coreweave · Jan 24, 2024 · Jan 24, 2024 · Jan 26, 2024 · Jan 26, 2024 · Jan 25, 2025
Showing with 168 additions and 225 deletions.

+0 −16 .github/workflows/mirror.yaml

+60 −0 .github/workflows/publish-image.yml

+0 −100 .gitlab-ci.yml

+0 −28 .releaserc.yaml

+4 −6 Dockerfile

+101 −72 create_ca_cert.sh

+2 −2 entrypoint.sh

+1 −1 nginx.conf
diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
@@ -0,0 +1,60 @@
+name: Release container image
+
+permissions:
+  contents: read
+  packages: write
+
+on:
+  workflow_dispatch:
+
+# Only allow one Job at the time
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    name: Release container image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/gitpod-io/docker-registry-proxy
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=sha
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}         
+          platforms: linux/amd64, linux/arm64
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
diff --git a/.releaserc.yaml b/.releaserc.yaml
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,11 @@
-# We start from my nginx fork which includes the proxy-connect module from tEngine
-# Source is available at https://github.com/rpardini/nginx-proxy-connect-stable-alpine
-# This is already multi-arch!
-ARG BASE_IMAGE="docker.io/rpardini/nginx-proxy-connect-stable-alpine:nginx-1.20.1-alpine-3.12.7"
+# Update image once
+ARG BASE_IMAGE=ghcr.io/gitpod-io/nginx-with-proxy-connect:sha-2331b78
 # Could be "-debug"
 ARG BASE_IMAGE_SUFFIX="${IMAGE_SUFFIX}"
 FROM ${BASE_IMAGE}${BASE_IMAGE_SUFFIX}
 
 # Link image to original repository on GitHub
-LABEL org.opencontainers.image.source https://github.com/rpardini/docker-registry-proxy
+LABEL org.opencontainers.image.source https://github.com/gitpod-io/docker-registry-proxy
 
 # apk packages that will be present in the final image both debug and release
 RUN apk add --no-cache --update bash ca-certificates-bundle coreutils openssl
@@ -78,7 +76,7 @@ ENV DEBUG_NGINX="false"
 # Enable slow caching tier; this allows caching in a secondary cache path on e.g a larger slower disk; for known URIs defined in SLOW_TIER_URIS
 ENV SLOW_TIER_ENABLED="false"
 # Statically define worker_processes; defaults to auto
-ENV WORKER_PROCESSES="auto"
+ENV WORKER_PROCESSES="2"
 
 # Manifest caching tiers. Disabled by default, to mimick 0.4/0.5 behaviour.
 # Setting it to true enables the processing of the ENVs below.

diff --git a/create_ca_cert.sh b/create_ca_cert.sh
@@ -2,12 +2,50 @@
 
 set -Eeuo pipefail
 
-declare -i DEBUG=0
+# Default values
+CERT_PASSWORD=${CERT_PASSWORD:-foobar} # Allow override via environment
+KEY_SIZE_CA=${KEY_SIZE_CA:-4096}
+KEY_SIZE_WEB=${KEY_SIZE_WEB:-2048}
+ENCRYPTION_CIPHER="des3"
+ALLDOMAINS=${ALLDOMAINS:-"gitpod.local"}
+
+# Cleanup function
+cleanup() {
+	local exit_code=$?
+	# Clean up temporary files if any
+	rm -f *.tmp 2>/dev/null
+	exit $exit_code
+}
+
+trap cleanup EXIT
+trap 'trap - EXIT; cleanup; exit -1' INT PIPE TERM
 
+# Enhanced logging
 logInfo() {
-    echo "INFO: $@"
+	echo "[INFO] $(date '+%Y-%m-%d %H:%M:%S') - $*"
 }
 
+logError() {
+	echo "[ERROR] $(date '+%Y-%m-%d %H:%M:%S') - $*" >&2
+}
+
+# Create directory with proper permissions
+create_secure_dir() {
+	local dir=$1
+	mkdir -p "$dir"
+	chmod 700 "$dir"
+}
+
+# Generate key with proper permissions
+generate_secure_key() {
+	local keyfile=$1
+	local keysize=$2
+	openssl genrsa -${ENCRYPTION_CIPHER} -passout "pass:${CERT_PASSWORD}" -out "$keyfile" "$keysize" &>/dev/null
+	chmod 600 "$keyfile"
+}
+
+# Main script starts here
+
 PROJ_NAME=DockerMirrorBox
 logInfo "Will create certificate with names $ALLDOMAINS"
 
@@ -22,103 +60,94 @@ CN_CA=${CN_CA:0:64}
 CN_IA=${CN_IA:0:64}
 CN_WEB=${CN_WEB:0:64}
 
-mkdir -p /certs /ca
+mkdir -p /certs ca
 cd /ca
 
 CA_KEY_FILE=${CA_KEY_FILE:-/ca/ca.key}
 CA_CRT_FILE=${CA_CRT_FILE:-/ca/ca.crt}
 CA_SRL_FILE=${CA_SRL_FILE:-/ca/ca.srl}
 
-if [ -f "$CA_CRT_FILE" ] ; then
-    logInfo "CA already exists. Good. We'll reuse it."
-    if [ ! -f "$CA_SRL_FILE" ] ; then
-        echo 01 > ${CA_SRL_FILE}
-    fi
+if [ -f "$CA_CRT_FILE" ]; then
+	logInfo "CA already exists. Good. We'll reuse it."
+	if [ ! -f "$CA_SRL_FILE" ]; then
+		echo 01 >"${CA_SRL_FILE}"
+	fi
 else
-    logInfo "No CA was found. Generating one."
-    logInfo "*** Please *** make sure to mount /ca as a volume -- if not, everytime this container starts, it will regenerate the CA and nothing will work."
-
-    openssl genrsa -des3 -passout pass:foobar -out ${CA_KEY_FILE} 4096
-
-    logInfo "generate CA cert with key and self sign it: ${CAID}"
-    openssl req -new -x509 -days 1300 -sha256 -key ${CA_KEY_FILE} -out ${CA_CRT_FILE} -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_CA}" -extensions IA -config <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
-)
-
-    [[ ${DEBUG} -gt 0 ]] && logInfo "show the CA cert details"
-    [[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ${CA_CRT_FILE}
-
-    echo 01 > ${CA_SRL_FILE}
+	logInfo "No CA was found. Generating one."
+	logInfo "*** Please *** make sure to mount /ca as a volume -- if not, everytime this container starts, it will regenerate the CA and nothing will work."
+
+	create_secure_dir "/ca"
+	generate_secure_key "${CA_KEY_FILE}" "${KEY_SIZE_CA}"
+
+	logInfo "generate CA cert with key and self sign it: ${CAID}"
+	openssl req -new -x509 -days 36500 -sha256 -key "${CA_KEY_FILE}" -out "${CA_CRT_FILE}" -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_CA}" -extensions IA -config <(
+		cat <<-EOF
+			[req]
+			distinguished_name = dn
+			[dn]
+			[IA]
+			basicConstraints = critical,CA:TRUE
+			keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+			subjectKeyIdentifier = hash
+		EOF
+	)
+
+	echo 01 >"${CA_SRL_FILE}"
 
 fi
 
 cd /certs
 
 logInfo "Generate IA key"
-openssl genrsa -des3 -passout pass:foobar -out ia.key 4096 &> /dev/null
+openssl genrsa -des3 -passout pass:foobar -out ia.key 4096 &>/dev/null
 
 logInfo "Create a signing request for the IA: ${CAID}"
-openssl req -new -key ia.key -out ia.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_IA}" -reqexts IA -config <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE,pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
+openssl req -new -key ia.key -out ia.csr -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_IA}" -reqexts IA -config <(
+	cat <<-EOF
+		[req]
+		distinguished_name = dn
+		[dn]
+		[IA]
+		basicConstraints = critical,CA:TRUE,pathlen:0
+		keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+		subjectKeyIdentifier = hash
+	EOF
 )
 
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in ia.csr -noout -text
-
 logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
-openssl x509 -req -days 730 -in ia.csr -CA ${CA_CRT_FILE} -CAkey ${CA_KEY_FILE} -CAserial ${CA_SRL_FILE} -out ia.crt -passin pass:foobar -extensions IA -extfile <(
-cat <<-EOF
-[req]
-distinguished_name = dn
-[dn]
-[IA]
-basicConstraints = critical,CA:TRUE,pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-EOF
-) &> /dev/null
-
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "show the IA cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in ia.crt
+openssl x509 -req -days 36500 -in ia.csr -CA "${CA_CRT_FILE}" -CAkey "${CA_KEY_FILE}" -CAserial "${CA_SRL_FILE}" -out ia.crt -passin pass:foobar -extensions IA -extfile <(
+	cat <<-EOF
+		[req]
+		distinguished_name = dn
+		[dn]
+		[IA]
+		basicConstraints = critical,CA:TRUE,pathlen:0
+		keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+		subjectKeyIdentifier = hash
+	EOF
+) &>/dev/null
 
 logInfo "Initialize the serial number for signed certificates"
-echo 01 > ia.srl
+echo 01 >ia.srl
 
 logInfo "Create the key (w/o passphrase..)"
-openssl genrsa -des3 -passout pass:foobar -out web.orig.key 2048 &> /dev/null
-openssl rsa -passin pass:foobar -in web.orig.key -out web.key  &> /dev/null
+openssl genrsa -des3 -passout pass:foobar -out web.orig.key 2048 &>/dev/null
+openssl rsa -passin pass:foobar -in web.orig.key -out web.key &>/dev/null
 
 logInfo "Create the signing request, using extensions"
-openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=NL/ST=Noord Holland/L=Amsterdam/O=ME/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}"))
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the singing request, to make sure extensions are there"
-[[ ${DEBUG} -gt 0 ]] && openssl req -in web.csr -noout -text
+openssl req -new -key web.key -sha256 -out web.csr -passin pass:foobar -subj "/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT/CN=${CN_WEB}" -reqexts SAN -config <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=DNS:%s" "$ALLDOMAINS"))
 
 logInfo "Sign the request, using the intermediate cert and key"
-openssl x509 -req -days 365 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf "[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=${ALLDOMAINS}"))  &> /dev/null
-
-[[ ${DEBUG} -gt 0 ]] && logInfo "Show the final cert details"
-[[ ${DEBUG} -gt 0 ]] && openssl x509 -noout -text -in web.crt
+openssl x509 -req -days 36500 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt -passin pass:foobar -extensions SAN -extfile <(cat <(printf '[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=DNS:%s' "$ALLDOMAINS")) &>/dev/null
 
 logInfo "Concatenating fullchain.pem..."
-cat web.crt ia.crt ${CA_CRT_FILE}  > fullchain.pem
+cat web.crt ia.crt "${CA_CRT_FILE}" >fullchain.pem
 
 logInfo "Concatenating fullchain_with_key.pem"
-cat fullchain.pem web.key > fullchain_with_key.pem
+cat fullchain.pem web.key >fullchain_with_key.pem
+
+# Secure the generated files
+chmod 600 /certs/*.key
+chmod 644 /certs/*.crt /certs/*.pem
+
+logInfo "Certificate generation completed successfully"
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -46,7 +46,7 @@ ALLDOMAINS=""
 echo -n "" > /etc/nginx/docker.intercept.map
 
 # Some hosts/registries are always needed, but others can be configured in env var REGISTRIES
-for ONEREGISTRYIN in docker.caching.proxy.internal registry-1.docker.io auth.docker.io ${REGISTRIES}; do
+for ONEREGISTRYIN in gitpod.local docker.caching.proxy.internal registry-1.docker.io auth.docker.io ${REGISTRIES}; do
     ONEREGISTRY=$(echo ${ONEREGISTRYIN} | xargs) # Remove whitespace
     echo "Adding certificate for registry: $ONEREGISTRY"
     ALLDOMAINS="${ALLDOMAINS},DNS:${ONEREGISTRY}"
@@ -105,7 +105,7 @@ CACHE_DIRECTORY=${CACHE_DIRECTORY:-/docker_mirror_cache}
 
 # The cache directory. This can get huge. Better to use a Docker volume pointing here!
 # Set to 32gb which should be enough
-echo "proxy_cache_path ${CACHE_DIRECTORY} levels=1:2 max_size=${CACHE_MAX_SIZE:-15g} min_free=${CACHE_MIN_FREE:-1g} inactive=${CACHE_INACTIVE_TIME:-60d} keys_zone=cache:${CACHE_KEYS_ZONE:-15m} use_temp_path=off manager_threshold=${CACHE_MANAGER_THRESHOLD:-1000ms} manager_sleep=${CACHE_MANAGER_SLEEP:-250ms} manager_files=${CACHE_MANAGER_FILES:-100} loader_files=${CACHE_LOADER_FILES:-100} loader_threshold=${CACHE_LOADER_THRESHOLD:-200ms} loader_sleep=${CACHE_LOADER_SLEEP:-50ms};" > /etc/nginx/conf.d/cache_max_size.conf
+echo "proxy_cache_path ${CACHE_DIRECTORY} levels=1:2 max_size=${CACHE_MAX_SIZE} min_free=${CACHE_MIN_FREE:-1g} inactive=${CACHE_INACTIVE_TIME:-60d} keys_zone=cache:${CACHE_KEYS_ZONE:-15m} use_temp_path=off manager_threshold=${CACHE_MANAGER_THRESHOLD:-1000ms} manager_sleep=${CACHE_MANAGER_SLEEP:-250ms} manager_files=${CACHE_MANAGER_FILES:-100} loader_files=${CACHE_LOADER_FILES:-100} loader_threshold=${CACHE_LOADER_THRESHOLD:-200ms} loader_sleep=${CACHE_LOADER_SLEEP:-50ms};" > /etc/nginx/conf.d/cache_max_size.conf
 
 if [[ "a${SLOW_TIER_ENABLED}" == "atrue" ]]; then
     {

diff --git a/nginx.conf b/nginx.conf
@@ -19,7 +19,7 @@ http {
     default_type  application/octet-stream;
     aio threads;
     aio_write on;
-    sendfile        on;
+    sendfile  on;
 
     # Include nginx timeout configs
     include       /etc/nginx/nginx.timeouts.config.conf;