fix(data): add ruleset to explicitly allow Docker / OCI clients (#1253)

* fix(data): add ruleset to explicitly allow Docker / OCI clients Fixes #1252 This is technically a regression as these clients used to work in Anubis v1.22.0, however it is allowable to make this opt-in as most websites do not expect to be serving Docker / OCI registry client traffic. Signed-off-by: Xe Iaso <me@xeiaso.net> * Update metadata check-spelling run (pull_request) for Xe/gh-1252/docker-registry-client-fix Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev> * test(docker-registry): export the right envvars Signed-off-by: Xe Iaso <me@xeiaso.net> * ci: add simdjson dependency for homebrew node Signed-off-by: Xe Iaso <me@xeiaso.net> * ci: install go/node without homebrew Signed-off-by: Xe Iaso <me@xeiaso.net> * test: use right github commit variable Signed-off-by: Xe Iaso <me@xeiaso.net> * ci: remove simdjson dependency Signed-off-by: Xe Iaso <me@xeiaso.net> * ci: install ko with an action Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: add OCI registry caveat docs Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
2025-11-07 19:17:25 -05:00 · 2025-11-07 19:17:25 -05:00 · b5ead0a68c
commit b5ead0a68c
parent df217d61c8
16 changed files with 237 additions and 205 deletions
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -16,6 +16,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix `SERVE_ROBOTS_TXT` setting file after the double slash fix broke it.
 - Remove the default configuration rule to block Tencent cloud. If users see abuse from Tencent cloud IP ranges, please contact abuse@tencent.com and mention that you are using Anubis to protect your services. Please include source IP address, source port, timestamp, target IP address, target port, request headers (including the User-Agent header), and target endpoints/patterns.

+### Potentially breaking changes
+
+#### Docker / OCI registry clients
+
+Anubis v1.23.0 accidentally blocked Docker / OCI registry clients. In order to explicitly allow them, add an import for `(data)/clients/docker-client.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+```
+
+This is technically a regression as these clients used to work in Anubis v1.22.0, however it is allowable to make this opt-in as most websites do not expect to be serving Docker / OCI registry client traffic.
+
 ## v1.23.0: Lyse Hext

 - Add default tencent cloud DENY rule.
--- a/docs/docs/admin/roles/_category_.json
+++ b/docs/docs/admin/roles/_category_.json
@ -0,0 +1,8 @@
+{
+  "label": "Server Roles",
+  "position": 40,
+  "link": {
+    "type": "generated-index",
+    "description": "Various server roles you will need to keep in mind with Anubis."
+  }
+}
--- a/docs/docs/admin/roles/oci-registry.mdx
+++ b/docs/docs/admin/roles/oci-registry.mdx
@ -0,0 +1,10 @@
+# OCI Registries
+
+If you are serving an OCI registry behind Anubis, you will need to import the `(data)/clients/docker-client.yaml` file in order to make sure that OCI registry clients can download images:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+# ... the rest of your config
+```