mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-02 06:20:26 +08:00
9a22870dd7
This apache config is needed in order to allow auth to upload to the candidate registry. Without it, skopeo just gives a perm denied. Anytime the datacenter networks change this will also need updated. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
58 lines
1.4 KiB
Plaintext
58 lines
1.4 KiB
Plaintext
RequestHeader set X-Forwarded-Scheme https early
|
|
RequestHeader set X-Scheme https early
|
|
RequestHeader set X-Forwarded-Proto https early
|
|
ProxyPreserveHost On
|
|
|
|
RewriteEngine on
|
|
# redirect the top / level to the catalog.
|
|
RewriteRule ^/$ https://%{SERVER_NAME}/v2/_catalog [R]
|
|
|
|
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
|
|
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
|
|
|
|
# Only pull from v1
|
|
<Location /v1/>
|
|
<Limit GET HEAD>
|
|
Require all granted
|
|
</Limit>
|
|
<Limit POST PUT DELETE>
|
|
Require all denied
|
|
</Limit>
|
|
</Location>
|
|
|
|
# And disallow the fallback for v1 auth
|
|
<Location /v1/users/>
|
|
Require all denied
|
|
</Location>
|
|
|
|
# We require auth on /v2/ exactly to make sure that docker realizes it needs to
|
|
# send a username/password.
|
|
<Location /v2/>
|
|
AuthName "Candidate Registry Authentication"
|
|
AuthType Basic
|
|
AuthUserFile /etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
|
|
|
|
<RequireAny>
|
|
Require valid-user
|
|
<RequireAll>
|
|
Require not ip 10.16
|
|
# This require is because otherwise apache thinks the Require not ip is useless
|
|
Require method GET
|
|
</RequireAll>
|
|
</RequireAny>
|
|
</Location>
|
|
|
|
# But we allow random pulling by anyone without auth
|
|
<LocationMatch "/v2/.+">
|
|
# Anyone can read
|
|
<Limit GET HEAD>
|
|
Require all granted
|
|
</Limit>
|
|
|
|
# Write access to docker-deployer only
|
|
<Limit POST PUT DELETE>
|
|
Require valid-user
|
|
</Limit>
|
|
|
|
</LocationMatch>
|