Improve Caddyfile and use registry config file

2025-07-13 10:53:33 -04:00 · 2025-07-13 10:53:33 -04:00 · a43f2003d0
commit a43f2003d0
parent 03dac72b90
4 changed files with 98 additions and 37 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -692,7 +692,7 @@ sudo cp /opt/APP_NAME/registry/docker-compose.registry.yml docker-compose.yml
 sudo cp /opt/APP_NAME/registry/Caddyfile Caddyfile

 # Update Caddyfile with your actual IP address
-sudo sed -i "s/registry.example.com/YOUR_CI_CD_IP/g" Caddyfile
+sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" Caddyfile

 # Create environment file for registry authentication
 # First, create a secure password hash
@ -716,28 +716,11 @@ sudo chmod 600 .env
 sudo mkdir -p /opt/registry/data
 sudo chown registry:registry /opt/registry/data

-# Create registry configuration (no authentication needed - Caddy handles it)
-sudo tee /opt/registry/config.yml << 'EOF'
-version: 0.1
-log:
-  level: debug
-storage:
-  filesystem:
-    rootdirectory: /var/lib/registry
-  delete:
-    enabled: true
-http:
-  addr: :5000
-  headers:
-    X-Content-Type-Options: [nosniff]
-middleware:
-  repository:
-    - name: AwsEc2PublicBlock
-  storage:
-    - name: Redirect
-      options:
-        baseurl: https://YOUR_CI_CD_IP
-EOF
+# Copy registry configuration from repository
+sudo cp /opt/APP_NAME/registry/config.yml /opt/registry/config.yml
+
+# Update the baseurl with your actual IP address
+sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml

 # Set proper permissions
 sudo chown registry:registry /opt/registry/config.yml
@ -802,8 +785,8 @@ sudo journalctl -u docker-registry.service -f
 The Docker Registry is now configured with the following access model:

 **Authentication Model:**
- **Pulls**: Unauthenticated (public read access)
- **Pushes**: Require authentication with `registry-user` credentials
+- **Pulls**: Unauthenticated (public read access) - `/v2/*/blobs/*`, `/v2/*/manifests/*`, `/v2/_catalog`, `/v2/*/tags/list`
+- **Pushes**: Require authentication with `registry-user` credentials - `/v2/*/blobs/uploads/*`, `/v2/*/manifests/*` (PUT/POST/PATCH/DELETE)

 **Registry Credentials:**
 - **Username**: `registry-user`
@ -811,7 +794,13 @@ The Docker Registry is now configured with the following access model:

 **Registry URL**: `https://YOUR_CI_CD_IP`

-**Note**: The authentication is handled by Caddy using the environment variables in the `.env` file. The Docker Registry itself runs without authentication, but Caddy enforces authentication for push operations.
+**Security Features:**
+- **URL-based access control**: Different paths require different authentication levels
+- **Method-based restrictions**: Push operations (PUT/POST/PATCH/DELETE) require authentication
+- **Path validation**: Prevents method spoofing by validating both URL patterns and HTTP methods
+- **Security headers**: X-Content-Type-Options, X-Frame-Options for additional protection
+
+**Note**: The authentication is handled by Caddy using the environment variables in the `.env` file. The Docker Registry itself runs without authentication, but Caddy enforces authentication for push operations based on URL patterns and HTTP methods.

 #### 5.8 Test Registry Setup

--- a/registry/Caddyfile
+++ b/registry/Caddyfile
@ -1,25 +1,63 @@
-
 (registry_auth) {
    basicauth {
        {env.REGISTRY_USERNAME} {env.REGISTRY_PASSWORD_HASH}
    }
 }

-https://registry.example.com {
-    import registry_auth
-    reverse_proxy registry:5000
+YOUR_CI_CD_IP {
+    # Security headers
    header {
        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
    }

-    @push method POST PUT PATCH DELETE
-    handle @push {
+    # Handle registry operations based on URL patterns
+    @push_operations {
+        path /v2/*/blobs/uploads/*
+        path /v2/*/manifests/*
+        method PUT POST PATCH DELETE
+    }
+
+    @pull_operations {
+        path /v2/*/blobs/*
+        path /v2/*/manifests/*
+        path /v2/_catalog
+        path /v2/*/tags/list
+        method GET HEAD OPTIONS
+    }
+
+    # Require authentication for push operations
+    handle @push_operations {
        import registry_auth
-        reverse_proxy registry:5000
+        reverse_proxy registry:5000 {
+            header_up Authorization {http.request.header.Authorization}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+        }
    }

-    @pull method GET HEAD OPTIONS
-    handle @pull {
-        reverse_proxy registry:5000
+    # Allow unauthenticated pull operations
+    handle @pull_operations {
+        reverse_proxy registry:5000 {
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+        }
    }
-}
+
+    # Block all other requests
+    handle {
+        respond "Registry operation not allowed" 405
+    }
+
+    # Logging
+    log {
+        output file /var/log/caddy/registry.log
+        format json
+        level INFO
+    }
+
+    # Compression
+    encode zstd gzip
+}
--- a/registry/README.md
+++ b/registry/README.md
@ -6,6 +6,7 @@ This folder contains the configuration files for the Docker Registry setup used

 - **`docker-compose.registry.yml`**: Docker Compose configuration for the registry and Caddy reverse proxy
 - **`Caddyfile`**: Caddy configuration for HTTPS and authentication
+- **`config.yml`**: Docker Registry configuration file
 - **`README.md`**: This documentation file

 ## Architecture
@ -18,7 +19,20 @@ The registry setup uses:
 ## Authentication Model

 - **Pulls**: Unauthenticated (public read access)
+  - `/v2/*/blobs/*` - Download image layers
+  - `/v2/*/manifests/*` - Download image manifests
+  - `/v2/_catalog` - List repositories
+  - `/v2/*/tags/list` - List image tags
 - **Pushes**: Require authentication with `registry-user` credentials
+  - `/v2/*/blobs/uploads/*` - Upload image layers
+  - `/v2/*/manifests/*` (PUT/POST/PATCH/DELETE) - Upload/update manifests
+
+## Security Features
+
+- **URL-based access control**: Different paths require different authentication levels
+- **Method-based restrictions**: Push operations require authentication
+- **Path validation**: Prevents method spoofing by validating both URL patterns and HTTP methods
+- **Security headers**: X-Content-Type-Options, X-Frame-Options for additional protection

 ## Configuration

@ -26,6 +40,7 @@ The setup is configured through:
 1. **Environment Variables**: Stored in `.env` file (created during setup)
 2. **Caddyfile**: Handles HTTPS and authentication
 3. **Docker Compose**: Orchestrates the registry and Caddy services
+4. **Registry Config**: `config.yml` contains the Docker Registry configuration

 ## Usage

--- a/registry/config.yml
+++ b/registry/config.yml
@ -0,0 +1,19 @@
+version: 0.1
+log:
+  level: debug
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+  delete:
+    enabled: true
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+middleware:
+  repository:
+    - name: AwsEc2PublicBlock
+  storage:
+    - name: Redirect
+      options:
+        baseurl: https://YOUR_CI_CD_IP