From 878b445abb45a4ff400666c767dc312f152a6184 Mon Sep 17 00:00:00 2001
From: Laszlo Valko
Date: Wed, 18 Jul 2018 04:10:02 +0200
Subject: [PATCH] Added web frontend, added nginx proxy.

---
 docker-compose.yml | 39 ++++++++++++++++-----
 nginx/nginx.conf   | 85 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 116 insertions(+), 8 deletions(-)
 create mode 100644 nginx/nginx.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index f79beb6..297ed1d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,19 +1,42 @@
 ---
-version: '3.2'
+version: '3.5'
 services:
   registry:
     image: registry:2
     container_name: registry
     environment:
-      REGISTRY_HTTP_ADDR: 0.0.0.0:${WEB_HTTPS_PORT}
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/fullchain.pem
-      REGISTRY_HTTP_TLS_KEY: /certs/privkey.pem
-#      REGISTRY_AUTH: htpasswd
-#      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-#      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+      REGISTRY_HTTP_ADDR: 0.0.0.0:${REGISTRY_PORT}
     volumes:
       - /var/lib/registry:/var/lib/registry
-      - /admin/src/docker-registry/ssl:/certs
+    networks:
+      - ldap.proxy
+    restart: unless-stopped
+  frontend:
+    image: konradkleine/docker-registry-frontend:v2
+    container_name: registry.frontend
+    environment:
+      ENV_DOCKER_REGISTRY_HOST: docker-registry
+      ENV_DOCKER_REGISTRY_PORT: ${REGISTRY_PORT}
+      ENV_REGISTRY_PROXY_FQDN: registry.karinthy.hu
+      ENV_REGISTRY_PROXY_PORT: ${FRONTEND_PORT}
+    links:
+      - registry:docker-registry
+    networks:
+      - ldap.proxy
+    restart: unless-stopped
+  nginx:
+    image: confirm/nginx-ldap
+    container_name: registry.nginx
+    volumes:
+      - /admin/src/docker-registry/nginx:/etc/nginx:ro
     ports:
       - "${EXTERNAL_IP}:${EXTERNAL_PORT}:${WEB_HTTPS_PORT}"
+    links:
+      - registry:docker-registry
+      - frontend:docker-frontend
+    networks:
+      - ldap.proxy
     restart: unless-stopped
+networks:
+  ldap.proxy:
+    name: ldap.proxy.net
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..b5f0033
--- /dev/null
+++ b/nginx/nginx.conf
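Review bot: The registry container now speaks plain HTTP with no authentication of its own — this hunk drops its TLS and htpasswd settings and leaves only `REGISTRY_HTTP_ADDR: 0.0.0.0:${REGISTRY_PORT}` — yet it is attached to `ldap.proxy.net`, which the `ldap://ldap.proxy/` URL in nginx.conf suggests is shared with at least the LDAP proxy, so any other container on that network can push and pull at `docker-registry:5000` without ever meeting nginx's `auth_ldap` check. The LDAP gate only holds if nginx is the sole path to the registry, so registry and frontend belong on a dedicated `internal: true` network with only nginx bridging the two; the `links` aliases keep resolving as long as each linked pair still shares a network. Separately, the kept `ports` mapping `"${EXTERNAL_IP}:${EXTERNAL_PORT}:${WEB_HTTPS_PORT}"` used to target the registry's own TLS listener and now has to match the `listen 443 ssl` hard-coded in nginx.conf, so `"${EXTERNAL_IP}:${EXTERNAL_PORT}:443"` is less fragile than a variable that must happen to be 443.
```yaml
services:
  registry:
    # … unchanged: image, container_name, environment, volumes …
    networks:
      - registry.internal
    restart: unless-stopped
  frontend:
    # … unchanged: image, container_name, environment, links …
    networks:
      - registry.internal
    restart: unless-stopped
  nginx:
    # … unchanged: image, container_name, volumes, links …
    ports:
      - "${EXTERNAL_IP}:${EXTERNAL_PORT}:443"
    networks:
      - ldap.proxy
      - registry.internal
    restart: unless-stopped
networks:
  ldap.proxy:
    name: ldap.proxy.net
  registry.internal:
    internal: true
```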
@@ -0,0 +1,85 @@
+error_log /dev/stdout info;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+    default_type application/octet-stream;
+
+    upstream docker-registry {
+        server docker-registry:5000;
+    }
+
+    upstream docker-frontend {
+        server docker-frontend:80;
+    }
+
+    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+        '' 'registry/2.0';
+    }
+
+    ldap_server ldap {
+        url ldap://ldap.proxy/dc=karinthy,dc=hu?uid?sub?(objectClass=posixAccount);
+        group_attribute memberUid;
+        group_attribute_is_dn off;
+        require group "cn=ciuser,ou=Groups,dc=karinthy,dc=hu"
+        require valid_user;
+    }
+
+    auth_ldap_cache_enabled on;
+    auth_ldap_cache_expiration_time 10;
+    auth_ldap_cache_size 512;
+
+    server {
+        listen 443 ssl;
+        server_name registry.karinthy.hu;
+
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!PSK:!EXPORT:!RC4:!MD5:!DES:!ADK:!CAMELLIA';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        client_max_body_size 0;
+        chunked_transfer_encoding on;
+
+        location / {
+            auth_ldap "Karinthy Docker Registry";
+            auth_ldap_servers ldap;
+
+            proxy_pass http://docker-frontend;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 900;
+        }
+
+        location /v2 {
+            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+                return 404;
+            }
+
+            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+            auth_ldap "Karinthy Docker Registry";
+            auth_ldap_servers ldap;
+
+            proxy_pass http://docker-registry;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 900;
+        }
+    }
+}
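Review bot: In the `ldap_server ldap` block the line `require group "cn=ciuser,ou=Groups,dc=karinthy,dc=hu"` has no terminating `;`, so nginx folds the following `require valid_user;` into it as extra arguments of a single `require` directive; whether nginx-auth-ldap rejects that at `nginx -t` or silently ignores the trailing tokens I can't tell from here, but the intended line is `require group "cn=ciuser,ou=Groups,dc=karinthy,dc=hu";`. The server URL is `ldap://`, so every `docker login` and browser Basic-auth password is forwarded to `ldap.proxy` as a cleartext simple bind; unless that hop is known to stay on a trusted internal network, it should be `ldaps://` (or whatever STARTTLS option the module build offers). `ssl_protocols TLSv1.1 TLSv1.2;` still admits the deprecated TLS 1.1 and the cipher list keeps CBC/SHA-1 suites (`!ADK` also looks like a typo for `!ADH`, harmless only because `!aNULL` already excludes anonymous suites); `ssl_protocols TLSv1.2;` with the list trimmed to the `ECDHE-*-GCM-*` entries is the usual hardening for a registry endpoint. Since the host is TLS-only, an `add_header Strict-Transport-Security "max-age=31536000" always;` in the `server` block and `location /v2/` instead of the bare `/v2` prefix would round this out.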