Caddyfile
# Reusable snippet: HTTP Basic authentication for the registry.
# The username and the password hash come from the environment variables
# REGISTRY_USERNAME and REGISTRY_PASSWORD_HASH, so no credential is stored in
# this file. The second field is a password hash, not the plaintext password
# (`caddy hash-password` produces one).
# NOTE(review): Caddy 2.8 renamed this directive to basic_auth and deprecated
# the basicauth spelling - confirm against the Caddy version deployed here.
(registry_auth) {
    basicauth {
        {env.REGISTRY_USERNAME} {env.REGISTRY_PASSWORD_HASH}
    }
}
# Site block for the container registry front end.
# YOUR_DOMAIN_NAME is a template placeholder and must be replaced with the
# real host name before this file is loaded.
YOUR_DOMAIN_NAME {
    # Use generated TLS certificate
    # The certificate and key are loaded from these files rather than obtained
    # by Caddy's automatic HTTPS.
    # NOTE(review): if the generated certificate is self-signed or issued by a
    # private CA, every registry client needs that CA in its trust store;
    # registry.key should be readable only by the Caddy process - confirm.
    tls /etc/caddy/certs/registry.crt /etc/caddy/certs/registry.key

    # Security headers
    # Added to every response from this site, including the 405 fallback.
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
    }

    # Handle registry operations based on URL patterns
    # Inside a named matcher the path lines are alternatives (OR) and the
    # result is combined with the method line (AND).
    # Write side: state-changing methods on blob-upload and manifest paths.
    # NOTE(review): verify that multi-segment repository names (for example
    # org/image) match these globs on the deployed Caddy version; a request that
    # matches neither matcher ends in the 405 fallback below.
    @push_operations {
        path /v2/*/blobs/uploads/*
        path /v2/*/manifests/*
        method PUT POST PATCH DELETE
    }

    # Read side: GET/HEAD/OPTIONS on blobs, manifests, the catalog and tag lists.
    # The method sets of the two matchers are disjoint, so a request can match
    # at most one of them.
    # NOTE(review): /v2/*/blobs/* also covers /v2/*/blobs/uploads/*, so read
    # methods on upload sessions are served without authentication.
    # NOTE(review): /v2/_catalog and /v2/*/tags/list are anonymous here, which
    # lets any client list repository and tag names; acceptable for a public
    # registry, otherwise put them behind registry_auth.
    # NOTE(review): the API base path /v2/ itself is in neither matcher and
    # gets the 405 fallback - confirm that the registry clients in use
    # tolerate that.
    @pull_operations {
        path /v2/*/blobs/*
        path /v2/*/manifests/*
        path /v2/_catalog
        path /v2/*/tags/list
        method GET HEAD OPTIONS
    }

    # Require authentication for push operations
    # registry_auth (Basic auth) runs before the request is proxied.
    handle @push_operations {
        import registry_auth
        reverse_proxy registry:5000 {
            # Passes the client's Authorization header, i.e. the Basic
            # credentials Caddy has just verified, on to the upstream.
            # NOTE(review): reverse_proxy forwards request headers by default,
            # so this line looks redundant; if the upstream does not
            # authenticate on its own, consider whether it should receive the
            # credential at all.
            header_up Authorization {http.request.header.Authorization}
            # The X-Forwarded-* values are set from what Caddy itself observed
            # (peer address, scheme, host), replacing any value the client sent.
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
        }
    }

    # Allow unauthenticated pull operations
    # No registry_auth import here: anyone who can reach this site can read.
    # NOTE(review): the upstream address carries no scheme, so this hop is plain
    # HTTP; presumably registry is a container on a private network - confirm
    # that port 5000 is not reachable from outside, because the write
    # protection above exists only in this proxy.
    handle @pull_operations {
        reverse_proxy registry:5000 {
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
        }
    }

    # Block all other requests
    # Fallback for anything neither matcher accepted: the request is answered
    # here and never reaches the registry.
    handle {
        respond "Registry operation not allowed" 405
    }

    # Logging
    # JSON access log written to a file; it records pushes, pulls and rejected
    # requests alike, which makes it the audit trail for registry writes.
    log {
        output file /var/log/caddy/registry.log
        format json
        level INFO
    }

    # Compression
    # Responses are compressed with zstd or gzip when the client accepts it.
    encode zstd gzip
}