
Commit 2d9630c

committed
address review comments
1 parent d826a7f commit 2d9630c


3 files changed

+29
-7
lines changed


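--- a/Dockerfile
+++ b/Dockerfile
@@ -94,5 +94,8 @@ ENV MANIFEST_CACHE_SECONDARY_TIME="60d"
 # In the default config, :latest and other frequently-used tags will get this value.
 ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
 
+# Should we allow actions different than pull, default to false.
+ENV ALLOW_PUSH="false"
+
 # Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
 ENTRYPOINT ["/entrypoint.sh"]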
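Review bot: The comment above `ENV ALLOW_PUSH="false"` does not say which value turns pushing on, and the check added to entrypoint.sh in this commit matches only the exact string `true`. Values such as `True` or `1` therefore leave the proxy pull-only, which fails closed but will surprise operators. I would spell the contract out in the comment, for example `# Set to exactly "true" to allow push requests through the proxy; any other value keeps it pull-only (POST/PUT/DELETE get 405).`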

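--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -121,6 +121,29 @@ echo "Manifest caching config: ---"
 cat /etc/nginx/nginx.manifest.caching.config.conf
 echo "---"
 
+if [[ "a${ALLOW_PUSH}" == "atrue" ]]; then
+cat <<EOF > /etc/nginx/conf.d/allowed.methods.conf
+# allow to upload big layers
+client_max_body_size 0;
+
+# only cache GET requests
+proxy_cache_methods GET;
+EOF
+else
+cat <<EOF > /etc/nginx/conf.d/allowed.methods.conf
+# Block POST/PUT/DELETE. Don't use this proxy for pushing.
+if ($request_method = POST) {
+return 405 "POST method is not allowed";
+}
+if ($request_method = PUT) {
+return 405 "PUT method is not allowed";
+}
+if ($request_method = DELETE) {
+return 405 "DELETE method is not allowed";
+}
+EOF
+fi
+
 # normally use non-debug version of nginx
 NGINX_BIN="/usr/sbin/nginx"
 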
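Review bot: Both heredocs use an unquoted `<<EOF`, so in the `else` branch the shell expands `$request_method` before the file is written; unless that variable happens to be set in the container, the generated conditions read `if ( = POST) {`, which nginx will most likely reject and in any case will not apply as intended. This is the default path, because the Dockerfile sets `ALLOW_PUSH="false"`. Quoting the delimiter keeps the text literal: `cat <<'EOF' > /etc/nginx/conf.d/allowed.methods.conf`. Separately, the deny-list leaves out PATCH, which registry blob uploads also use; if this server block only has to serve pulls, an allow-list such as `if ($request_method !~ ^(GET|HEAD)$) { return 405; }` also covers methods the list does not name.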
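--- a/nginx.conf
+++ b/nginx.conf
@@ -201,9 +201,6 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 include /etc/nginx/caching.layer.listen;
 server_name _;
 
-# allow to upload big layers
-client_max_body_size 0;
-
 # Do some tweaked logging.
 access_log /var/log/nginx/access.log tweaked;
 set $docker_proxy_request_type "unknown";
@@ -222,6 +219,9 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 # Docker needs this. Don't ask.
 chunked_transfer_encoding on;
 
+# configuration of the different allowed methods
+include "/etc/nginx/conf.d/allowed.methods.conf"
+
 proxy_read_timeout 900;
 
 # Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
@@ -232,10 +232,6 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 # Cache all 200, 206 for 60 days.
 proxy_cache_valid 200 206 60d;
 
-proxy_cache_convert_head off;
-proxy_cache_methods GET;
-proxy_cache_key $scheme$request_method$proxy_host$request_uri;
-
 # Some extra settings to maximize cache hits and efficiency
 proxy_force_ranges on;
 proxy_ignore_client_abort on;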
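Review bot: The added `include "/etc/nginx/conf.d/allowed.methods.conf"` in the second hunk has no terminating `;` as shown here, so nginx would fail to parse the configuration; it should read `include "/etc/nginx/conf.d/allowed.methods.conf";`. Because the method restrictions now live only in that generated file, it is also worth confirming that nothing else pulls in `/etc/nginx/conf.d/*.conf` at `http` level, where the `if`/`return` directives it contains in pull-only mode are not allowed. The surrounding `server` block starts and ends outside these hunks, so I cannot check that from the diff.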
