Что это?
AWS CodeArtifact не позволяет использовать свои репозитории без аутентификации, что может быть неудобно.
Эти скрипты позволяют настроить прокси, который будет автоматически получать, обновлять и подставлять в заголовки запросов свежие токены.
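Таким образом, клиенты могут использовать npm-репозиторий AWS CodeArtifact без аутентификации (вернее, с пустым токеном). Поскольку прокси аутентифицируется вместо клиента, любой, кто может подключиться к его порту, получает к репозиторию тот же доступ, что и учётная запись AWS, от имени которой работает прокси; поэтому доступ к порту прокси следует ограничить доверенной сетью.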
OpenResty Lua-based setup
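# OpenResty site template (rendered with envsubst before OpenResty starts).
# Every request gets a CodeArtifact bearer token attached before it is
# proxied, so clients do not need AWS credentials of their own.
#
# NOTE(security): whoever can reach this listener gets the same access to the
# repository as the AWS identity the proxy runs under. The request method is
# passed through unchanged here, so that includes publishing if the identity
# is allowed to. Restrict who can connect and keep the IAM policy minimal.
server {
    listen $PORT;

    location / {
        access_by_lua_block {
            -- Disabled debug helpers. If enabled they write client headers,
            -- the request body and (further down) the bearer token to the
            -- error log, so keep them off outside local troubleshooting.
            --ngx.log(ngx.ERR, '################ HEADERS BEFORE AUTH #####################');
            --local h = ngx.req.get_headers();
            --for k, v in pairs(h) do
            --  ngx.log(ngx.ERR, k..' - '..v);
            --end
            --ngx.log(ngx.ERR, '### REQUEST BODY ###');
            --ngx.log(ngx.ERR, ngx.req.get_body_data());
            --ngx.log(ngx.ERR, '###################### AUTH #######################');

            -- The command is built only from values substituted at render
            -- time, never from request data. It is declared local so that it
            -- does not become a global shared between requests.
            -- NOTE: io.popen blocks the worker while the AWS CLI runs, and the
            -- CLI is started once per request.
            local command = [[aws codeartifact get-authorization-token --domain ${CODEARTIFACTS_DOMAIN} --domain-owner ${CODEARTIFACTS_OWNER} --query authorizationToken --output text]];
            local handle = io.popen(command);
            if not handle then
                ngx.log(ngx.ERR, 'codeartifact: could not start the aws cli');
                return ngx.exit(ngx.HTTP_BAD_GATEWAY);
            end

            local output = handle:read("*a") or '';
            handle:close();

            -- Strip the trailing newline printed by the CLI.
            local token = output:gsub("%s+$", "");

            -- Fail closed: without a token the upstream call cannot succeed,
            -- so answer here instead of forwarding an empty Bearer header.
            if token == '' then
                ngx.log(ngx.ERR, 'codeartifact: aws cli returned no authorization token');
                return ngx.exit(ngx.HTTP_BAD_GATEWAY);
            end

            --ngx.log(ngx.ERR, 'Token - '..token);
            -- Replaces whatever Authorization header the client sent.
            ngx.req.set_header('authorization', 'Bearer '..token);
            ngx.req.set_header('host', '${BACKEND_HOST}');
            --ngx.log(ngx.ERR, '################ HEADERS BEFORE PROXYPASS #####################');
            --local h = ngx.req.get_headers()
            --for k, v in pairs(h) do
            --  ngx.log(ngx.ERR, k..' - '..v);
            --end
        }

        proxy_redirect off;
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (together with
        # proxy_ssl_trusted_certificate). Consider enabling it so the token
        # is only ever sent to the real backend.
        proxy_pass ${BACKEND_URL}:${BACKEND_PORT};
    }
}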
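version: '3.9'

services:
  # OpenResty proxy that adds the CodeArtifact token to every request.
  npm-proxy:
    restart: always
    image: openresty/openresty:1.21.4.1-alpine-fat
    container_name: proxy
    volumes:
      - ./proxy-conf.template:/etc/nginx/conf.d/proxy-conf.template:ro
    ports:
      # Published on all host interfaces. Clients need no credentials to use
      # the proxy, so bind this to a trusted interface or drop the mapping if
      # only containers on the compose network need access.
      - "8088:8088"
    environment:
      # Must match the domain part of BACKEND_HOST below.
      - CODEARTIFACTS_DOMAIN=artifacts-domain
      - BACKEND_URL=https://artifacts-domain-1234567.d.codeartifact.eu-west-1.amazonaws.com
      - BACKEND_PORT=443
      - BACKEND_HOST=artifacts-domain-1234567.d.codeartifact.eu-west-1.amazonaws.com
      - PORT=8088
    # AWS credentials are not configured in this file; presumably the CLI
    # picks them up from the container's environment - confirm for your setup
    # and scope that identity to the repositories the proxy should serve.
    #
    # Startup: install the AWS CLI, look up the account id used as the domain
    # owner, render the site config from the template, print it, and start
    # OpenResty in the foreground. The account id is read with --query instead
    # of parsing the JSON output with grep/cut.
    command: >
      /bin/bash -c "
      apk add --no-cache aws-cli &&
      export CODEARTIFACTS_OWNER=`aws sts get-caller-identity --query Account --output text` &&
      envsubst < /etc/nginx/conf.d/proxy-conf.template > /etc/nginx/conf.d/default.conf &&
      cat /etc/nginx/conf.d/default.conf &&
      openresty -g 'daemon off;'"

  # Idle Node.js container for trying the proxy from inside the compose network.
  node:
    restart: always
    image: node:18
    container_name: node
    command: >
      /bin/bash -c "sleep infinity"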
проверка
# Smoke test for the proxy. The host name "proxy" is the container name from
# the compose file, so this is presumably run inside the node container.
git clone https://github.com/wix-incubator/empty-package
cd empty-package/

# Point the package at the proxy instead of the public registry
# (first match on each line of package.json).
sed -i 's|https://registry\.npmjs\.org/|http://proxy:8088/npm/anima-npm/|' ./package.json
npm config set registry=http://proxy:8088/npm/anima-npm/

# npm wants some token for the registry; e30= is base64 for '{}' (see the
# commented command below). The real token is added by the proxy.
npm config set //proxy:8088/npm/anima-npm/:_authToken=e30=
#### npm config set //proxy:8088/npm/anima-npm/:_authToken=`echo -n '{}' | base64`
Plain Nginx setup
docker-compose.yml
version: '3.9'

services:
  # Plain nginx proxy; /start.sh fetches the CodeArtifact token, renders the
  # site config from the template and keeps the token refreshed.
  npm-proxy:
    image: ubuntu/nginx:1.18-22.04_edge
    container_name: proxy
    restart: always
    ports:
      # Published on all host interfaces; the proxy asks clients for no
      # credentials, so restrict who can reach this port.
      - "8088:8088"
    volumes:
      - ./npm-proxy-entrypoint.sh:/start.sh:ro
      - ./npm-proxy-conf.template:/etc/nginx/conf.d/npm-proxy-conf.template:ro
    environment:
      SERVER_NAME: npm-proxy.domain.com
      CODEARTIFACTS_DOMAIN: artifacts-domain
      BACKEND_URL: https://artifacts-domain-1234567.d.codeartifact.eu-west-1.amazonaws.com
      BACKEND_PORT: "443"
      BACKEND_HOST: artifacts-domain-1234567.d.codeartifact.eu-west-1.amazonaws.com
      PORT: "8088"
      REGION: eu-west-1
    command: /bin/bash /start.sh
npm-proxy-entrypoint.sh
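#!/bin/bash
# Entrypoint for the plain-nginx proxy container.
#
# Installs the AWS CLI, renders the nginx site config with a CodeArtifact
# authorization token baked in, starts nginx, and then periodically fetches a
# new token, re-renders the config and reloads nginx.
#
# The config is rendered BEFORE nginx starts, so nginx never serves without
# the proxy site and the first reload cannot race the pid file. A failed
# refresh keeps the previous (still valid) config instead of writing an empty
# Bearer header. The token is never echoed.
set -e

CONF_TEMPLATE=/etc/nginx/conf.d/npm-proxy-conf.template
CONF_TARGET=/etc/nginx/conf.d/default.conf
# Only these placeholders are substituted; any other $name in the template
# (for example an nginx runtime variable) is left untouched.
TEMPLATE_VARS='$PORT $SERVER_NAME $BACKEND_HOST $BACKEND_URL $BACKEND_PORT $AUTH_TOKEN'
REFRESH_SECONDS=800
RETRY_SECONDS=60

# Print a fresh CodeArtifact authorization token on stdout.
fetch_token() {
    aws codeartifact get-authorization-token \
        --region "${REGION}" \
        --domain "${CODEARTIFACTS_DOMAIN}" \
        --domain-owner "${CODEARTIFACTS_OWNER}" \
        --query authorizationToken --output text
}

# Render the site config from the template. The rendered file holds the token
# in clear text, so it is created with owner-only permissions and moved into
# place in one step; the temporary name does not end in .conf.
render_config() {
    ( umask 077; envsubst "${TEMPLATE_VARS}" < "${CONF_TEMPLATE}" > "${CONF_TARGET}.tmp" )
    mv -f "${CONF_TARGET}.tmp" "${CONF_TARGET}"
}

echo "Installing AWS CLI..."
# stdout is discarded; stderr is pointed at the original stdout first, so
# error messages still show up in the container log.
apt-get update 2>&1>/dev/null
apt-get install -y awscli 2>&1>/dev/null
echo "AWS CLI Installed!!!"

# Account id of the calling identity, used as the CodeArtifact domain owner.
CODEARTIFACTS_OWNER=$(aws sts get-caller-identity --query Account --output text)
if [ -z "${CODEARTIFACTS_OWNER}" ]; then
    echo "Could not determine the AWS account id" >&2
    exit 1
fi
export CODEARTIFACTS_OWNER

ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log

# First token: without it there is nothing useful to serve, so fail the
# container start and let the restart policy retry.
AUTH_TOKEN=$(fetch_token)
if [ -z "${AUTH_TOKEN}" ]; then
    echo "Could not obtain a CodeArtifact authorization token" >&2
    exit 1
fi
export AUTH_TOKEN
render_config

nginx -g 'daemon off;' &

while true; do
    sleep "${REFRESH_SECONDS}"
    # Keep the running config until a new token has actually been obtained.
    until NEW_TOKEN=$(fetch_token) && [ -n "${NEW_TOKEN}" ]; do
        echo "Token refresh failed, keeping the current token and retrying" >&2
        sleep "${RETRY_SECONDS}"
    done
    export AUTH_TOKEN="${NEW_TOKEN}"
    render_config
    nginx -s reload
done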
npm-proxy-conf.template
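# Site template for the plain-nginx proxy. The entrypoint script renders it
# with envsubst into /etc/nginx/conf.d/default.conf each time the token is
# refreshed.
#
# NOTE(security): the rendered file contains the CodeArtifact bearer token in
# clear text. Keep it readable by root only and do not print it to logs.
# Anyone who can reach this listener can read the repository without
# credentials, so restrict access to the port.
server {
    listen $PORT;
    server_name $SERVER_NAME;
    gzip_static off;
    default_type application/octet-stream;

    location = /health {
        access_log off;
        # Set the type through default_type: "return" already emits a
        # Content-Type header, and add_header would send a second one.
        default_type application/json;
        return 200 '{"status":"UP"}';
    }

    location / {
        # Every upstream request is sent as GET, whatever the client used,
        # which keeps the proxy read-only.
        proxy_method GET;

        # Replace the backend host name with the proxy name in JSON
        # responses, presumably so that URLs in package metadata point back
        # at the proxy.
        sub_filter '$BACKEND_HOST' '$SERVER_NAME';
        sub_filter_types application/json;
        sub_filter_once off;

        proxy_http_version 1.1;
        proxy_set_header Host $BACKEND_HOST;
        proxy_set_header Authorization 'Bearer $AUTH_TOKEN';
        # Client request headers (including any Authorization header the
        # client sent) are not forwarded; only the two headers above are set.
        proxy_pass_request_headers off;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (together with
        # proxy_ssl_trusted_certificate). Consider enabling it so the token
        # is only ever sent to the real backend.
        proxy_pass $BACKEND_URL:$BACKEND_PORT;
    }
}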
NPM Nginx-based caching proxy
https://gist.github.com/dctrwatson/5785675
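# Caching reverse proxy in front of the public npm registry.
user www-data;
worker_processes 4;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    access_log off;
    default_type application/octet-stream;

    sendfile on;
    tcp_nodelay on;
    tcp_nopush off;

    reset_timedout_connection on;

    server_tokens off;

    # Cache 10G worth of packages for up to 1 month
    proxy_cache_path /var/lib/nginx/npm levels=1:2 keys_zone=npm:16m inactive=1M max_size=10G;

    # Multiple server definitions makes nginx retry
    # The registry is reached over TLS: metadata and tarballs fetched over
    # plain HTTP could be altered in transit and would then be served from
    # this cache to every client.
    upstream registry_npm {
        server registry.npmjs.org:443;
        server registry.npmjs.org:443;
        keepalive 16;
    }

    gzip on;
    gzip_types application/json text/css text/javascript;
    gzip_proxied any;
    gzip_vary on;

    server {
        listen 80 default_server;
        server_name npm.example.com;

        root /var/www;

        proxy_cache npm;
        # The key is the path only: query string and host are not part of it.
        proxy_cache_key $uri;
        proxy_cache_lock on;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        proxy_http_version 1.1;
        # Client headers are dropped; only the headers set below go upstream.
        proxy_pass_request_headers off;
        proxy_set_header Host registry.npmjs.org;
        # Needed for the upstream keepalive pool to be used: by default nginx
        # sends "Connection: close" to the upstream.
        proxy_set_header Connection "";

        # Send SNI and verify the registry certificate against the system CA
        # bundle. The path below is the usual Debian/Ubuntu location; adjust
        # it for other systems.
        proxy_ssl_server_name on;
        proxy_ssl_name registry.npmjs.org;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Package metadata: cached for a short time.
        location / {
            proxy_cache_valid any 5m;

            add_header X-Cache $upstream_cache_status;

            proxy_pass https://registry_npm;
        }

        # Paths of the form /<name>/-/<file> (tarballs): cached for a month.
        location ~ ^/.+/-/.+ {
            proxy_cache_valid any 1M;

            add_header X-Cache $upstream_cache_status;

            proxy_pass https://registry_npm;
        }
    }
}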
Discussion