Basic support for https

liangliu-lab · May 3, 2016 · ddc54a6 · ddc54a6
1 parent 8fb254f
commit ddc54a6
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 37 deletions.
diff --git a/registry/Dockerfile b/registry/Dockerfile
@@ -16,6 +16,8 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
 
 COPY wsgi.conf /
 COPY proxy.conf /
+COPY locations.conf /
+COPY https.conf /
 
 COPY start.sh /
 COPY nginx.conf /

diff --git a/registry/Makefile b/registry/Makefile
@@ -2,6 +2,7 @@ TAG ?= $(shell git describe --match 'v[0-9]*' --dirty='.m' --always)
 IMAGE ?= ipfs-registry
 CONT ?= $(IMAGE)
 REMOTE = jvassev
+EXTRA ?=
 IPFS_GATEWAY ?= http://localhost:8080
 
 build:
@@ -29,4 +30,7 @@ run: stop build
 		$(EXTRA_ARGS) \
 		--net=host \
 		-e IPFS_GATEWAY=$(IPFS_GATEWAY) \
+		-e HTTPS_CERT=$(HTTPS_CERT) \
+		-e HTTPS_KEY=$(HTTPS_KEY) \
+		$(EXTRA) \
 		$(IMAGE):latest
diff --git a/registry/https.conf b/registry/https.conf
@@ -0,0 +1,14 @@
+server {
+    listen 443;
+    ssl on;
+    ssl_certificate     #HTTPS_CERT#;
+    ssl_certificate_key #HTTPS_KEY#;
+    ssl_session_timeout 5m;
+    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+    ssl_prefer_server_ciphers on;
+
+    client_max_body_size 512M;
+
+    include /locations.conf;
+}
diff --git a/registry/locations.conf b/registry/locations.conf
@@ -0,0 +1,27 @@
+location /v2 {
+    # uwsgi over http to preserve all Accept headers
+    # https://github.com/unbit/uwsgi/commit/8a032b41ec356f85104cc856922a18f4eee9b407
+    proxy_pass http://127.0.0.1:4444;
+}
+
+location ~ /ipfs/.*/latest-v2$ {
+    include /proxy.conf;
+
+    # override content-type set by gateway, must clear original value,
+    # otherwise docker is confused
+    proxy_hide_header Content-type;
+    add_header Content-type application/vnd.docker.distribution.manifest.v2+json;
+}
+
+location ~ /ipfs/.*/latest-v1$ {
+    include /proxy.conf;
+
+    # override content-type set by gateway, must clear original value,
+    # otherwise docker is confused
+    proxy_hide_header Content-type;
+    add_header Content-type application/vnd.docker.distribution.manifest.v1+prettyjws;
+}
+
+location /ipfs/ {
+    include /proxy.conf;
+}
diff --git a/registry/nginx.conf b/registry/nginx.conf
@@ -24,41 +24,13 @@ http {
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-    upstream ipfs {
-        server @IPFS@;
-    }
+    #HTTPS#
 
     server {
         listen 5000 default_server;
         server_name _;
         client_max_body_size 512M;
 
-        location /v2 {
-            # uwsgi over http to preserve all Accept headers
-            # https://github.com/unbit/uwsgi/commit/8a032b41ec356f85104cc856922a18f4eee9b407
-            proxy_pass http://127.0.0.1:4444;
-        }
-
-        location ~ /ipfs/.*/latest-v2$ {
-            include /proxy.conf;
-
-            # override content-type set by gateway, must clear original value,
-            # otherwise docker is confused
-            proxy_hide_header Content-type;
-            add_header Content-type application/vnd.docker.distribution.manifest.v2+json;
-        }
-
-        location ~ /ipfs/.*/latest-v1$ {
-            include /proxy.conf;
-
-            # override content-type set by gateway, must clear original value,
-            # otherwise docker is confused
-            proxy_hide_header Content-type;
-            add_header Content-type application/vnd.docker.distribution.manifest.v1+prettyjws;
-        }
-
-        location /ipfs/ {
-            include /proxy.conf;
-        }
+        include /locations.conf;
     }
 }
diff --git a/registry/proxy.conf b/registry/proxy.conf
@@ -1,4 +1,4 @@
-proxy_pass       http://ipfs;
+proxy_pass       #IPFS#;
 proxy_set_header Host      $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

diff --git a/registry/start.sh b/registry/start.sh
@@ -1,15 +1,21 @@
 #!/bin/bash
 
-IPFS=${IPFS_GATEWAY//https:\/\//}
-IPFS=${IPFS//http:\/\//}
-IPFS=${IPFS%%/}
+IPFS=${IPFS_GATEWAY%%/}
 
 # improvised templating engine
-sed -i  "s|@IPFS@|$IPFS|g" /nginx.conf
+sed -i "s|#IPFS#|$IPFS|g" /proxy.conf
+cat /proxy.conf
+
+if [ x$HTTPS_CERT != 'x' ];then
+    sed -i "s|#HTTPS#|include /https.conf;|g" /nginx.conf
+    sed -i "s|#HTTPS_KEY#|$HTTPS_KEY|g" /https.conf
+    sed -i "s|#HTTPS_CERT#|$HTTPS_CERT|g" /https.conf
+    cat /https.conf
+fi
 
 cat /nginx.conf
 
-# TODO manage processes with upervisor
+# TODO manage processes with supervisor
 uwsgi --daemonize /var/log/uwsgi.log --ini /wsgi.conf
 
-nginx -c /nginx.conf -g "daemon off;"
+nginx -c /nginx.conf -g "daemon off;"