docs: add OCI registry caveat docs

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/expect.txt

@@ -64,6 +64,7 @@ Codespaces
 confd
 connnection
 containerbuild
+containerregistry
 coreutils
 Cotoyogi
 Cromite
@@ -341,6 +342,7 @@ Velen
 vendored
 vhosts
 VKE
+vnd
 VPS
 Vultr
 weblate

.github/workflows/asset-verification.yml

@@ -1,73 +0,0 @@
-name: Asset Build Verification
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-
-permissions:
-  contents: read
-
-jobs:
-  asset_verification:
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: build essential
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y build-essential
-
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version: latest
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version: stable
-
-      - name: install node deps
-        run: |
-          npm ci
-
-      - name: Check for uncommitted changes before asset build
-        id: check-changes-before
-        run: |
-          if [[ -n $(git status --porcelain) ]]; then
-            echo "has_changes=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_changes=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Fail if there are uncommitted changes before build
-        if: steps.check-changes-before.outputs.has_changes == 'true'
-        run: |
-          echo "There are uncommitted changes before running npm run assets"
-          git status
-          exit 1
-
-      - name: Run asset build
-        run: |
-          npm run assets
-
-      - name: Check for uncommitted changes after asset build
-        id: check-changes-after
-        run: |
-          if [[ -n $(git status --porcelain) ]]; then
-            echo "has_changes=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_changes=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Fail if assets generated changes
-        if: steps.check-changes-after.outputs.has_changes == 'true'
-        run: |
-          echo "npm run assets generated uncommitted changes. This indicates the repository has outdated generated files."
-          echo "Please run 'npm run assets' locally and commit the changes."
-          git status
-          git diff
-          exit 1

.github/workflows/docker-pr.yml

@@ -2,7 +2,7 @@ name: Docker image builds (pull requests)
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 env:
   DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -21,29 +21,20 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set up Homebrew
+      - name: build essential
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
         run: |
-          brew bundle
+          sudo apt-get update
+          sudo apt-get install -y build-essential
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: latest
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: stable
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Docker meta
         id: meta

.github/workflows/docker.yml

@@ -27,33 +27,24 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: build essential
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential
+
       - name: Set lowercase image name
         run: |
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
-      - name: Set up Homebrew
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: |
+          node-version: latest
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
 
-      - name: Install Brew dependencies
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        run: |
+        with:
-          brew bundle
+          go-version: stable
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Log into registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

.github/workflows/go.yml

@@ -2,9 +2,9 @@ name: Go
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 permissions:
   contents: read
@@ -15,77 +15,51 @@ jobs:
     #runs-on: alrest-techarohq
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
+        with:
-        persist-credentials: false
+          persist-credentials: false
 
-    - name: build essential
+      - name: build essential
-      run: |
+        run: |
-        sudo apt-get update
+          sudo apt-get update
-        sudo apt-get install -y build-essential
+          sudo apt-get install -y build-essential
 
-    - name: Set up Homebrew
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-      uses: Homebrew/actions/setup-homebrew@main
+        with:
+          node-version: latest
 
-    - name: Setup Homebrew cellar cache
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
-      with:
+          go-version: stable
-        path: |
-          /home/linuxbrew/.linuxbrew/Cellar
-          /home/linuxbrew/.linuxbrew/bin
-          /home/linuxbrew/.linuxbrew/etc
-          /home/linuxbrew/.linuxbrew/include
-          /home/linuxbrew/.linuxbrew/lib
-          /home/linuxbrew/.linuxbrew/opt
-          /home/linuxbrew/.linuxbrew/sbin
-          /home/linuxbrew/.linuxbrew/share
-          /home/linuxbrew/.linuxbrew/var
-        key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-homebrew-cellar-
 
-    - name: Install Brew dependencies
+      - name: Cache playwright binaries
-      run: |
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        brew bundle
+        id: playwright-cache
+        with:
+          path: |
+            ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
 
-    - name: Setup Golang caches
+      - name: install node deps
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        run: |
-      with:
+          npm ci
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-golang-
 
-    - name: Cache playwright binaries
+      - name: install playwright browsers
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        run: |
-      id: playwright-cache
+          npx --no-install playwright@1.52.0 install --with-deps
-      with:
+          npx --no-install playwright@1.52.0 run-server --port 9001 &
-        path: |
-          ~/.cache/ms-playwright
-        key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
 
-    - name: install node deps
+      - name: Build
-      run: |
+        run: npm run build
-        npm ci
 
-    - name: install playwright browsers
+      - name: Test
-      run: |
+        run: npm run test
-        npx --no-install playwright@1.52.0 install --with-deps
-        npx --no-install playwright@1.52.0 run-server --port 9001 &
 
-    - name: Build
+      - name: Lint with staticcheck
-      run: npm run build
+        uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
+        with:
+          version: "latest"
 
-    - name: Test
+      - name: Govulncheck
-      run: npm run test
+        run: |
-
+          go tool govulncheck ./...
-    - name: Lint with staticcheck
-      uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
-      with:
-        version: "latest"
-
-    - name: Govulncheck
-      run: |
-        go tool govulncheck ./...

.github/workflows/package-builds-stable.yml

@@ -25,39 +25,13 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - name: Set up Homebrew
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: |
+          node-version: latest
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
 
-      - name: Install Brew dependencies
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        run: |
-          brew bundle
-
-      - name: Setup Golang caches
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: |
+          go-version: stable
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-golang-
 
       - name: install node deps
         run: |

.github/workflows/package-builds-unstable.yml

@@ -2,9 +2,9 @@ name: Package builds (unstable)
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 permissions:
   contents: read
@@ -15,60 +15,34 @@ jobs:
     #runs-on: alrest-techarohq
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
+        with:
-        persist-credentials: false
+          persist-credentials: false
-        fetch-tags: true
+          fetch-tags: true
-        fetch-depth: 0
+          fetch-depth: 0
 
-    - name: build essential
+      - name: build essential
-      run: |
+        run: |
-        sudo apt-get update
+          sudo apt-get update
-        sudo apt-get install -y build-essential
+          sudo apt-get install -y build-essential
 
-    - name: Set up Homebrew
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-      uses: Homebrew/actions/setup-homebrew@main
+        with:
+          node-version: latest
 
-    - name: Setup Homebrew cellar cache
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
-      with:
+          go-version: stable
-        path: |
-          /home/linuxbrew/.linuxbrew/Cellar
-          /home/linuxbrew/.linuxbrew/bin
-          /home/linuxbrew/.linuxbrew/etc
-          /home/linuxbrew/.linuxbrew/include
-          /home/linuxbrew/.linuxbrew/lib
-          /home/linuxbrew/.linuxbrew/opt
-          /home/linuxbrew/.linuxbrew/sbin
-          /home/linuxbrew/.linuxbrew/share
-          /home/linuxbrew/.linuxbrew/var
-        key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-homebrew-cellar-
 
-    - name: Install Brew dependencies
+      - name: install node deps
-      run: |
+        run: |
-        brew bundle
+          npm ci
 
-    - name: Setup Golang caches
+      - name: Build Packages
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        run: |
-      with:
+          go tool yeet
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-golang-
 
-    - name: install node deps
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-      run: |
+        with:
-        npm ci
+          name: packages
-
+          path: var/*
-    - name: Build Packages
-      run: |
-        go tool yeet
-
-    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-      with:
-        name: packages
-        path: var/*

.github/workflows/smoke-tests.yml

@@ -15,6 +15,7 @@ jobs:
       matrix:
         test:
           - default-config-macro
+          - docker-registry
           - double_slash
           - forced-language
           - git-clone

data/clients/docker-client.yaml

@@ -0,0 +1,25 @@
+- name: allow-docker-client
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("docker/")
+      - userAgent.contains("git-commit/")
+      - '"Accept" in headers'
+      - headers["Accept"].contains("vnd.docker.distribution")
+      - '"Baggage" in headers'
+      - headers["Baggage"].contains("trigger")
+
+- name: allow-crane-client
+  action: ALLOW
+  expression:
+    all:
+      - userAgent.contains("crane/")
+      - userAgent.contains("go-containerregistry/")
+
+- name: allow-docker-distribution-api-client
+  action: ALLOW
+  expression:
+    all:
+      - '"Docker-Distribution-Api-Version" in headers'
+      - '!(userAgent.contains("Mozilla"))'

docs/docs/CHANGELOG.md

@@ -16,6 +16,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix `SERVE_ROBOTS_TXT` setting file after the double slash fix broke it.
 - Remove the default configuration rule to block Tencent cloud. If users see abuse from Tencent cloud IP ranges, please contact abuse@tencent.com and mention that you are using Anubis to protect your services. Please include source IP address, source port, timestamp, target IP address, target port, request headers (including the User-Agent header), and target endpoints/patterns.
 
+### Potentially breaking changes
+
+#### Docker / OCI registry clients
+
+Anubis v1.23.0 accidentally blocked Docker / OCI registry clients. In order to explicitly allow them, add an import for `(data)/clients/docker-client.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+```
+
+This is technically a regression as these clients used to work in Anubis v1.22.0, however it is allowable to make this opt-in as most websites do not expect to be serving Docker / OCI registry client traffic.
+
 ## v1.23.0: Lyse Hext
 
 - Add default tencent cloud DENY rule.

docs/docs/admin/roles/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Server Roles",
+  "position": 40,
+  "link": {
+    "type": "generated-index",
+    "description": "Various server roles you will need to keep in mind with Anubis."
+  }
+}

docs/docs/admin/roles/oci-registry.mdx

@@ -0,0 +1,10 @@
+# OCI Registries
+
+If you are serving an OCI registry behind Anubis, you will need to import the `(data)/clients/docker-client.yaml` file in order to make sure that OCI registry clients can download images:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+# ... the rest of your config
+```

lib/challenge/metarefresh/metarefresh_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.960
+// templ: version: v0.3.924
 package metarefresh
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/challenge/preact/preact_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.960
+// templ: version: v0.3.924
 package preact
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/challenge/proofofwork/proofofwork_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.960
+// templ: version: v0.3.924
 package proofofwork
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

test/docker-registry/anubis.yaml

@@ -0,0 +1,7 @@
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+
+status_codes:
+  CHALLENGE: 200
+  DENY: 403

test/docker-registry/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+  registry:
+    image: distribution/distribution:edge
+    restart: always
+
+  relayd:
+    image: ghcr.io/xe/x/relayd
+    pull_policy: always
+    environment:
+      CERT_DIR: /etc/techaro/pki/registry.local.cetacean.club
+      CERT_FNAME: cert.pem
+      KEY_FNAME: key.pem
+      PROXY_TO: http://anubis:3000
+    ports:
+      - 3004:3004
+    volumes:
+      - ../pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
+
+  anubis:
+    image: ko.local/anubis
+    restart: always
+    environment:
+      BIND: ":3000"
+      TARGET: http://registry:5000
+      POLICY_FNAME: /etc/techaro/anubis.yaml
+      USE_REMOTE_ADDRESS: "true"
+    ports:
+      - 3000
+    volumes:
+      - ./anubis.yaml:/etc/techaro/anubis.yaml

test/docker-registry/test.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+export VERSION=${GITHUB_SHA}-test
+export KO_DOCKER_REPO=ko.local
+
+set -u
+
+source ../lib/lib.sh
+
+build_anubis_ko
+
+function cleanup() {
+	docker compose down
+}
+
+trap cleanup EXIT SIGINT
+
+mint_cert registry.local.cetacean.club
+
+docker compose up -d
+
+backoff-retry skopeo \
+	--insecure-policy \
+	copy \
+	--dest-tls-verify=false \
+	docker://hello-world \
+	docker://registry.local.cetacean.club:3004/hello-world

test/docker-registry/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/git-push/test.sh

@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-export VERSION=$GITHUB_COMMIT-test
+export VERSION=${GITHUB_SHA}-test
 export KO_DOCKER_REPO=ko.local
 
 set -u
@@ -21,16 +21,16 @@ docker compose up -d
 sleep 2
 
 (
-  cd var && \
+	cd var &&
-  mkdir foo && \
+		mkdir foo &&
-  cd foo && \
+		cd foo &&
-  git init && \
+		git init &&
-  touch README && \
+		touch README &&
-  git add . && \
+		git add . &&
-  git config user.name "Anubis CI" && \
+		git config user.name "Anubis CI" &&
-  git config user.email "social+anubis-ci@techaro.lol" && \
+		git config user.email "social+anubis-ci@techaro.lol" &&
-  git commit -sm "initial commit" && \
+		git commit -sm "initial commit" &&
-  git push -u http://localhost:3000/git/foo.git master
+		git push -u http://localhost:3000/git/foo.git master
 )
 
-exit 0
+exit 0

web/index_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.960
+// templ: version: v0.3.924
 package web
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.