fix(security): require configurable secret for X-Special-Auth docker registry bypass
Replace hardcoded "docker-registry" check with a configurable secret via DOCKER_REGISTRY_SECRET env var. When the env var is unset, the anonymous docker registry bypass is disabled entirely, closing the unauthenticated access path if the service is accidentally exposed directly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
2a9eec233a
commit
7b568607a6
2 changed files with 8 additions and 1 deletions
2
login.go
2
login.go
|
|
@ -108,7 +108,7 @@ func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
return
|
||||
}
|
||||
} else if v := r.Header.Get("X-Special-Auth"); v == "docker-registry" {
|
||||
} else if dockerRegistrySecret != "" && r.Header.Get("X-Special-Auth") == dockerRegistrySecret {
|
||||
method := r.Header.Get("X-Original-Method")
|
||||
uri := r.Header.Get("X-Original-URI")
|
||||
|
||||
|
|
|
|||
7
main.go
7
main.go
|
|
@ -19,6 +19,10 @@ import (
|
|||
|
||||
var myPublicURL = "https://ldap.nemunai.re"
|
||||
|
||||
// dockerRegistrySecret is required for X-Special-Auth anonymous access.
|
||||
// If empty, the feature is disabled.
|
||||
var dockerRegistrySecret string
|
||||
|
||||
var myLDAP = LDAP{
|
||||
Host: "localhost",
|
||||
Port: 389,
|
||||
|
|
@ -164,6 +168,9 @@ func main() {
|
|||
if val, ok := os.LookupEnv("PUBLIC_URL"); ok {
|
||||
myPublicURL = val
|
||||
}
|
||||
if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
|
||||
dockerRegistrySecret = val
|
||||
}
|
||||
|
||||
if flag.NArg() > 0 {
|
||||
switch flag.Arg(0) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue