Merge pull request #5 from coreweave/bj/update-branches

brandonrjacobs · web-flow · commit 2611cd992a3a · 2022-05-11T13:56:40.000-06:00
fix(proxy): fixing branch history
diff --git a/Dockerfile b/Dockerfile
@@ -102,6 +102,13 @@ ENV ALLOW_PUSH="false"
 # Default is true to not change default behavior.
 ENV PROXY_REQUEST_BUFFERING="true"
 
+# Should we allow overridding with own authentication, default to false.
+ENV ALLOW_OWN_AUTH="false"
+
+# Should we allow push only with own authentication, default to false.
+ENV ALLOW_PUSH_WITH_OWN_AUTH="false"
+
+
 # Timeouts
 # ngx_http_core_module
 ENV SEND_TIMEOUT="60s"
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -25,12 +25,12 @@ echo "DEBUG, determined RESOLVERS from /etc/resolv.conf: '$RESOLVERS'"
 conf=""
 for ONE_RESOLVER in ${RESOLVERS}; do
 	echo "Possible resolver: $ONE_RESOLVER"
-	conf="resolver $ONE_RESOLVER; "
+	conf="resolver $ONE_RESOLVER ipv6=off; "
 done
 
 echo "Final chosen resolver: $conf"
 confpath=/etc/nginx/resolvers.conf
-if [ ! -e $confpath ]
+if [ ! -e $confpath ] || [ "$conf" != "$(cat $confpath)" ]
 then
     echo "Using auto-determined resolver '$conf' via '$confpath'"
     echo "$conf" > $confpath
@@ -147,6 +147,17 @@ echo -e "\nManifest caching config: ---\n"
 cat /etc/nginx/nginx.manifest.caching.config.conf
 echo "---"
 
+if [[ "a${ALLOW_OWN_AUTH}" == "atrue" ]]; then
+    cat << 'EOF' > /etc/nginx/conf.d/allowed_override_auth.conf
+    if ($http_authorization != "") {
+        # override with own authentication if provided
+        set $finalAuth $http_authorization;
+    }
+EOF
+else
+    echo '' > /etc/nginx/conf.d/allowed_override_auth.conf
+fi
+
 if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
     cat <<EOF > /etc/nginx/conf.d/allowed.methods.conf
     # allow to upload big layers
@@ -155,6 +166,31 @@ if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
     # only cache GET requests
     proxy_cache_methods GET;
 EOF
+elif [[ "a${ALLOW_PUSH_WITH_OWN_AUTH}" == "atrue" ]]; then
+    cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
+    # Block POST/PUT/DELETE if own authentication is not provided.
+    set $combined_ha_rm "$http_authorization$request_method";
+    if ($combined_ha_rm = POST) {
+        return 405 "POST method is not allowed";
+    }
+    if ($combined_ha_rm = PUT) {
+        return 405 "PUT method is not allowed";
+    }
+    if ($combined_ha_rm = DELETE) {
+        return 405  "DELETE method is not allowed";
+    }
+
+    if ($http_authorization != "") {
+        # override with own authentication if provided
+        set $finalAuth $http_authorization;
+    }
+
+    # allow to upload big layers
+    client_max_body_size 0;
+
+    # only cache GET requests
+    proxy_cache_methods GET;
+EOF
 else
     cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
     # Block POST/PUT/DELETE. Don't use this proxy for pushing.
diff --git a/nginx.conf b/nginx.conf
@@ -249,6 +249,7 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
         proxy_ignore_headers   X-Accel-Expires Expires Cache-Control Set-Cookie;
 
         # Add the authentication info, if the map matched the target domain.
+        include "/etc/nginx/conf.d/allowed_override_auth.conf";
         proxy_set_header Authorization $finalAuth;
 
         # Use SNI during the TLS handshake with the upstream.
