diff --git a/roles/fedora-web/candidate-registry/files/passwd b/roles/fedora-web/candidate-registry/files/passwd
new file mode 100644
index 0000000000..4979d2dcf6
--- /dev/null
+++ b/roles/fedora-web/candidate-registry/files/passwd
@@ -0,0 +1 @@
+/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerbuild/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA
diff --git a/roles/fedora-web/candidate-registry/tasks/main.yml b/roles/fedora-web/candidate-registry/tasks/main.yml
new file mode 100644
index 0000000000..0c66247d4e
--- /dev/null
+++ b/roles/fedora-web/candidate-registry/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Copy over the Fedora Server CA cert
+ copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/pki/httpd/fedora-server-ca.cert
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/candidate-registry
+
+- name: Copy over the registry passwd
+ copy: src=passwd dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ tags:
+ - fedora-web
+ - fedora-web/candidate-registry
diff --git a/roles/fedora-web/registry/files/passwd b/roles/fedora-web/registry/files/passwd
index 4979d2dcf6..e69de29bb2 100644
--- a/roles/fedora-web/registry/files/passwd
+++ b/roles/fedora-web/registry/files/passwd
@@ -1 +0,0 @@
-/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerbuild/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
new file mode 100644
index 0000000000..d2c0cd650b
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
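Review bot: The new candidate-registry/files/passwd gives no hint that its single line is the entire write-access list for the candidate registry. The value after the colon is the fixed hash that mod_ssl's FakeBasicAuth requires on every entry (the crypt of the word `password`), so it is not a secret; access is granted solely by the subject DN in front of it, verified against the CA configured in the vhost. A leading comment such as `# FakeBasicAuth user file: one client-certificate subject DN per line; each line grants registry write access` would make that explicit for the next editor (mod_authn_file skips lines starting with `#`). The same commit empties roles/fedora-web/registry/files/passwd rather than deleting it; if the registry role still deploys that file, its `Require valid-user` rules would match nobody, which is worth confirming as intended.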
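Review bot: The "Copy over the registry passwd" task in tasks/main.yml assumes /etc/httpd/conf.d/candidate-registry.fedoraproject.org/ already exists, and nothing in this role creates it. `copy` does not create a missing parent directory for a single file, so on a host where the role that owns the vhost directory has not run first, the play stops here and the proxy is left without its user file. If the playbook guarantees that ordering, a comment naming the role that creates the directory would be enough; otherwise a task such as `- file: path=/etc/httpd/conf.d/candidate-registry.fedoraproject.org state=directory owner=root group=root mode=0755` ahead of the copy removes the dependency.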
@@ -0,0 +1,32 @@
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+ProxyPreserveHost On
+
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
+
+SSLVerifyClient optional
+SSLVerifyDepth 1
+SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLOptions +FakeBasicAuth
+
+
+
+ Order deny,allow
+ Allow from all
+ AuthName "Registry Authentication"
+ AuthType Basic
+ AuthUserFile /etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+
+ # Anyone can read
+
+ Require all granted
+
+
+ # Write access to docker-deployer only
+
+ Require valid-user
+
+
+
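Review bot: The access rules mix the 2.2-style `Order deny,allow` / `Allow from all` with 2.4-style `Require` lines, which only works with mod_access_compat loaded and makes the effective policy harder to reason about. Assuming these proxies run httpd 2.4, as `Require all granted` implies, the two old-style lines can simply be dropped. The container tags around the two `Require` lines are not visible in this rendering, so the method scoping cannot be checked here. If they are `<Limit>` sections, any method listed in neither is not covered by either rule, whereas a `<LimitExcept GET HEAD>` section holding `Require valid-user` would make every other method fail closed. The comment says write access is for docker-deployer, but the only DN in the passwd file added by this commit has CN=containerbuild, so the comment should name the identity that is actually listed.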