches the responses locally.
+
+### Configuration:
+The proxy is packaged in a docker container and can be configured with following environment variables:
+
+| Environment Variable                | Description                                    | Status                            | Default    |
+| :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: |
+| `AWS_REGION`                        | AWS Region for AWS ECR                         | Required                          |            |
+| `AWS_ACCESS_KEY_ID`                 | AWS Account Access ID                          | Required                          |            |
+| `AWS_SECRET_ACCESS_KEY`             | AWS Account Secret Key                         | Required                          |            |
+| `RESOLVER`                          | DNS server to used by proxy                    | Required                          |            |
+| `PORT`                              | Port on which proxy listens                    | Required                          |            |
+| `CACHE_MAX_SIZE`                    | Maximum size for cache volume                  | Optional                          |  `75g`     |
+| `CACHE_KEY`                         | Key to be used for images content/blobs        | Optional                          |  `$uri`    |
+| `ENABLE_SSL`                        | Used to enable SSL/TLS for proxy               | Optional                          | `false`    |
+| `REGISTRY_HTTP_TLS_KEY`             | Path to TLS key in the container               | Required with TLS                 |            |
+| `REGISTRY_HTTP_TLS_CERTIFICATE`     | Path to TLS cert in the container              | Required with TLS                 |            |
+
+### Example:
 
 ```sh
 docker run --rm --name docker-registry-proxy --net=host \
-  -v /local-storage/cache:/cache \
+  -v /registry/local-storage/cache:/cache \
+  -v /registry/certificate.pem:/opt/ssl/certificate.pem
+  -v /registry/key.pem:/opt/ssl/key.pem
   -e PORT=5000 \
   -e RESOLVER=8.8.8.8 \
   -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \
   -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
   -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
   -e AWS_REGION=${AWS_DEFAULT_REGION} \
   -e CACHE_MAX_SIZE=100g \
+  -e ENABLE_SSL=true \
+  -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \
+  -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem
   esailors/aws-ecr-http-proxy:latest
 ```
 
@@ -32,7 +55,9 @@ Modify the ansible role variables according to your need and run the playbook as
 ```sh
 ansible-playbook -i hosts playbook-docker-registry-proxy.yaml
 ```
-The docker registry for project is available [here](https://hub.docker.com/r/esailors/aws-ecr-http-proxy)
+In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in `roles/docker-registry-proxy/files/*.pem`
 
-### Note
-The proxy has `HTTP` endpoint so in order to avoid docker client complaining about it either mark the registry host as insecure in your [deamon config](https://docs.docker.com/registry/insecure/) or add [SSL/TLS termination](https://docs.docker.com/registry/recipes/nginx)
+### Note on SSL/TLS
+The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either:
+ - (**Recommended**) Enable SSL/TLS using `ENABLE_SSL` configuration. For that you will have to mount your **valid** certificate/key in the container and pass the paths using  `REGISTRY_HTTP_TLS_*` variables.
+ - Mark the registry host as insecure in your [deamon config](https://docs.docker.com/registry/insecure/).

files/startup.sh

@@ -34,7 +34,7 @@ echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short  ${UPSTREAM_WITHOUT_PO
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g}
 echo Using cache max size $CACHE_MAX_SIZE
 
-CACHE_KEY=${CACHE_KEY:='$scheme$uri$request_method'}
+CACHE_KEY=${CACHE_KEY:='$uri'}
 echo Using cache key $CACHE_KEY
 
 SCHEME=http