diff --git a/pica-nginx-ldap/Dockerfile b/pica-nginx-ldap/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..ffbcdf84deb42800361048b76a3749c814c80494
--- /dev/null
+++ b/pica-nginx-ldap/Dockerfile
@@ -0,0 +1,34 @@
+FROM debian:bullseye
+ARG NGINX_VERSION=1.21.4
+LABEL maintainer picasoft@assos.utc.fr
+
+# Install prerequisites
+RUN apt-get update && \
+ apt-get install -y build-essential git-core libpcre3-dev libldap2-dev libssl-dev wget zlib1g zlib1g-dev
+
+# Download LDAP module
+RUN git clone https://github.com/kvspb/nginx-auth-ldap.git /nginx-auth-ldap
+
+# Download and build NGINX with LDAP module
+RUN wget -O nginx.tar.gz http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && \
+ tar xvf nginx.tar.gz && \
+ cd nginx-${NGINX_VERSION} && \
+ chmod +x configure && \
+ ./configure --user=nginx --group=nginx --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-file-aio --with-http_realip_module --add-module=/nginx-auth-ldap/ --with-ipv6 --with-debug && \
+ make && \
+ make install
+
+COPY ./entrypoint.sh /entrypoint.sh
+COPY ./nginx.conf /etc/nginx/templates/nginx.conf.template
+
+RUN touch /etc/nginx/site.conf
+
+RUN apt-get install -y gettext-base && \
+ chmod +x /entrypoint.sh
+
+RUN useradd nginx
+
+EXPOSE 80
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["nginx"]
diff --git a/pica-nginx-ldap/README.md b/pica-nginx-ldap/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..ce179a1f8c092aa66cf1d6bd56899159ea6b8119
--- /dev/null
+++ b/pica-nginx-ldap/README.md
@@ -0,0 +1,64 @@
+## nginx with LDAP authentication
+
+nginx has a mechanism allowing to use an external service handling authentication requests. For LDAP, the traditionnal way involves running a [ldap-auth](https://github.com/nginxinc/nginx-ldap-auth) daemon. It seemed a bit burdensome to me, even if there is a [Docker image](https://hub.docker.com/r/bitnami/nginx-ldap-auth-daemon/) for the daemon. I think this is because LDAP auth is included in NGINX Plus and a bit tricky to integrate with free pre-built packages.
+
+There is an unofficial nginx module, [nginx-auth-ldap](https://github.com/kvspb/nginx-auth-ldap), which works well. We just need to recompile nginx with it, and voilà .
+
+This is the purpose of this repository : make a ready-to-use nginx single image with LDAP auth.
+
+## Sample usage with Compose
+
+```yaml
+version: '3.8'
+
+services:
+ nginx_ldap:
+ image: registry.picasoft.net/pica-nginx-ldap:1.21.4
+ container_name: registry_frontend
+ environment:
+ LDAP_URL: ldaps://ldap.picasoft.net:636
+ LDAP_BASE_DN: dc=picasoft,dc=net
+ LDAP_ANSWER_ATTRIBUTES: cn
+ LDAP_SCOPE_SEARCH: sub
+ LDAP_FILTER: (objectClass=posixAccount)
+ LDAP_BIND_DN: cn=nss,dc=picasoft,dc=net
+ SERVER_NAME: registry.picasoft.net
+ ports:
+ - 8080:80
+ env_file: ./secrets/ldap.secrets
+ restart: unless-stopped
+```
+
+With `LDAP_BIND_PASSWORD=XXX` in `ldap.secrets`.
+
+## Build
+
+```
+docker build -t nginx-ldap .
+```
+
+## LDAP configuration
+
+Via Environments variables :
+
+- `LDAP_URL` → `ldap[s]://<url>:<port>`
+- `LDAP_BASE_DN` → where to start the search
+- `LDAP_ANSWER_ATTRIBUTES` → which attributes to get back, comma-separated.
+- `LDAP_SCOPE_SEARCH` : `base`, `one` or `sub`
+- `LDAP_FILTER` : constrain the search
+- `LDAP_BIND_DN` : user with read access
+- `LDAP_BIND_PASSWORD` : password for the user with read access
+
+See [official docs](https://ldapwiki.com/wiki/LDAP%20URL) for detail.
+
+## Server configuration
+
+Environment variable :
+
+- `SERVER_NAME` : URL of your website.
+
+Mount a file at `/etc/nginx/site.conf`. Every line will be included in the `server {}` section of `nginx.conf`.
+
+Environment variables **won't be** subtituted at startup.
+
+Note that nginx always listen internally on port 80. To change all configuration you can just mount an `nginx.conf` file. The moninal use is pretty standard : act as an authorization proxy or serve a simple single website.
diff --git a/pica-nginx-ldap/entrypoint.sh b/pica-nginx-ldap/entrypoint.sh
new file mode 100644
index 0000000000000000000000000000000000000000..047dafd716acbf260753e161b27c41d11a7acc1c
--- /dev/null
+++ b/pica-nginx-ldap/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Substitute env variables (secrets) in nginx configuration
+envsubst < /etc/nginx/templates/nginx.conf.template > /etc/nginx/nginx.conf
+
+# Execute initial command
+exec $@
diff --git a/pica-nginx-ldap/nginx.conf b/pica-nginx-ldap/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..02b1cfd2cabca68304704287e060d79e193a532e
--- /dev/null
+++ b/pica-nginx-ldap/nginx.conf
@@ -0,0 +1,31 @@
+worker_processes 1;
+daemon off;
+error_log /dev/stdout info;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ access_log /dev/stdout;
+ sendfile on;
+ keepalive_timeout 65;
+
+ ldap_server main {
+ url ${LDAP_URL}/${LDAP_BASE_DN}?${LDAP_ANSWER_ATTRIBUTES}?${LDAP_SCOPE_SEARCH}?${LDAP_FILTER};
+ binddn ${LDAP_BIND_DN};
+ binddn_passwd ${LDAP_BIND_PASSWORD};
+ require valid_user;
+ }
+
+ server {
+ listen 80;
+ server_name ${SERVER_NAME};
+ auth_ldap "Enter LDAP credentials";
+ auth_ldap_servers main;
+
+ include /etc/nginx/site.conf;
+ }
+}
diff --git a/pica-nginx-ldap/secrets/ldap.secrets.example b/pica-nginx-ldap/secrets/ldap.secrets.example
new file mode 100644
index 0000000000000000000000000000000000000000..38b0b9360bbfe2498f619f070e11c2703656233a
--- /dev/null
+++ b/pica-nginx-ldap/secrets/ldap.secrets.example
@@ -0,0 +1 @@
+LDAP_PASSWORD=test
diff --git a/pica-registry/auth.example b/pica-registry/auth.example
deleted file mode 100644
index 93fd9cde491e77394ea8971eaef6b86f0785c7a9..0000000000000000000000000000000000000000
--- a/pica-registry/auth.example
+++ /dev/null
@@ -1 +0,0 @@
-pica:<encrypted_password>
diff --git a/pica-registry/docker-compose.yml b/pica-registry/docker-compose.yml
index 9609cd9a501e31fee0b0e607b4b474f0373cd56e..f2eae1004941752b3772b0f9d83ab4f1caf01084 100644
--- a/pica-registry/docker-compose.yml
+++ b/pica-registry/docker-compose.yml
@@ -3,6 +3,8 @@ version: '3.7'
networks:
proxy:
external: true
+ registry:
+ name: registry
volumes:
registry:
@@ -13,18 +15,35 @@ services:
image: registry:2
container_name: registry
environment:
- REGISTRY_AUTH: htpasswd
- REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
- REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
+ REGISTRY_HTTP_HOST: registry.picasoft.net
networks:
- - proxy
+ - registry
volumes:
- registry:/var/lib/registry
- - ./auth.secrets:/auth/htpasswd
+ restart: unless-stopped
+
+ nginx_ldap:
+ image: registry.picasoft.net/pica-nginx-ldap:1.21.4
+ build: ../pica-nginx-ldap
+ container_name: registry_frontend
+ environment:
+ LDAP_URL: ldaps://ldap.picasoft.net:636
+ LDAP_BASE_DN: dc=picasoft,dc=net
+ LDAP_ANSWER_ATTRIBUTES: cn
+ LDAP_SCOPE_SEARCH: sub
+ LDAP_FILTER: (objectClass=posixAccount)
+ LDAP_BIND_DN: cn=nss,dc=picasoft,dc=net
+ SERVER_NAME: registry.picasoft.net
+ env_file: ./secrets/ldap.secrets
+ volumes:
+ - ./proxy.conf:/etc/nginx/site.conf
labels:
traefik.http.routers.registry.entrypoints: websecure
traefik.http.routers.registry.rule: Host(`registry.picasoft.net`)
- traefik.http.services.registry.loadbalancer.server.port: 5000
+ traefik.http.services.registry.loadbalancer.server.port: 80
traefik.enable: true
+ networks:
+ - registry
+ - proxy
restart: unless-stopped
diff --git a/pica-registry/proxy.conf b/pica-registry/proxy.conf
new file mode 100644
index 0000000000000000000000000000000000000000..447a02c4547bc22d6d0c598d2eccbbc080d8d378
--- /dev/null
+++ b/pica-registry/proxy.conf
@@ -0,0 +1,22 @@
+# disable any limits to avoid HTTP 413 for large image uploads
+client_max_body_size 0;
+
+# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+chunked_transfer_encoding on;
+
+location /v2 {
+ add_header 'Docker-Distribution-Api-Version' 'registry/2.0';
+
+ proxy_pass http://registry:5000;
+ proxy_set_header Host $http_host; # required for docker client's sake
+ proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # Forwarding from Traefik, always https
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_read_timeout 900;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection keep-alive;
+ proxy_request_buffering off;
+ proxy_cache off;
+ proxy_buffering off;
+}
diff --git a/pica-registry/secrets/ldap.secrets.example b/pica-registry/secrets/ldap.secrets.example
new file mode 100644
index 0000000000000000000000000000000000000000..74edc6eaeac147cce51d4841bcfd21f564165b1c
--- /dev/null
+++ b/pica-registry/secrets/ldap.secrets.example
@@ -0,0 +1 @@
+LDAP_BIND_PASSWORD=test