# Docker registry proxy for api version 2

upstream docker-registry-v2 {
  server registryv2:5000;
}

# No client auth or TLS
server {
  listen 5000;
  server_name localhost;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }
    
    include               docker-registry-v2.conf;
  }
}

# No client auth or TLS (V2 Only)
server {
  listen 5002;
  server_name localhost;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location / {
    include               docker-registry-v2.conf;
  }
}

# TLS Configuration chart
# Username/Password: testuser/passpassword
#      | ca  | client | basic | notes
# 5440 | yes | no     | no    | Tests CA certificate
# 5441 | yes | no     | yes   | Tests basic auth over TLS
# 5442 | yes | yes    | no    | Tests client auth with client CA
# 5443 | yes | yes    | no    | Tests client auth without client CA
# 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
# 5445 | no  | no     | no    | Tests insecure using TLS
# 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
# 5447 | no  | yes    | no    | Tests client auth to insecure
# 5448 | yes | no     | no    | Bad SSL version

server {
  listen 5440;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
  include registry-noauth.conf;
}

server {
  listen 5441;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
  include registry-basic.conf;
}

server {
  listen 5442;
  listen 5443;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-noauth.conf;
}

server {
  listen 5444;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-basic.conf;
}

server {
  listen 5445;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
  include registry-noauth.conf;
}

server {
  listen 5446;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
  include registry-basic.conf;
}

server {
  listen 5447;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-noauth.conf;
}

server {
  listen 5448;
  server_name localhost;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
  ssl_protocols       SSLv3;
  include registry-noauth.conf;
}

# Add configuration for localregistry server_name
# Requires configuring /etc/hosts to use
# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
# Docker secure/insecure registry features
server {
  listen 5440;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
  include registry-noauth.conf;
}

server {
  listen 5441;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
  include registry-basic.conf;
}

server {
  listen 5442;
  listen 5443;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-noauth.conf;
}

server {
  listen 5444;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-basic.conf;
}

server {
  listen 5445;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
  include registry-noauth.conf;
}

server {
  listen 5446;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
  include registry-basic.conf;
}

server {
  listen 5447;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
  ssl_verify_client on;
  include registry-noauth.conf;
}

server {
  listen 5448;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
  ssl_protocols       SSLv3;
  include registry-noauth.conf;
}


# V1 search test
# Registry configured with token auth and no tls
# TLS termination done by nginx, search results
# served by nginx

upstream docker-registry-v2-oauth {
  server registryv2tokenoauthnotls:5000;
}

server {
  listen 5600;
  server_name localregistry;
  ssl on;
  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;

  root /var/www/html;

  client_max_body_size 0;
  chunked_transfer_encoding on;
  location /v2/ {
    proxy_buffering off;
    proxy_pass                          http://docker-registry-v2-oauth;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }

  location /v1/search {
    if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
	return 401;
    }
    try_files /v1/search.json =404;
    add_header Content-Type application/json;
  }
}