From b2f08b8b00e3b3daae5cc863f6a12d0e182fa151 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Tue, 12 Jun 2018 23:21:07 +0200
Subject: [PATCH] Docker client wants to check /v2/.... Allow /v2/ from outside
 but not internally

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 .../templates/reversepassproxy.candidate-registry.conf | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
index a3f7ccf22b..39f9018484 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
@@ -27,7 +27,15 @@ ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
   AuthName "Candidate Registry Authentication"
   AuthType Basic
   AuthUserFile /etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
-  Require valid-user
+
+  <RequireAny>
+    Require valid-user
+    <RequireAll>
+      Require not ip 10.5
+      # This require is because otherwise apache thinks the Require not ip is useless
+      Require method GET
+    </RequireAll>
+  </RequireAny>
 </Location>
 
 # But we allow random pulling by anyone without auth