From: Kevin Fenzi <kevin@xxxxxxxxx> When composing with flatpaks, we need to download them, but right now we always download them from the cdn, but thats blocked in builders. Instead add a new host that bypasses the cdn and use it for composes, so it pulls all the images directly from our registry.fedoraproject.org. Signed-off-by: Kevin Fenzi <kevin@xxxxxxxxx>
---
 playbooks/include/proxies-reverseproxy.yml | 9 +++
 .../reversepassproxy.registry-no-cdn-fedora.conf | 38 ++++++++++++
 .../reversepassproxy.registry-no-cdn-generic.conf | 72 ++++++++++++++++++++++
 3 files changed, 119 insertions(+)
 create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-fedora.conf
 create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-generic.conf
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 63fb246..ab1e242 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -651,6 +651,15 @@
 - registry
 - role: httpd/reverseproxy
+ website: registry-no-cdn.fedoraproject.org
+ destname: registry-no-cdn-fedora
+ # proxyurl in this one is totally ignored, because Docker.
+ # (turns out it uses PATCH requests that Varnish cannot deal with)
+ proxyurl: "{{ varnish_url }}"
+ tags:
+ - registry
+
+ - role: httpd/reverseproxy
 website: registry.centos.org
 destname: registry-centos
 # proxyurl in this one is totally ignored, because Docker.
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-fedora.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-fedora.conf
new file mode 100644
index 0000000..bdb7d0d
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-fedora.conf
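Review bot: Nothing in the new role entry records why registry-no-cdn.fedoraproject.org exists; it reads exactly like the public registry entries around it, and the reason (compose/builder hosts cannot reach the CDN, per the commit message) will be lost to the next reader of the playbook. A one-line comment on the entry would carry it, e.g. `# Same backend as registry.fedoraproject.org but not fronted by the CDN; used by compose/builder hosts that cannot reach the CDN.` The copied proxyurl comment still holds here, since the /v2 routing is done by the included template rather than by proxyurl. The enclosing role list continues outside the hunk.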
@@ -0,0 +1,38 @@
+RewriteEngine on
+
+RewriteRule ^/v2/latest/(.*) /v2/f27/$1 [R,L]
+
+{% if env == "staging-new" %}
+RewriteRule ^/v2/(.*) /v2/fedora/$1
+{% endif %}
+
+RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L]
+
+<Directory /srv/web/registry-signatures>
+ Require all granted
+</Directory>
+
+{% include './reversepassproxy.registry-no-cdn-generic.conf' %}
+
+# Write access to docker-deployer only
+{% if env == "staging-new" %}
+ <Location /v2/fedora>
+ <LimitExcept GET HEAD>
+ Require user docker-registry-internal-stg
+ </LimitExcept>
+ </Location>
+ <Location /v2/centos>
+ Require all denied
+ </Location>
+
+{% else %}
+
+<Location /v2>
+ <Limit GET HEAD>
+ require all granted
+ </Limit>
+ <LimitExcept GET HEAD>
+ require valid-user
+ </LimitExcept>
+</Location>
+{% endif %}
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-generic.conf
new file mode 100644
index 0000000..54fc273
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-no-cdn-generic.conf
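Review bot: In the `{% else %}` branch the new vhost grants `require valid-user` for every method other than GET and HEAD under /v2, so registry-no-cdn.fedoraproject.org becomes a second hostname through which pushes are authorized, although the commit message says it exists only so composes can pull. If pulls are all this host needs, the `<LimitExcept GET HEAD>` block can simply be `Require all denied` (and likewise the staging-new `Require user docker-registry-internal-stg` block), which keeps push authorization on the one hostname meant to accept it. The file also looks like a copy of the existing registry template with only the include path changed; if so, the `/v2/latest` to `/v2/f27` redirect and the env branches will have to be kept in sync by hand, which deserves a comment at the top naming the template it mirrors.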
@@ -0,0 +1,72 @@
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+ProxyPreserveHost On
+
+# This is terible, but Docker.
+RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$
+{% if env == "production" %}
+RewriteRule ^/v2/(.*)$ http://oci-registry02:5000/v2/$1 [P,L]
+{% elif env == "staging" %}
+RewriteRule ^/v2/(.*)$ http://oci-registry01:5000/v2/$1 [P,L]
+{% endif %}
+RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L]
+
+RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1
+RewriteCond "&%{QUERY_STRING}" &tag=testing
+RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+)
+RewriteRule "^/index/static$" /index/flatpak-testing-%1.json [L,PT]
+
+RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1
+RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+)
+RewriteRule "^/index/static$" /index/flatpak-%1.json [L,PT]
+
+RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1
+RewriteCond "&%{QUERY_STRING}" &tag=testing
+RewriteRule "^/index/static$" /index/flatpak-testing.json [L,PT]
+
+RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1
+RewriteRule "^/index/static$" /index/flatpak.json [L,PT]
+
+DocumentRoot /srv/web/registry-index/
+
+<Directory /srv/web/registry-index>
+ Require all granted
+</Directory>
+
+SSLVerifyClient optional
+SSLVerifyDepth 1
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
+SSLOptions +FakeBasicAuth
+
+<Location /v2>
+ AuthName "Registry Authentication"
+ AuthType Basic
+ AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd
+
+ <Limit GET HEAD>
+ Require all granted
+ </Limit>
+</Location>
+
+Alias "/index/" "/srv/web/registry-index/index/"
+Alias "/app-icons/" "/srv/web/registry-index/icons/"
+
+<Directory “/srv/web/registry-index/index/">
+ Options +FollowSymLinks
+
+ ExpiresActive on
+ ExpiresDefault "access plus 30 minutes"
+
+ AllowOverride None
+ Require all granted
+</Directory>
+
+<Directory "/srv/web/registry-index/icons/">
+ ExpiresActive on
+ ExpiresDefault "access plus 1 year"
+
+ AllowOverride None
+ Options +Indexes
+ Require all granted
+</Directory>
--
1.8.3.1
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
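Review bot: The opening quote in `<Directory “/srv/web/registry-index/index/">` is a Unicode left double quote (U+201C) rather than `"`, so httpd will not parse it as a quoted argument and the `Options`/`Expires`/`Require` settings in that block will attach to a path that does not exist instead of /srv/web/registry-index/index/; it should read `<Directory "/srv/web/registry-index/index/">`. Separately, the write-method backend is chosen only for `env == "production"` and `env == "staging"`, while the fedora template that includes this file branches on `env == "staging-new"`; in an environment named `staging-new` neither proxy rule is emitted, so the `RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$` attaches to the following `RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L]` and write requests go to the Varnish port the playbook comment says cannot handle them — presumably the two env names are meant to agree. `Options +Indexes` on the icons directory also turns on directory listing for /app-icons/, which is fine if intended but worth a one-line comment.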