fix(proxy): enable https

Author: mickael-garrido

.markdownlint.yaml

@@ -0,0 +1,6 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Line length
+MD013:
+  line_length: 200

README.md

@@ -1,15 +1,20 @@
-# Build with bake
+# Docker registry proxy
+
+## Build with bake
+
 ```bash
 docker buildx bake --file docker-bake.hcl
 ```
 
-# Create .env file
+## Create .env file
+
 ```bash
 cp .env.sample .env
 vim .env
 ```
 
-# Run with docker
+## Run with docker
+
 ```bash
 docker run --name openresty_docker_registry_proxy \
   --rm -it \
@@ -20,28 +25,33 @@ docker run --name openresty_docker_registry_proxy \
   docker-registry-proxy-cache:latest
 ```
 
-# Run with docker compose
+## Run with docker compose
+
 ```bash
 docker compose up
 ```
 
 The `HTPASSWD` environment variable activates basic authentication. In this example, we define two users:
-* user1:user1
-* user2:user2
+
+* user1:password1
+* user2:password2
 
 The `HTPASSWD_DELIMITER` environment variable can be used to specify a custom delimiter. By default, a `space` is used.
 
 By default, `generate-certificate.sh` generates a self-signed certificate. You can override this by mounting a volume with your own certificates at `/certs`.
+
 * server.crt
 * server.key
+* proxy_server.crt
+* proxy_server.key
+
+## Configure docker to use a proxy
 
-# Configure docker to use a proxy
 ```json
 {
   ...
   "proxies": {
-    "http-proxy": "http://user1:[email protected]:3128",
-    "https-proxy": "http://user1:[email protected]:3128"
+    "https-proxy": "https://user1:[email protected]:3128"
   },
   "insecure-registries" : ["own-registry.sample.com:443"]
 }

generate-certificate.sh

@@ -8,3 +8,12 @@ if [ ! -f /certs/server.crt ]; then
     -subj "/C=FR/ST=Grand-Est/L=Strasbourg/O=Scalingo/OU=IT Department/CN=scalingo.com"
   openssl x509 -req -days 365 -in /certs/server.csr -signkey /certs/server.key -out /certs/server.crt
 fi
+
+if [ ! -f /certs/proxy_server.crt ]; then
+  openssl genrsa -des3 -passout pass:x -out /certs/proxy_server.pass.key 2048
+  openssl rsa -passin pass:x -in /certs/proxy_server.pass.key -out /certs/proxy_server.key
+  rm /certs/proxy_server.pass.key
+  openssl req -new -key /certs/proxy_server.key -out /certs/proxy_server.csr \
+    -subj "/C=FR/ST=Grand-Est/L=Strasbourg/O=Scalingo/OU=IT Department/CN=scalingo.com"
+  openssl x509 -req -days 365 -in /certs/proxy_server.csr -signkey /certs/proxy_server.key -out /certs/proxy_server.crt
+fi

nginx.conf

@@ -151,8 +151,7 @@ http {
 
     # The proxy director layer, listens on 3128
     server {
-        listen 3128;
-        listen [::]:3128;
+        listen 3128 ssl;
         server_name proxy_director_;
 
         # dont log the CONNECT proxy.
@@ -162,6 +161,9 @@ http {
 
         include /opt/openresty/nginx/conf/htpasswd.conf;
 
+        ssl_certificate /certs/proxy_server.crt;
+        ssl_certificate_key /certs/proxy_server.key;
+
         proxy_connect;
         proxy_connect_allow all;
         proxy_connect_address $interceptedHost;
@@ -182,8 +184,7 @@ http {
     # The caching layer
     server {
         # Listen on both 8080 and 8443, for all hostnames.
-        listen 8080 default_server;
-        include /opt/openresty/nginx/conf/caching.layer.listen;
+        listen 8443 ssl default_server;
         server_name proxy_caching_;
 
         # Do some tweaked logging.