@thockin
Last active March 21, 2023 11:00
Idea: nginx vanity domain fronting gcr.io
# This is a GCR vanity domain. It aliases our domain to a specific
# bucket in GCR.
# e.g. `docker pull gcr.example.com/foobar` -> gcr.io/my_bucket/foobar
server {
    server_name gcr.example.com;
    listen 80;
    # NOTE: `listen 443 ssl` needs ssl_certificate and ssl_certificate_key
    # to be configured; they are not shown here.
    listen 443 ssl;

    location = /v2/ {
        # If we redirect this, it can detect as unauthorized, but the token
        # auth will go directly to the backend, with the shortened image name
        # in a parameter. Much harder to fix up. We know our GCR is public.
        return 200;
    }

    location / {
        # There may be fancier ways to express this, but it's nice to be
        # obvious. These paths come from:
        # https://docs.docker.com/registry/spec/api/#detail
        rewrite ^/v2/_catalog$ https://gcr.io/v2/_catalog redirect;
        rewrite ^/v2/(.*)/tags/(.*) https://gcr.io/v2/my_bucket/$1/tags/$2 redirect;
        rewrite ^/v2/(.*)/manifests/(.*) https://gcr.io/v2/my_bucket/$1/manifests/$2 redirect;
        rewrite ^/v2/(.*)/blobs/(.*) https://gcr.io/v2/my_bucket/$1/blobs/$2 redirect;
    }
}
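A small offline model of the rewrite rules above, added here as an example and not part of the original gist. It lets you check where a request path is redirected and that every target stays on gcr.io inside the bucket; `resolve`, `stays_in_bucket` and `SAMPLES` are hypothetical names, and the sample paths are constructed.

```python
import re
from urllib.parse import urlsplit

BUCKET = "my_bucket"  # bucket name from the config above

# Same order as the rewrite directives. nginx writes captures as $1/$2,
# Python's re as \1/\2; the patterns are otherwise copied unchanged.
RULES = [
    (r"^/v2/_catalog$", "https://gcr.io/v2/_catalog"),
    (r"^/v2/(.*)/tags/(.*)", rf"https://gcr.io/v2/{BUCKET}/\1/tags/\2"),
    (r"^/v2/(.*)/manifests/(.*)", rf"https://gcr.io/v2/{BUCKET}/\1/manifests/\2"),
    (r"^/v2/(.*)/blobs/(.*)", rf"https://gcr.io/v2/{BUCKET}/\1/blobs/\2"),
]


def resolve(path):
    """Model the server block: return (status, Location) for a request path.

    Assumes `path` is the URI as nginx matches it (already normalized).
    (None, None) means no rule matched and nginx handles the request normally.
    """
    if path == "/v2/":  # location = /v2/ { return 200; }
        return 200, None
    for pattern, replacement in RULES:
        match = re.search(pattern, path)
        if match:  # the `redirect` flag answers 302 at the first matching rule
            return 302, match.expand(replacement)
    return None, None


def stays_in_bucket(location):
    """True if a redirect target is gcr.io's catalog or inside BUCKET."""
    url = urlsplit(location)
    return (url.scheme, url.netloc) == ("https", "gcr.io") and (
        url.path == "/v2/_catalog" or url.path.startswith(f"/v2/{BUCKET}/")
    )


# Constructed sample paths (image names and the digest are made up).
SAMPLES = [
    "/v2/foobar/manifests/latest",
    "/v2/team/app/tags/list",
    "/v2/proj/tags/app/manifests/latest",  # "tags" inside the image name
    "/v2/foobar/blobs/sha256:abc",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", resolve(p))
```

Because each rule only inserts the bucket after `/v2/`, a name that happens to contain `/tags/` is caught by the earlier rule but still lands on the same target the manifests rule would produce.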