Allow push (#59)

Introduce ALLOW_PUSH, if set to true, allows non-GET methods through the proxy
rpardini · Dec 2, 2020 · 536f0fc · 536f0fc
1 parent dfb6a5d
commit 536f0fc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -94,5 +94,8 @@ ENV MANIFEST_CACHE_SECONDARY_TIME="60d"
 # In the default config, :latest and other frequently-used tags will get this value.
 ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
 
+# Should we allow actions different than pull, default to false.
+ENV ALLOW_PUSH="false"
+
 # Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -121,6 +121,29 @@ echo "Manifest caching config: ---"
 cat /etc/nginx/nginx.manifest.caching.config.conf
 echo "---"
 
+if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
+    cat <<EOF > /etc/nginx/conf.d/allowed.methods.conf
+    # allow to upload big layers
+    client_max_body_size 0;
+
+    # only cache GET requests
+    proxy_cache_methods GET;
+EOF
+else
+    cat << 'EOF' > /etc/nginx/conf.d/allowed.methods.conf
+    # Block POST/PUT/DELETE. Don't use this proxy for pushing.
+    if ($request_method = POST) {
+        return 405 "POST method is not allowed";
+    }
+    if ($request_method = PUT) {
+        return 405 "PUT method is not allowed";
+    }
+    if ($request_method = DELETE) {
+        return 405  "DELETE method is not allowed";
+    }
+EOF
+fi
+
 # normally use non-debug version of nginx
 NGINX_BIN="/usr/sbin/nginx"
 

diff --git a/nginx.conf b/nginx.conf
@@ -219,16 +219,8 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
         # Docker needs this. Don't ask.
         chunked_transfer_encoding on;
 
-        # Block POST/PUT/DELETE. Don't use this proxy for pushing.
-        if ($request_method = POST) {
-            return 405 "POST method is not allowed";
-        }
-        if ($request_method = PUT) {
-            return 405 "PUT method is not allowed";
-        }
-        if ($request_method = DELETE) {
-            return 405  "DELETE method is not allowed";
-        }
+        # configuration of the different allowed methods
+        include "/etc/nginx/conf.d/allowed.methods.conf";
 
         proxy_read_timeout 900;