#
# Sample Apache 2.x configuration where : 
#
# http://registry.example.com proxify Docker Registry 1.0 in Mirror mode
# https://registry.example.com proxify Docker Registry 1.0 or 2.0 in Hosting mode
#
# 3 Docker containers should be started 
#
# Docker Registry 1.0 in Mirror mode : port 5000
# Docker Registry 1.0 in Hosting mode : port 5001
# Docker Registry 2.0 in Hosting mode : port 5002
#
# For Hosting mode :
# 
# users should have account (valid-user) to be able to fetch images
# only users using account docker-deployer will be allowed to push images

<VirtualHost *:80>
         
  ServerName registry.example.com
  ServerAlias www.registry.example.com

  ProxyRequests     off
  ProxyPreserveHost on

  # no proxy for /error/ (Apache HTTPd errors messages)
  ProxyPass /error/ !

  ProxyPass        /_ping http://localhost:5001/_ping
  ProxyPassReverse /_ping http://localhost:5001/_ping

  ProxyPass        /v1 http://localhost:5001/v1
  ProxyPassReverse /v1 http://localhost:5001/v1

  # Logs
  ErrorLog ${APACHE_LOG_DIR}/mirror_error_log
  CustomLog ${APACHE_LOG_DIR}/mirror_access_log combined env=!dontlog

</VirtualHost>


<VirtualHost *:443>

  ServerName registry.example.com
  ServerAlias www.registry.example.com

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/registry.example.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/registry.example.com.key

  # Higher Strength SSL Ciphers
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 
  SSLCipherSuite RC4-SHA:HIGH
  SSLHonorCipherOrder on

  # Logs
  ErrorLog ${APACHE_LOG_DIR}/registry_error_ssl_log
  CustomLog ${APACHE_LOG_DIR}/registry_access_ssl_log combined env=!dontlog

  Header set Host "registry.example.com"
  Header set "Docker-Distribution-Api-Version" "registry/2.0"
  RequestHeader set X-Forwarded-Proto "https"

  ProxyRequests     off
  ProxyPreserveHost on

  # no proxy for /error/ (Apache HTTPd errors messages)
  ProxyPass /error/ !

  #
  # Registry v1
  #

  ProxyPass        /v1 http://localhost:5000/v1
  ProxyPassReverse /v1 http://localhost:5000/v1

  ProxyPass        /_ping http://localhost:5000/_ping
  ProxyPassReverse /_ping http://localhost:5000/_ping

  # Authentication require for push
  <Location /v1>
    Order deny,allow
    Allow from all
    AuthName "Registry Authentication"
    AuthType basic
    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"

    # Read access to authentified users
    <Limit GET HEAD>
      Require valid-user
    </Limit>

    # Write access to docker-deployer account only
    <Limit POST PUT DELETE>
      Require user docker-deployer
    </Limit>

  </Location>

  # Allow ping to run unauthenticated.
  <Location /v1/_ping>
    Satisfy any
    Allow from all
  </Location>

  # Allow ping to run unauthenticated.
  <Location /_ping>
    Satisfy any
    Allow from all
  </Location>

  #
  # Registry v2
  #

  ProxyPass        /v2 http://localhost:5002/v2
  ProxyPassReverse /v2 http://localhost:5002/v2

  <Location /v2>
    Order deny,allow
    Allow from all
    AuthName "Registry Authentication"
    AuthType basic
    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"

    # Read access to authentified users
    <Limit GET HEAD>
      Require valid-user
    </Limit>

    # Write access to docker-deployer only
    <Limit POST PUT DELETE>
      Require user docker-deployer
    </Limit>

  </Location>


</VirtualHost>