cloudfoundry-community / docker-registry-boshrelease

Run your own private Docker Registry in standalone mode (without requiring the public index) on AWS, OpenStack or vSphere with BOSH
MIT License

Impossible to terminate SSL at Load balancer #48

Open sytz4labs opened 4 years ago

sytz4labs commented 4 years ago

I'm using docker-registry in Cloud Foundry by yml-patching route-registrar into the deployment so the GoRouter terminates SSL and forwards requests to port 80 of the nginx proxy. I also require the basic auth configuration.

The following config template for nginx provides no path to the port 80 listener.

    <% if_p('docker.proxy.ssl.cert') do %>  <----- this would have to be true;
    server {
        server_name proxy_admin;
        <% if_p('docker.proxy.ssl.cert') do %>  <----- but then switch to false to hit the else
            listen <%= p('docker.proxy.address','*') %>:<%= p('docker.proxy.port', '443') %> default_server;
            ssl on;
        <% end.else do %>
            listen <%= p('docker.proxy.address','*') %>:<%= p('docker.proxy.port', '80') %> default_server;
            ssl off;
        <% end %>

jhunt commented 4 years ago

Ah the fabled maybe-boolean-depending-on-the-millisecond type.

This definitely looks like an oversight / bug. Care to PR a fix? My guess is that the outer docker.proxy.ssl.cert check is just too aggressive, and needs to be scaled back. I'd be curious to see what follows the two listen branches.
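Added example, not part of the thread and not the release's code: a Ruby sketch that renders a constructed reduction of the quoted server block, once wrapped in the outer `docker.proxy.ssl.cert` guard as posted and once without it, to show which `listen` directives can actually be emitted. `Ctx`, `Else`, `listeners`, `SERVER` and `AS_POSTED` are hypothetical names, the helpers are a minimal stand-in for BOSH's `p` / `if_p` / `.else`, and dropping the outer guard is only one possible way to scale the check back.

```ruby
require 'erb'

# Stand-in for the BOSH template helpers p / if_p / .else
# (hypothetical minimal re-implementation, not the bosh-template gem).
class Ctx
  # Returned by if_p; its block runs only when the property was unset.
  class Else
    def initialize(run)
      @run = run
    end
    def else
      yield if @run
    end
  end

  def initialize(props)
    @props = props
  end
  def p(name, default = nil)
    @props.fetch(name, default)
  end
  def if_p(name)
    set = @props.key?(name)
    yield if set
    Else.new(!set)
  end
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed reduction of the server block quoted in the issue.
SERVER = <<~'TPL'
  server {
  <% if_p('docker.proxy.ssl.cert') do %>
    listen <%= p('docker.proxy.address', '*') %>:<%= p('docker.proxy.port', '443') %> default_server;
  <% end.else do %>
    listen <%= p('docker.proxy.address', '*') %>:<%= p('docker.proxy.port', '80') %> default_server;
  <% end %>
  }
TPL
# As posted: the same property also guards the whole block.
AS_POSTED = "<% if_p('docker.proxy.ssl.cert') do %>\n#{SERVER}<% end %>\n"

# Returns the address:port of every listen directive that was rendered.
def listeners(template, props)
  Ctx.new(props).render(template).scan(/listen (\S+)/).flatten
end

[{}, { 'docker.proxy.ssl.cert' => 'PEM' }].each do |props|
  puts "cert=#{!props.empty?} posted=#{listeners(AS_POSTED, props)} unguarded=#{listeners(SERVER, props)}"
end
```

With the guard as posted, an unset certificate renders no server block at all, so there is no plain-HTTP listener for an upstream TLS terminator to forward to.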