Implement a custom auth backend or a custom proxy with auth logic #1

Open
cgcgbcbc opened this issue Apr 15, 2015 · 1 comment
@cgcgbcbc

Requirements:

  1. Support query for anonymous or logged-in users. (Configurable is better.)
  2. Support pull for anonymous or logged-in users. (Configurable is better.)
  3. Support push, delete for logged-in users. Restricted to paths under the user name.
  4. Support push, delete for /library and any path for administrators.
  5. Support the docker-cli login and logout methods.

Implementation notes:

There are two approaches: a custom auth backend behind nginx, or a custom proxy with auth logic.

For the first one, http://antoineroygobeil.com/blog/2014/2/6/nginx-ruby-auth/ can be a reference.
Another idea is to use LDAP behind nginx; references are https://github.com/presbrey/nginx-auth-request-ldap and https://registry.hub.docker.com/u/h3nrik/nginx-ldap/

For the second one, references are https://github.com/nodejitsu/node-http-proxy, https://golang.org/src/net/http/httputil/reverseproxy.go and https://github.com/azer/boxcars

Benefits:

Now the registry is running behind a VPN, without auth. There are two issues:

  1. We cannot prevent users who have VPN access from modifying images that we do not want them to modify.
  2. Users running docker behind boot2docker will now get stuck, since modifications are needed to let the VM use the host's VPN network, which needs study and is not easy to use.

When we have an auth backend, we can bind the registry on a public interface and thus solve the 2 issues.
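
Requirements 1 to 4 above as a single authorization decision, written as an added Go example that is not part of the original issue or the project's code. The names `Action`, `User`, `Policy` and `Allowed` are hypothetical, and treating `library` as a namespace no ordinary user can own is an assumption drawn from requirement 4.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the registry operation being requested (hypothetical names).
type Action int

const (
	Query Action = iota
	Pull
	Push
	Delete
)

// User is the authenticated caller; an empty Name means anonymous.
type User struct {
	Name  string
	Admin bool
}

// Policy holds the two "configurable" switches from requirements 1 and 2.
type Policy struct{ AnonQuery, AnonPull bool }

// Allowed applies requirements 1-4 to one request for repository path repo.
func (p Policy) Allowed(u User, a Action, repo string) bool {
	loggedIn := u.Name != ""
	if a == Query {
		return loggedIn || p.AnonQuery
	}
	segs := strings.Split(strings.Trim(repo, "/"), "/")
	for _, s := range segs {
		if s == "" || s == "." || s == ".." {
			return false // empty or traversal segment: never normalise, just deny
		}
	}
	if a == Pull {
		return loggedIn || p.AnonPull
	}
	// Push/Delete: match the whole first segment so "alice" does not own
	// "alicex/app", and keep "library" admin-only even for a user of that name.
	return loggedIn && (u.Admin || (len(segs) > 1 && segs[0] == u.Name && u.Name != "library"))
}

func main() {
	p := Policy{AnonPull: true} // constructed sample policy and requests
	fmt.Println(p.Allowed(User{Name: "alice"}, Push, "alice/app"), p.Allowed(User{Name: "alice"}, Push, "alicex/app"))
}
```
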

@cgcgbcbc cgcgbcbc modified the milestone: 0.1 Apr 15, 2015
@cgcgbcbc

cgcgbcbc commented May 1, 2015

Something like ralasafe may be helpful. But ralasafe itself has turned into a closed-source commercial product, and the open source version has been inactive since last year.
