Running a Docker registry proxy that is only accessible from specific reverse-proxy hosts or subnets

Since the Docker registry consumes a lot of data and may be rate-limited in the future, you might run your own proxy, but you should secure it properly.

Example docker-compose.yml:

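# Compose stack for a pull-through Docker registry cache fronted by an Apache
# container that enforces the IP/host allow-list. Only the Apache container
# joins the external nginx-proxy network; the registry itself is reachable
# solely on the internal "dockerproxy" network.
version: '3'

services:
  dockerproxy:
    build: .
    # ${APP_URL} doubles as container and host name, so it must be a bare
    # hostname (no scheme, port or path) — TODO confirm how .env defines it.
    container_name: ${APP_URL}
    hostname: ${APP_URL}
    restart: unless-stopped
    networks:
      - default
      - dockerproxy
    volumes:
      # Apache vhost holding the allow-list and the ProxyPass to the registry.
      - ./apache-block.conf:/etc/apache2/conf.d/apache-block.conf
    ports:
      # Quoted so the mapping is always read as a string. NOTE(review): publishing
      # on every host interface bypasses nginx-proxy; bind to loopback
      # ("127.0.0.1:5000:80") or drop the mapping if access is meant to come only
      # through the reverse proxy.
      - "5000:80"
    environment:
      # Read by nginx-proxy and its Let's Encrypt companion on the default network.
      - LETSENCRYPT_EMAIL=${MAIL_ADMINISTRATOR}
      - LETSENCRYPT_HOST=${APP_URL}
      - VIRTUAL_HOST=${APP_URL}
      - VIRTUAL_PORT=80
      - VIRTUAL_PROTO=http

  dockerproxyregistry:
    # Pinned tag. Author's note: switch to the floating "registry:2" tag below
    # once no client sends /v1/ requests anymore.
    image: registry:2.6.2
    # image: registry:2
    container_name: dockerregistryproxy
    hostname: dockerregistryproxy
    restart: unless-stopped
    networks:
      - dockerproxy
    volumes:
      # Persistent cache of upstream manifests and blobs.
      - /storage_global/machine.hq.mydomain.systems/dockerproxy:/var/lib/registry
    environment:
      # Passed through from the host environment; the stock registry image does
      # not use these — presumably leftovers from a custom build. TODO confirm.
      - GITURL
      - GITNAME
      - GITEMAIL
      - BASICUSER
      - BASICPASS
      # Pull-through cache settings. The upstream credentials come from .env,
      # which must stay out of version control.
      - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
      - REGISTRY_PROXY_USERNAME=${UPSTREAM_USER}
      - REGISTRY_PROXY_PASSWORD=${UPSTREAM_PASS}
      # Per the registry documentation a random secret is generated at startup
      # when this is omitted; set a fixed one when running several instances.
      # - REGISTRY_HTTP_SECRET=${HTTPSECRET}

networks:
  # Internal network shared only by the two services above.
  dockerproxy: {}
  # The default network is the pre-existing nginx-proxy network.
  default:
    external:
      name: nginx-proxy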

Example Dockerfile:

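# Minimal Apache reverse proxy that enforces the allow-list in apache-block.conf
# in front of the registry container.
# NOTE(review): "alpine" is a floating tag; pin a specific release for
# reproducible builds.
FROM alpine
# apache2-proxy provides mod_proxy/mod_proxy_http; --no-cache keeps the apk index
# out of the image layer. The sed enables mod_remoteip so X-Real-IP from the
# trusted reverse proxy becomes the client address that "Require ip" evaluates.
RUN apk add --no-cache apache2 apache2-proxy bash \
    && sed -i 's/#LoadModule remoteip_module/LoadModule remoteip_module/g' /etc/apache2/httpd.conf
EXPOSE 80
# Exec form so httpd runs as PID 1 and receives SIGTERM directly on "docker stop".
CMD ["/usr/sbin/httpd", "-DFOREGROUND"]
# Debug alternative kept from the original:
# CMD /bin/bash -c "which apachectl ;which apache ;which apache2 ;sleep 6000"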

Example apache-block.conf:

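# Single catch-all vhost: enforce the allow-list, then reverse-proxy everything
# to the registry container on the internal "dockerproxy" network.
<VirtualHost *:80 >
    ServerName _default
    ServerAlias "*"
    # Take the real client address from X-Real-IP, but only when the TCP peer is
    # listed in RemoteIPTrustedProxy; otherwise the header is ignored and the
    # peer address itself is what "Require ip" sees.
    #RemoteIPHeader X-Forwarded-For
    #RemoteIPHeader X-Client-IP
    RemoteIPHeader X-Real-IP
    #RemoteIPHeader X-Forwarded-For
    # NOTE(review): 172.0.0.0 without a prefix length is a single address, not
    # the Docker bridge range; if the nginx-proxy container's address is meant,
    # a CIDR such as 172.16.0.0/12 is needed — confirm with "docker network inspect".
    RemoteIPTrustedProxy 172.0.0.0 192.168.178.52
    ErrorDocument 403 "You are not in my Friend list 403"
    ErrorDocument 401 "Unauthorized 401"
    ErrorDocument 404 "Not Found 404"

    # Effective access control for proxied requests: Location matches the URL,
    # so it applies to ProxyPass'd content. Multiple Require lines inside a
    # Location default to RequireAny — any single match grants access.
    <Location />
        Require ip 127.0.0.0/8 192.168.0.0/16 10.12.13.14 10.1.2.1
        Require local
        # Host rules cost a double-reverse DNS lookup per request.
        # NOTE(review): "nginx.nginx-proxy" is the reverse proxy's own name; if
        # RemoteIP does not substitute the client address (peer not trusted above)
        # the peer IS that container and this entry admits everything it forwards.
        Require host .mydomain.eu .yourdomain.de .yourdomain.systems .uptimerobot.com nginx.nginx-proxy
        Require forward-dns myhosta.mydomain.eu myhostb.mydomain.eu
    </Location>
    # Legacy mod_access_compat rules, kept verbatim. NOTE(review): Directory
    # sections match filesystem paths and are not expected to apply to proxied
    # requests; "Allow from" documents partial IPs (e.g. "192.168") and CIDR, not
    # "*" wildcards, so the wildcard entries may never match; and 172.15.0.0/16
    # is not a private range. Verify before relying on this block.
    <Directory />
        <Limit GET POST PUT HEAD>
            Order deny,allow
            Deny from all
            Allow from localhost
            Allow from 24.134.39.209
            Allow from 37.120.175.232
            Allow from *.mydomain.eu
            Allow from *.yourdomain.de
            Allow from *.yourdomain.systems
            Allow from 192.168.*.*
            Allow from 172.15.*.*
            Allow from 172.16.*.*
            Allow from 172.17.*.*
            Allow from 172.18.*.*
            Allow from 172.19.*.*
            Allow from 172.2*.*.*
            Allow from 127.*.*.*
        </Limit>
    </Directory>

    ErrorLog /dev/stderr
    CustomLog /dev/stdout common
    # Inner quotes must be backslash-escaped: LogFormat takes one or two
    # arguments, and the unescaped form splits into more and fails config
    # parsing. The SetEnvIf dots are escaped as in the standard snippet so they
    # match literal dots of an address.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    # File logs are written in addition to the stdout/stderr logs above; the
    # path is relative to ServerRoot.
    CustomLog "logs/access_log" combined env=!forwarded
    CustomLog "logs/access_log" proxy env=forwarded
    # NOTE(review): "Header" sets response headers; rewriting the Host sent
    # upstream would need RequestHeader (ProxyPreserveHost below already forwards
    # the client's Host). Both directives require mod_headers.
    Header set Host "dockerproxy.hq.kosmoskosmos.systems"
    Header set "Docker-Distribution-Api-Version" "registry/2.0"
    RequestHeader set X-Forwarded-Proto "https"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests off
    ProxyPreserveHost on

    ProxyPass           /       http://dockerregistryproxy:5000/
    ProxyPassReverse    /       http://dockerregistryproxy:5000/

    # Optional basic-auth gate kept from the original (disabled):
    #    <Location /registry>
    #        Order deny,allow
    #        Allow from all

    #        AuthName "Registry Authentication"
    #        AuthType basic
    #        AuthUserFile "/auth/htpasswd"
    #        Require valid-user
    #    </Location>
</VirtualHost>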
Licensed under CC BY-NC-SA 4.0