fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf

RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
ProxyPreserveHost On

RewriteEngine on
RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L]

{% if env == "production" %}
RewriteCond %{HTTP:VIA} !cdn77
RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]
{% endif %}

# This is terible, but Docker.
RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$
RewriteRule ^/(.*)$ http://localhost:10048/$1 [P,L]
RewriteRule ^/(.*)$ http://localhost:6081/$1 [P,L]

SSLVerifyClient optional
SSLVerifyDepth 1
SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
SSLOptions +FakeBasicAuth

<Directory /srv/web/registry-signatures>
    Require all granted
</Directory>


<Location /v2>
  Order deny,allow
  Allow from all
  AuthName "Registry Authentication"
  AuthType Basic
  AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd

  # Anyone can read
  <Limit GET HEAD>
    Require all granted
  </Limit>

  # Write access to docker-deployer only
  <Limit POST PUT DELETE>
    Require valid-user
  </Limit>

</Location>