feat(http_scheme): Allow to force http for some registries

mickael-garrido · mickael-garrido · commit 75cba4f352a4 · 2025-09-25T11:29:46.000+02:00
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -90,6 +90,16 @@ if [[ ${AUTH_REGISTRIES+x} ]]; then
   done
 fi
 
+# Target scheme interception. Used to force the http scheme of a registry host
+echo -n "" >/opt/openresty/nginx/conf/docker.targetScheme.map
+
+if [[ ${FORCE_HTTP_REGISTRIES+x} ]]; then
+  for ONEREGISTRYIN in ${FORCE_HTTP_REGISTRIES}; do
+    ONEREGISTRY=$(echo ${ONEREGISTRYIN} | xargs) # Remove whitespace
+    echo "${ONEREGISTRY} http;" >>/opt/openresty/nginx/conf/docker.targetScheme.map
+  done
+fi
+
 # create default config for the caching layer to listen on 8443.
 echo "        listen 8443 ssl default_server;" >/opt/openresty/nginx/conf/caching.layer.listen
 
diff --git a/nginx.conf b/nginx.conf
@@ -35,15 +35,16 @@ http {
         '"bytes_sent":"$body_bytes_sent",'
         '"host":"$host",'
         '"proxy_host":"$proxy_host",'
-        '"upstream":"$upstream_addr"'
+        '"upstream":"$upstream_addr",'
+        '"scheme_upstream":"$targetScheme",'
         '"upstream_status":"$upstream_status",'
         '"ssl_protocol":"$ssl_protocol",'
         '"connect_host":"$connect_host",'
         '"connect_port":"$connect_port",'
         '"connect_addr":"$connect_addr",'
         '"upstream_http_location":"$upstream_http_location",'
         '"upstream_cache_status":"$upstream_cache_status",'
-        '"http_authorization":"$http_authorization",'
+        '"http_authorization":"$http_authorization"'
       '}';
 
     log_format debug_proxy escape=json
@@ -56,15 +57,16 @@ http {
         '"bytes_sent":"$body_bytes_sent",'
         '"host":"$host",'
         '"proxy_host":"$proxy_host",'
-        '"upstream":"$upstream_addr"'
+        '"upstream":"$upstream_addr",'
+        '"scheme_upstream":"$targetScheme",'
         '"upstream_status":"$upstream_status",'
         '"ssl_protocol":"$ssl_protocol",'
         '"connect_host":"$connect_host",'
         '"connect_port":"$connect_port",'
         '"connect_addr":"$connect_addr",'
         '"upstream_http_location":"$upstream_http_location",'
         '"upstream_cache_status":"$upstream_cache_status",'
-        '"http_authorization":"$http_authorization",'
+        '"http_authorization":"$http_authorization"'
       '}';
 
     log_format tweaked escape=json
@@ -79,7 +81,8 @@ http {
         '"upstream_response_time":"$upstream_response_time",'
         '"host":"$host",'
         '"proxy_host":"$proxy_host",'
-        '"upstream":"$upstream_addr"'
+        '"upstream":"$upstream_addr",'
+        '"scheme_upstream":"$targetScheme"'
       '}';
 
     gzip  off;
@@ -97,6 +100,13 @@ http {
         default $host;
     }
 
+    # A map to force http scheme for some docker registries if needed.
+    map $host $targetScheme {
+        hostnames;
+        include /opt/openresty/nginx/conf/docker.targetScheme.map;
+        default https;
+    }
+
     # A map to enable authentication to some specific docker registries.
     # This is auto-generated by the entrypoint.sh based on environment variables
     map $host $dockerAuth {
@@ -287,7 +297,7 @@ http {
 
         # by default, dont cache anything.
         location / {
-            proxy_pass https://$targetHost;
+            proxy_pass $targetScheme://$targetHost;
             proxy_cache off;
         }
     }
diff --git a/nginx.manifest.common.conf b/nginx.manifest.common.conf
@@ -1,7 +1,7 @@
     # nginx config fragment included in every manifest-related location{} block.
     add_header X-Docker-Registry-Proxy-Cache-Upstream-Status "$upstream_cache_status";
     add_header X-Docker-Registry-Proxy-Cache-Type "$docker_proxy_request_type";
-    proxy_pass https://$targetHost;
+    proxy_pass $targetScheme://$targetHost;
     proxy_cache cache;
     proxy_cache_key   $uri;
     proxy_intercept_errors on;
