amancevice/terraform-aws-custom-ecr-domain

307 Redirect to S3

cajund opened this issue · 3 comments

Hi There,

Thanks for this effort. I was reviewing your code and had a question. We have a client that has very strict network rules, as in they can only reach one Public IP address.

We have an ECR set up with an nginx proxy in front. We were thinking about using your solution in front of our "master" ECR so all of the restricted environments can get to it (client -> proxy -> api gateway -> ecr). At this point, we are able to proxy to ECR to log in, but when we pull, we see these 307's to S3. Our client systems can get the S3 URL. When we direct the traffic to our proxy, we get an SSL Cert error (as expected).

So we want to intercept these S3 requests, or I guess rewrite them on the way out so the client system doesn't try to hit S3, and tries to pull the blob from our domain (which we can then proxy). I wanted to see if your solution is making the assumption that the calling system has access to any URL, and that you are just masking the overall domain.

Thanks again.

I'm not sure I 100% understand your setup, but I can tell you I tried to make this with as few assumptions as possible. Let me walk through an example to see if that clears things up:

Assumptions I am making:

  1. ecr.private.io is the custom DNS name we will use to reference our ECR registry
  2. Our real ECR registry host is 123456789012.dkr.ecr.us-east-1.amazonaws.com

Example workflow:

  1. I execute docker pull ecr.private.io/my-image on my machine
  2. My local docker client translates this command into a series of HTTP requests to https://ecr.private.io/v2/* (eg, https://ecr.private.io/v2/my-image/manifests/latest)
  3. Each of these requests is received by AWS (Route53 -> API Gateway -> Lambda), which returns an AWS proxy response JSON: {"statusCode":307,"headers":{"location":"https://123456789012.dkr.ecr.us-east-1.amazonaws.com/*"}} where * in the location header is whatever the original request path is.
  4. If I have access to whatever this redirect location is then the request should succeed, if I don't then the request fails.

Does that clear things up at all?
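As an added example, not code from this project or from either commenter, the following Python shows a minimal Lambda proxy handler that behaves the way steps 2 to 4 describe: every request to the alias is answered with a 307 whose location is the same path (and query string) on the real registry host. A small simulated client that can only reach an allowlist of hosts then shows step 4, where the pull succeeds only if the redirect target is reachable. The hostnames are the ones assumed above; the event shape follows the API Gateway REST proxy integration; the allowlist client is a constructed stand-in for docker, not the real client.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed for this example: the alias and the real registry host from the thread.
ALIAS_HOST = "ecr.private.io"
ECR_HOST = "123456789012.dkr.ecr.us-east-1.amazonaws.com"


def handler(event, context=None):
    """Lambda proxy integration: answer any /v2/* request with a 307 to the real registry.

    Only the path and query string are carried over. A 307 (unlike a 302) tells the
    client to replay the same method and body, so PUT/POST/PATCH from `docker push`
    are preserved as well as the GET/HEAD used by `docker pull`. Credentials are not
    handled here at all; the client supplies its own Authorization on the follow-up.
    """
    path = event.get("path") or "/"
    qs = event.get("queryStringParameters") or {}
    location = f"https://{ECR_HOST}{path}"
    if qs:
        location += "?" + urlencode(qs)
    return {
        "statusCode": 307,
        "headers": {"location": location},
        "body": "",
    }


def follow_pull(image_name, reachable_hosts):
    """Simulate step 4 for a constructed client restricted to `reachable_hosts`.

    The client sends the manifest request to the alias, receives the 307, and tries
    to follow it. Returns the URL it would fetch next, or raises ConnectionError if
    the redirect target is a host the client is not allowed to reach.
    """
    if ALIAS_HOST not in reachable_hosts:
        raise ConnectionError(f"alias {ALIAS_HOST} is not reachable from this client")
    event = {
        "path": f"/v2/{image_name}/manifests/latest",
        "queryStringParameters": None,
    }
    resp = handler(event)
    if resp["statusCode"] != 307:
        raise RuntimeError(f"unexpected status {resp['statusCode']}")
    location = resp["headers"]["location"]
    host = urlparse(location).hostname
    if host not in reachable_hosts:
        raise ConnectionError(f"redirect target {host} is not reachable from this client")
    return location


if __name__ == "__main__":
    print(json.dumps(handler({"path": "/v2/my-image/manifests/latest"}), indent=2))
    # A client that can reach both hosts completes the redirect.
    print(follow_pull("my-image", {ALIAS_HOST, ECR_HOST}))
    # A client locked down to the alias alone fails at the redirect, which is the
    # situation described in this thread.
    try:
        follow_pull("my-image", {ALIAS_HOST})
    except ConnectionError as exc:
        print("pull failed:", exc)
```

The second `follow_pull` call is the restricted-client case from this issue: the alias answers, but the pull stops as soon as the client is told to fetch from a host outside its allowlist. Rewriting the location header to point back at the alias would need an extra hop that proxies the registry (and later the S3 blob URLs) itself, which this handler does not do.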

It does, and thanks for putting it together.

My issue is #4, where the client can't access anything else but the IP address to which ecr.private.io resolves. I need to perform a rewrite on the return content, in this case, using ngx_http_sub_module, and manage the additional traffic.

Thanks again.

Ah, OK. Yes, this project assumes the end user has access to both the DNS alias (ecr.private.io) and the raw ECR endpoint (123456789012.dkr.ecr.us-east-1.amazonaws.com) via AWS keys + docker credential helper.