diff --git a/roles/docker-distribution-proxy/defaults/main.yml b/roles/docker-distribution-proxy/defaults/main.yml
index d983dc1bde..47001f6f26 100644
--- a/roles/docker-distribution-proxy/defaults/main.yml
+++ b/roles/docker-distribution-proxy/defaults/main.yml
@@ -3,7 +3,7 @@
 # servername: "registry.example.com"
 ssl:
- destdir: "/etc/pki/docker-registry/"
+ destdir: "/etc/pki/docker-registry"
 certfile_src: "ssl.cert"
 certfile_dest: "ssl.cert"
 keyfile_src: "ssl.key"
@@ -12,8 +12,12 @@ ssl:
 auth:
 type: basic
 basic:
- dest_dir:
- userfile_src: /etc/httpd/users.htpasswd
- userfile_dest: /etc/httpd/users.htpasswd
+ dest_dir: "/etc/httpd"
+ userfile_src: users.htpasswd
+ userfile_dest: users.htpasswd
+ ssl:
+ dest_dir: "/etc/pki/docker-registry"
+ authca_dest: "/etc/pki/docker-registry/authca.cert"
+
diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml
index 6c9a2a19bb..989573dc44 100644
--- a/roles/docker-distribution-proxy/tasks/main.yml
+++ b/roles/docker-distribution-proxy/tasks/main.yml
@@ -37,6 +37,18 @@
 dest: "{{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}"
 when: auth.type == "basic"
+- name: ensure ssl auth dest dir exists
+ file:
+ path: "{{ auth.ssl.destdir }}"
+ state: directory
+ when: auth.type == "ssl"
+
+- name: place authca file
+ copy:
+ src: "{{ auth.ssl.authca_src }}"
+ dest: "{{ auth.ssl.destdir }}/{{ auth.ssl.authca_dest }}"
+ when: auth.type == "ssl"
+
 - name: Configure the vhost
 template:
 src: "docker-registry-vhost.conf.j2"
diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
index 0814b67d44..90814fa006 100644
--- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
+++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
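Review bot: The new `auth.basic` and `auth.ssl` maps name their directory key `dest_dir`, but the tasks hunk in this same commit reads `auth.basic.destdir` and `auth.ssl.destdir`, so with default undefined-variable handling both tasks fail on the first run; the top-level `ssl:` map already uses `destdir`, so renaming the two new keys to `destdir: "/etc/httpd"` and `destdir: "/etc/pki/docker-registry"` is the smaller fix. The tasks hunk also reads `auth.ssl.authca_src`, which this defaults file never declares, and it builds `{{ auth.ssl.destdir }}/{{ auth.ssl.authca_dest }}` even though `authca_dest` is set here to an absolute path, so the copy would land under `/etc/pki/docker-registry//etc/pki/docker-registry/authca.cert`. Declaring `authca_src: authca.cert` and making `authca_dest: "authca.cert"` a bare filename, as `userfile_dest` now is, keeps the two sections consistent; the template hunk then has to prefix the directory itself, since it currently passes `authca_dest` straight to `SSLCACertificateFile`.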
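Review bot: The `place authca file` copy sets no `mode` and notifies no handler, so a rotated CA certificate is written to disk but httpd keeps validating client certificates against the bundle it loaded at start until something else restarts it; if the role has an httpd restart/reload handler (not visible here), add `notify:` to this task, and pin `mode: "0644"` so the file's permissions do not depend on the controller's umask. The `ensure ssl auth dest dir exists` task likewise leaves the directory mode to defaults, and the defaults file appears to point this directory at the same `/etc/pki/docker-registry` that holds `ssl.key`, so an explicit `mode: "0755"` (or whatever the existing key-placement task uses) is worth stating rather than inheriting. Both tasks reference `auth.ssl.destdir` and `auth.ssl.authca_src`, which the defaults hunk in this commit does not define under those names. The task preceding this hunk starts outside it.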
@@ -39,6 +39,10 @@
 Allow from all
+{% if auth.type == "ssl" %}
+ SSLVerifyClient none
+ SSLCACertificateFile {{ auth.ssl.authca_dest }}
+{% endif %}
 Order deny,allow
 Allow from all
@@ -47,6 +51,10 @@
 AuthType basic
 AuthUserFile {{ auth.basic.userfile_dest }}
 {% endif %}
+{% if auth.type == "ssl" %}
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+{% endif %}
 ## Read access to authentified users
 #
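Review bot: `SSLCACertificateFile` is only accepted in server-config and virtual-host context, not inside a `<Location>`/`<Directory>` container, so if this block sits inside one (as the surrounding `Order`/`Allow from all` lines suggest) httpd will refuse to start with a "not allowed here" error; move `SSLCACertificateFile {{ auth.ssl.authca_dest }}` up to the `<VirtualHost>` level and keep only `SSLVerifyClient none` here. Separately, the directive uses `{{ auth.ssl.authca_dest }}` as an absolute path while the tasks hunk writes the file to `{{ auth.ssl.destdir }}/{{ auth.ssl.authca_dest }}`, so the path Apache loads is not the path Ansible writes and client-certificate verification would fail against a missing CA file; make both sides use the same expression. The enclosing container starts and ends outside the hunk.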
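Review bot: Raising `SSLVerifyClient require` per-location after a vhost/location-level `none` makes httpd renegotiate the TLS session for write requests, and renegotiation is not available under TLS 1.3 and is restricted in newer mod_ssl/OpenSSL builds, so verify on the target httpd version that pushes actually complete (and whether `SSLOptions +OptRenegotiate`, or a vhost-level `SSLVerifyClient optional` combined with an `SSLRequire` check, is needed). With `require` alone any certificate chaining to the CA is enough to write to the registry; if that CA also issues certificates for other purposes, constrain the accepted subject with `SSLRequire` (for example on `SSL_CLIENT_S_DN_O`, value chosen by the operator) so push access is tied to specific identities. The context line `AuthUserFile {{ auth.basic.userfile_dest }}` now receives the bare `users.htpasswd` from the defaults hunk, and Apache resolves a relative `AuthUserFile` against `ServerRoot`, which only works where `ServerRoot` happens to be `/etc/httpd`; `AuthUserFile {{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}` removes that dependency. The enclosing container starts and ends outside the hunk.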