sophie/nuke
1
0
Fork 0
Code Packages 1 Activity Actions

fix(data): add ruleset to explicitly allow Docker / OCI clients (#1253)

Browse source 
* fix(data): add ruleset to explicitly allow Docker / OCI clients

Fixes #1252

This is technically a regression as these clients used to work in Anubis
v1.22.0, however it is allowable to make this opt-in as most websites do not
expect to be serving Docker / OCI registry client traffic.

Signed-off-by: Xe Iaso <me@xeiaso.net>

* Update metadata

check-spelling run (pull_request) for Xe/gh-1252/docker-registry-client-fix

Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>

* test(docker-registry): export the right envvars

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: add simdjson dependency for homebrew node

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: install go/node without homebrew

Signed-off-by: Xe Iaso <me@xeiaso.net>

* test: use right github commit variable

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: remove simdjson dependency

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: install ko with an action

Signed-off-by: Xe Iaso <me@xeiaso.net>

* docs: add OCI registry caveat docs

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
This commit is contained in:
Xe Iaso 2025-11-07 19:17:25 -05:00 committed by GitHub
parent df217d61c8
commit b5ead0a68c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 237 additions and 205 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/actions/spelling/expect.txt vendored
View file

@ -64,6 +64,7 @@ Codespaces
confd confd
connnection connnection
containerbuild containerbuild
containerregistry
coreutils coreutils
Cotoyogi Cotoyogi
Cromite Cromite
@ -341,6 +342,7 @@ Velen
vendored vendored
vhosts vhosts
VKE VKE
vnd
VPS VPS
Vultr Vultr
weblate weblate

37
.github/workflows/docker-pr.yml vendored
View file

@ -2,7 +2,7 @@ name: Docker image builds (pull requests)
on: on:
pull_request: pull_request:
branches: [ "main" ] branches: ["main"]
env: env:
DOCKER_METADATA_SET_OUTPUT_ENV: "true" DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@ -21,29 +21,20 @@ jobs:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Set up Homebrew - name: build essential
uses: Homebrew/actions/setup-homebrew@main
- name: Setup Homebrew cellar cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: |
/home/linuxbrew/.linuxbrew/Cellar
/home/linuxbrew/.linuxbrew/bin
/home/linuxbrew/.linuxbrew/etc
/home/linuxbrew/.linuxbrew/include
/home/linuxbrew/.linuxbrew/lib
/home/linuxbrew/.linuxbrew/opt
/home/linuxbrew/.linuxbrew/sbin
/home/linuxbrew/.linuxbrew/share
/home/linuxbrew/.linuxbrew/var
key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
restore-keys: |
${{ runner.os }}-go-homebrew-cellar-
- name: Install Brew dependencies
run: | run: |
brew bundle sudo apt-get update
sudo apt-get install -y build-essential
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: latest
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: stable
- uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
- name: Docker meta - name: Docker meta
id: meta id: meta

33
.github/workflows/docker.yml vendored
View file

@ -27,33 +27,24 @@ jobs:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: build essential
run: |
sudo apt-get update
sudo apt-get install -y build-essential
- name: Set lowercase image name - name: Set lowercase image name
run: | run: |
echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
- name: Set up Homebrew - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: Homebrew/actions/setup-homebrew@main
- name: Setup Homebrew cellar cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: | node-version: latest
/home/linuxbrew/.linuxbrew/Cellar
/home/linuxbrew/.linuxbrew/bin
/home/linuxbrew/.linuxbrew/etc
/home/linuxbrew/.linuxbrew/include
/home/linuxbrew/.linuxbrew/lib
/home/linuxbrew/.linuxbrew/opt
/home/linuxbrew/.linuxbrew/sbin
/home/linuxbrew/.linuxbrew/share
/home/linuxbrew/.linuxbrew/var
key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
restore-keys: |
${{ runner.os }}-go-homebrew-cellar-
- name: Install Brew dependencies - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
run: | with:
brew bundle go-version: stable
- uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
- name: Log into registry - name: Log into registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

106
.github/workflows/go.yml vendored
View file

@ -2,9 +2,9 @@ name: Go
on: on:
push: push:
branches: [ "main" ] branches: ["main"]
pull_request: pull_request:
branches: [ "main" ] branches: ["main"]
permissions: permissions:
contents: read contents: read
@ -15,77 +15,51 @@ jobs:
#runs-on: alrest-techarohq #runs-on: alrest-techarohq
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
- name: build essential - name: build essential
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y build-essential sudo apt-get install -y build-essential
- name: Set up Homebrew - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: Homebrew/actions/setup-homebrew@main with:
node-version: latest
- name: Setup Homebrew cellar cache - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with:
with: go-version: stable
path: |
/home/linuxbrew/.linuxbrew/Cellar
/home/linuxbrew/.linuxbrew/bin
/home/linuxbrew/.linuxbrew/etc
/home/linuxbrew/.linuxbrew/include
/home/linuxbrew/.linuxbrew/lib
/home/linuxbrew/.linuxbrew/opt
/home/linuxbrew/.linuxbrew/sbin
/home/linuxbrew/.linuxbrew/share
/home/linuxbrew/.linuxbrew/var
key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
restore-keys: |
${{ runner.os }}-go-homebrew-cellar-
- name: Install Brew dependencies - name: Cache playwright binaries
run: | uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
brew bundle id: playwright-cache
with:
path: |
~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
- name: Setup Golang caches - name: install node deps
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 run: |
with: npm ci
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-golang-
- name: Cache playwright binaries - name: install playwright browsers
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 run: |
id: playwright-cache npx --no-install playwright@1.52.0 install --with-deps
with: npx --no-install playwright@1.52.0 run-server --port 9001 &
path: |
~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
- name: install node deps - name: Build
run: | run: npm run build
npm ci
- name: install playwright browsers - name: Test
run: | run: npm run test
npx --no-install playwright@1.52.0 install --with-deps
npx --no-install playwright@1.52.0 run-server --port 9001 &
- name: Build - name: Lint with staticcheck
run: npm run build uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
with:
version: "latest"
- name: Test - name: Govulncheck
run: npm run test run: |
go tool govulncheck ./...
- name: Lint with staticcheck
uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
with:
version: "latest"
- name: Govulncheck
run: |
go tool govulncheck ./...

34
.github/workflows/package-builds-stable.yml vendored
View file

@ -25,39 +25,13 @@ jobs:
sudo apt-get update sudo apt-get update
sudo apt-get install -y build-essential sudo apt-get install -y build-essential
- name: Set up Homebrew - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: Homebrew/actions/setup-homebrew@main
- name: Setup Homebrew cellar cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: | node-version: latest
/home/linuxbrew/.linuxbrew/Cellar
/home/linuxbrew/.linuxbrew/bin
/home/linuxbrew/.linuxbrew/etc
/home/linuxbrew/.linuxbrew/include
/home/linuxbrew/.linuxbrew/lib
/home/linuxbrew/.linuxbrew/opt
/home/linuxbrew/.linuxbrew/sbin
/home/linuxbrew/.linuxbrew/share
/home/linuxbrew/.linuxbrew/var
key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
restore-keys: |
${{ runner.os }}-go-homebrew-cellar-
- name: Install Brew dependencies - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
run: |
brew bundle
- name: Setup Golang caches
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: | go-version: stable
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-golang-
- name: install node deps - name: install node deps
run: | run: |

80
.github/workflows/package-builds-unstable.yml vendored
View file

@ -2,9 +2,9 @@ name: Package builds (unstable)
on: on:
push: push:
branches: [ "main" ] branches: ["main"]
pull_request: pull_request:
branches: [ "main" ] branches: ["main"]
permissions: permissions:
contents: read contents: read
@ -15,60 +15,34 @@ jobs:
#runs-on: alrest-techarohq #runs-on: alrest-techarohq
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
fetch-tags: true fetch-tags: true
fetch-depth: 0 fetch-depth: 0
- name: build essential - name: build essential
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y build-essential sudo apt-get install -y build-essential
- name: Set up Homebrew - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
uses: Homebrew/actions/setup-homebrew@main with:
node-version: latest
- name: Setup Homebrew cellar cache - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with:
with: go-version: stable
path: |
/home/linuxbrew/.linuxbrew/Cellar
/home/linuxbrew/.linuxbrew/bin
/home/linuxbrew/.linuxbrew/etc
/home/linuxbrew/.linuxbrew/include
/home/linuxbrew/.linuxbrew/lib
/home/linuxbrew/.linuxbrew/opt
/home/linuxbrew/.linuxbrew/sbin
/home/linuxbrew/.linuxbrew/share
/home/linuxbrew/.linuxbrew/var
key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
restore-keys: |
${{ runner.os }}-go-homebrew-cellar-
- name: Install Brew dependencies - name: install node deps
run: | run: |
brew bundle npm ci
- name: Setup Golang caches - name: Build Packages
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 run: |
with: go tool yeet
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-golang-
- name: install node deps - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
run: | with:
npm ci name: packages
path: var/*
- name: Build Packages
run: |
go tool yeet
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: packages
path: var/*

1
.github/workflows/smoke-tests.yml vendored
View file

@ -15,6 +15,7 @@ jobs:
matrix: matrix:
test: test:
- default-config-macro - default-config-macro
- docker-registry
- double_slash - double_slash
- forced-language - forced-language
- git-clone - git-clone

25
data/clients/docker-client.yaml Normal file
View file

@ -0,0 +1,25 @@
- name: allow-docker-client
action: ALLOW
expression:
all:
- path.startsWith("/v2/")
- userAgent.contains("docker/")
- userAgent.contains("git-commit/")
- '"Accept" in headers'
- headers["Accept"].contains("vnd.docker.distribution")
- '"Baggage" in headers'
- headers["Baggage"].contains("trigger")
- name: allow-crane-client
action: ALLOW
expression:
all:
- userAgent.contains("crane/")
- userAgent.contains("go-containerregistry/")
- name: allow-docker-distribution-api-client
action: ALLOW
expression:
all:
- '"Docker-Distribution-Api-Version" in headers'
- '!(userAgent.contains("Mozilla"))'

14
docs/docs/CHANGELOG.md
View file

@ -16,6 +16,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Fix `SERVE_ROBOTS_TXT` setting file after the double slash fix broke it. - Fix `SERVE_ROBOTS_TXT` setting file after the double slash fix broke it.
- Remove the default configuration rule to block Tencent cloud. If users see abuse from Tencent cloud IP ranges, please contact abuse@tencent.com and mention that you are using Anubis to protect your services. Please include source IP address, source port, timestamp, target IP address, target port, request headers (including the User-Agent header), and target endpoints/patterns. - Remove the default configuration rule to block Tencent cloud. If users see abuse from Tencent cloud IP ranges, please contact abuse@tencent.com and mention that you are using Anubis to protect your services. Please include source IP address, source port, timestamp, target IP address, target port, request headers (including the User-Agent header), and target endpoints/patterns.
### Potentially breaking changes
#### Docker / OCI registry clients
Anubis v1.23.0 accidentally blocked Docker / OCI registry clients. In order to explicitly allow them, add an import for `(data)/clients/docker-client.yaml`:
```yaml
bots:
- import: (data)/meta/default-config.yaml
- import: (data)/clients/docker-client.yaml
```
This is technically a regression as these clients used to work in Anubis v1.22.0, however it is allowable to make this opt-in as most websites do not expect to be serving Docker / OCI registry client traffic.
## v1.23.0: Lyse Hext ## v1.23.0: Lyse Hext
- Add default tencent cloud DENY rule. - Add default tencent cloud DENY rule.

8
docs/docs/admin/roles/_category_.json Normal file
View file

@ -0,0 +1,8 @@
{
"label": "Server Roles",
"position": 40,
"link": {
"type": "generated-index",
"description": "Various server roles you will need to keep in mind with Anubis."
}
}

10
docs/docs/admin/roles/oci-registry.mdx Normal file
View file

@ -0,0 +1,10 @@
# OCI Registries
If you are serving an OCI registry behind Anubis, you will need to import the `(data)/clients/docker-client.yaml` file in order to make sure that OCI registry clients can download images:
```yaml
bots:
- import: (data)/meta/default-config.yaml
- import: (data)/clients/docker-client.yaml
# ... the rest of your config
```

7
test/docker-registry/anubis.yaml Normal file
View file

@ -0,0 +1,7 @@
bots:
- import: (data)/meta/default-config.yaml
- import: (data)/clients/docker-client.yaml
status_codes:
CHALLENGE: 200
DENY: 403

30
test/docker-registry/docker-compose.yaml Normal file
View file

@ -0,0 +1,30 @@
services:
registry:
image: distribution/distribution:edge
restart: always
relayd:
image: ghcr.io/xe/x/relayd
pull_policy: always
environment:
CERT_DIR: /etc/techaro/pki/registry.local.cetacean.club
CERT_FNAME: cert.pem
KEY_FNAME: key.pem
PROXY_TO: http://anubis:3000
ports:
- 3004:3004
volumes:
- ../pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
anubis:
image: ko.local/anubis
restart: always
environment:
BIND: ":3000"
TARGET: http://registry:5000
POLICY_FNAME: /etc/techaro/anubis.yaml
USE_REMOTE_ADDRESS: "true"
ports:
- 3000
volumes:
- ./anubis.yaml:/etc/techaro/anubis.yaml

29
test/docker-registry/test.sh Executable file
View file

@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -eo pipefail
export VERSION=${GITHUB_SHA}-test
export KO_DOCKER_REPO=ko.local
set -u
source ../lib/lib.sh
build_anubis_ko
function cleanup() {
docker compose down
}
trap cleanup EXIT SIGINT
mint_cert registry.local.cetacean.club
docker compose up -d
backoff-retry skopeo \
--insecure-policy \
copy \
--dest-tls-verify=false \
docker://hello-world \
docker://registry.local.cetacean.club:3004/hello-world

2
test/docker-registry/var/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*
!.gitignore

22
test/git-push/test.sh
View file

@ -2,7 +2,7 @@
set -eo pipefail set -eo pipefail
export VERSION=$GITHUB_COMMIT-test export VERSION=${GITHUB_SHA}-test
export KO_DOCKER_REPO=ko.local export KO_DOCKER_REPO=ko.local
set -u set -u
@ -21,16 +21,16 @@ docker compose up -d
sleep 2 sleep 2
( (
cd var && \ cd var &&
mkdir foo && \ mkdir foo &&
cd foo && \ cd foo &&
git init && \ git init &&
touch README && \ touch README &&
git add . && \ git add . &&
git config user.name "Anubis CI" && \ git config user.name "Anubis CI" &&
git config user.email "social+anubis-ci@techaro.lol" && \ git config user.email "social+anubis-ci@techaro.lol" &&
git commit -sm "initial commit" && \ git commit -sm "initial commit" &&
git push -u http://localhost:3000/git/foo.git master git push -u http://localhost:3000/git/foo.git master
) )
exit 0 exit 0