{"id":46293413,"url":"https://github.com/socketdev/socket-registry-firewall","last_synced_at":"2026-05-23T01:06:08.851Z","repository":{"id":341121856,"uuid":"1159410437","full_name":"SocketDev/socket-registry-firewall","owner":"SocketDev","description":"Release repository for the Socket Registry Firewall artifacts","archived":false,"fork":false,"pushed_at":"2026-03-10T03:13:55.000Z","size":17,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-10T11:43:42.555Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SocketDev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-16T17:39:26.000Z","updated_at":"2026-02-28T03:57:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/SocketDev/socket-registry-firewall","commit_stats":null,"previous_names":["socketdev/socket-registry-firewall"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/SocketDev/socket-registry-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SocketDev%2Fsocket-registry-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SocketDev%2Fsocket-registry-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SocketDev%2Fsocket-registry-firewall/releases"
,"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SocketDev%2Fsocket-registry-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SocketDev","download_url":"https://codeload.github.com/SocketDev/socket-registry-firewall/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SocketDev%2Fsocket-registry-firewall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31549900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"online","status_checked_at":"2026-04-08T02:00:06.127Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-04T09:03:38.329Z","updated_at":"2026-05-23T01:06:08.845Z","avatar_url":"https://github.com/SocketDev.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Socket Registry Firewall\n\nEnterprise-grade security proxy that protects your package registries (npm, PyPI, Maven, Cargo, RubyGems, OpenVSX, NuGet, Go) by scanning packages with Socket's security API in real-time to block malicious packages before they reach your systems.\n\n## Supported Registries\n\n- **npm** (JavaScript/Node.js) - `registry.npmjs.org`\n- **PyPI** (Python) - `pypi.org`\n- **Maven** (Java) - `repo1.maven.org`\n- **Cargo** (Rust) - `crates.io`\n- **RubyGems** (Ruby) - `rubygems.org`\n- 
**OpenVSX** (VS Code Extensions) - `open-vsx.org`\n- **NuGet** (.NET) - `nuget.org`\n- **Go** (Go Modules) - `proxy.golang.org`\n- **Conda** (Python/R/etc.) - `repo.anaconda.com/pkgs/main` *(treated as PyPI until native support)*\n\n## Key Features\n\n✅ **Real-time Security** - Blocks malicious packages before installation  \n✅ **Multi-Registry** - Protects all 8 major package ecosystems  \n✅ **Flexible Routing** - Domain-based or path-based routing  \n✅ **Auto-Discovery** - Sync routes from Artifactory/Nexus automatically  \n✅ **High Performance** - Intelligent caching with Redis support  \n✅ **Enterprise Ready** - Outbound proxy, custom CAs, Splunk logging  \n✅ **Zero Config** - Works with public registries out-of-the-box  \n\n## Installation Methods\n\nSocket Registry Firewall can be deployed in two ways:\n\n1. **Pre-built Docker Image** (Recommended) - Pull and run the official image\n2. **Tarball Installation** - Build your own image using the firewall tarball (for air-gapped or custom environments)\n\n## Quick Start (Pre-built Image)\n\n### 1. Get Socket API Key\n\n1. Sign up at [Socket.dev](https://socket.dev/)\n2. Go to [Settings → API Keys](https://socket.dev/dashboard/organization/settings/api-keys)\n3. Create API key with scopes: `packages`, `entitlements:list`\n\n### 2. Set API Token\n\n```bash\n# Create .env file with your Socket API token\ncat \u003e .env \u003c\u003cEOF\nSOCKET_SECURITY_API_TOKEN=your-api-key-here\nEOF\n```\n\nOr export it in your shell:\n\n```bash\nexport SOCKET_SECURITY_API_TOKEN=your-api-key-here\n```\n\n### 3. 
Create Docker Compose File\n\nCreate a `docker-compose.yml`:\n\n```yaml\nservices:\n  socket-firewall:\n    image: socketdev/socket-registry-firewall:latest\n    ports:\n      - \"8080:8080\"   # HTTP (redirects to HTTPS)\n      - \"8443:8443\"   # HTTPS\n    environment:\n      # Required: Socket.dev API token\n      - SOCKET_SECURITY_API_TOKEN=${SOCKET_SECURITY_API_TOKEN}\n    volumes:\n      # Configuration file\n      - ./socket.yml:/app/socket.yml:ro\n      # SSL certificates directory\n      - ./ssl:/etc/nginx/ssl\n    restart: unless-stopped\n    healthcheck:\n      test: [\"CMD\", \"curl\", \"-fk\", \"https://localhost:8443/health\"]\n      interval: 30s\n      timeout: 10s\n      retries: 3\n```\n\nCreate a minimal `socket.yml`:\n\n```yaml\n# Minimal configuration - uses defaults for all public registries\n# Access registries at: https://localhost:8443/npm/, /pypi/, /maven/, etc.\n\nsocket:\n  api_url: https://api.socket.dev\n\n# Set internal container ports the firewall will bind to\nports:\n  http: 8080\n  https: 8443\n\npath_routing:\n  enabled: true\n  domain: sfw.your_company.com\n  routes:\n    - path: /npm\n      upstream: https://registry.npmjs.org\n      registry: npm\n  \n# Optional: Customize performance settings\nnginx:\n  worker_processes: 2\n  worker_connections: 4096\n```\n\n### 4. Add host entry (edit /etc/hosts)\n```\nsudo sh -c 'printf \"127.0.0.1   sfw.your_company.com\\n::1         sfw.your_company.com\\n\" \u003e\u003e /etc/hosts'\n```\n\n### 5. Pull the Firewall from Docker\n```\ndocker pull socketdev/socket-registry-firewall\n```\n\n### 6. Start the Firewall\n\n```bash\ndocker compose up -d\n```\n\nThat's it! 
The firewall is now protecting the npm registry at `http://sfw.your_company.com:8080/npm/`.\n\n---\n\n## Alternative: Tarball Installation\n\nFor air-gapped environments, custom base images, or when you need to build your own container, Socket provides the firewall as a tarball that can be extracted into any OpenResty-based image.\n\n### When to Use Tarball Installation\n\n- **Air-gapped environments** - No access to Docker Hub\n- **Custom base images** - Need specific OpenResty version or OS distribution\n- **Security requirements** - Must build from source in your own registry\n- **Custom modifications** - Need to add additional tools or configurations\n\n### Prerequisites\n\n1. **Obtain the tarball** from Socket (e.g., `socket-firewall-1.1.94.arm64.tgz`)\n2. **OpenResty base image** - Compatible with `openresty/openresty:1.29.2.4-alpine` or similar\n\n### Installation Steps\n\n#### 1. Create Dockerfile\n\nCreate a `Dockerfile` in your project directory:\n\n```dockerfile\nFROM openresty/openresty:1.29.2.4-alpine\n\n# Copy and extract the Socket Firewall tarball\nCOPY socket-firewall-1.1.94.arm64.tgz /app/install/socket-firewall-1.1.94.arm64.tgz\nCOPY entrypoint.sh /app/entrypoint.sh\n\nRUN chmod +x /app/entrypoint.sh \\\n  \u0026\u0026 tar -xzf /app/install/socket-firewall-1.1.94.arm64.tgz -C /\n\n# Install basic dependencies\nRUN apk add --no-cache curl ca-certificates git openssl bash \u0026\u0026 \\\n    # Prefer IPv4 over IPv6 to avoid upstream IPv6 connection attempts\n    printf 'precedence ::ffff:0:0/96  100\\n' \u003e\u003e /etc/gai.conf || true\n\n# Install lua-resty libraries\nRUN cd /tmp \u0026\u0026 \\\n    # Install lua-resty-http\n    git clone https://github.com/ledgetech/lua-resty-http.git \u0026\u0026 \\\n    cd lua-resty-http \u0026\u0026 \\\n    cp -r lib/resty/* /usr/local/openresty/lualib/resty/ \u0026\u0026 \\\n    cd /tmp \u0026\u0026 \\\n    # Install lua-resty-openssl (needed for HTTPS)\n    git clone 
https://github.com/fffonion/lua-resty-openssl.git \u0026\u0026 \\\n    cd lua-resty-openssl \u0026\u0026 \\\n    cp -r lib/resty/* /usr/local/openresty/lualib/resty/ \u0026\u0026 \\\n    cd /tmp \u0026\u0026 \\\n    # Install lua-resty-redis (needed for Redis caching)\n    git clone https://github.com/openresty/lua-resty-redis.git \u0026\u0026 \\\n    cd lua-resty-redis \u0026\u0026 \\\n    cp lib/resty/redis.lua /usr/local/openresty/lualib/resty/ \u0026\u0026 \\\n    cd / \u0026\u0026 \\\n    rm -rf /tmp/lua-resty-http /tmp/lua-resty-openssl /tmp/lua-resty-redis\n\nWORKDIR /app\n\nENTRYPOINT [\"/app/entrypoint.sh\"]\n```\n\n**Note**: Adjust the tarball filename to match your version and architecture (e.g., `socket-firewall-1.1.94.amd64.tgz` for x86_64).\n\n#### 2. Create Entrypoint Script\n\nDownload the `entrypoint.sh` script from Socket (provided with the tarball package) or request it from Socket support.\n\nPlace it in your project directory and make it executable:\n\n```bash\nchmod +x entrypoint.sh\n```\n\nThe entrypoint script handles:\n- Configuration generation using `socket-proxy-config-tool`\n- Environment variable loading\n- Nginx configuration validation\n- Auto-discovery daemon startup (if configured)\n- Nginx process management\n\n#### 3. 
Create Docker Compose File\n\nCreate a `docker-compose.yml` for the tarball-based installation:\n\n```yaml\nservices:\n  socket-firewall:\n    build:\n      context: .\n      dockerfile: Dockerfile\n    image: socketdev/socket-registry-firewall-tar:latest\n    ports:\n      - \"8085:8080\"   # HTTP (redirects to HTTPS)\n      - \"8445:8443\"   # HTTPS\n    environment:\n      # Required: Socket.dev API token\n      - SOCKET_SECURITY_API_TOKEN=${SOCKET_SECURITY_API_TOKEN}\n    volumes:\n      # Configuration file\n      - ./socket.yml:/app/socket.yml:ro\n      # SSL certificates directory\n      - ./ssl:/etc/nginx/ssl\n    restart: unless-stopped\n    healthcheck:\n      test: [\"CMD\", \"curl\", \"-fk\", \"https://localhost:8443/health\"]\n      interval: 30s\n      timeout: 10s\n      retries: 1\n```\n\n**Note**: Different ports (8085/8445) are used in this example to avoid conflicts if running both methods simultaneously.\n\n#### 4. Build and Start\n\n```bash\n# Build the image\ndocker compose build\n\n# Start the firewall\ndocker compose up -d\n\n# View logs\ndocker compose logs -f socket-firewall\n```\n\n### Tarball Contents\n\nThe Socket Firewall tarball includes:\n\n- `/usr/local/bin/socket-proxy-config-tool` - Configuration generation tool\n- `/usr/local/openresty/lualib/socket/*.lua` - Lua modules for package parsing and security checks\n- `/usr/local/openresty/nginx/conf/snippets/` - Nginx configuration snippets\n- Supporting files for all 8 ecosystems (npm, PyPI, Maven, Cargo, RubyGems, OpenVSX, NuGet, Go)\n\nThe tarball extracts to standard OpenResty paths, making it compatible with any OpenResty-based image.\n\n### Customization Options\n\nWhen using tarball installation, you can:\n\n- **Use different base images**: Change the `FROM` line to use specific OpenResty versions or distributions\n- **Add custom tools**: Install additional packages in the RUN command\n- **Modify entrypoint**: Customize the entrypoint script for your environment\n- **Layer 
scanning**: Add image scanning tools in your build pipeline\n- **Internal registries**: Push built images to your private container registry\n\n### Verification\n\nAfter starting the firewall, verify it's working:\n\n```bash\n# Check health endpoint\ncurl -k https://localhost:8445/health\n\n# Expected response:\n# {\"status\":\"healthy\",\"version\":\"1.1.94\"}\n\n# View startup logs\ndocker compose logs socket-firewall | grep -i \"socket firewall\"\n```\n\n---\n\n## Configuration (Both Methods)\n\nBoth the pre-built image and tarball installation use the same `socket.yml` configuration file format.\n\n### Testing It Works\n\n**Test npm:**\n```bash\n# Configure npm to use the firewall\nnpm config set registry http://sfw.your_company.com:8080/npm/\nnpm config set strict-ssl false  # Only for self-signed certs\n\n# Install a package\nnpm install lodash --loglevel verbose\n\n# Try to install a malicious package and watch Socket Firewall block the package.\nnpm install lodahs\n```\n\n### Additional ecosystem samples\n\n- Add more ecosystems to `socket.yml`, then test with the common language samples below. 
\n\n**Test pip:**\n```bash\n# Configure pip to use the firewall\npip config set global.index-url https://localhost:8443/pypi/simple\npip config set global.trusted-host \"localhost\"\n\n# Install a package\npip install requests\n```\n\n**Test Maven:**\n```bash\n# Add to ~/.m2/settings.xml\ncat \u003e ~/.m2/settings.xml \u003c\u003c'EOF'\n\u003csettings\u003e\n  \u003cmirrors\u003e\n    \u003cmirror\u003e\n      \u003cid\u003esocket-firewall\u003c/id\u003e\n      \u003curl\u003ehttps://localhost:8443/maven\u003c/url\u003e\n      \u003cmirrorOf\u003e*\u003c/mirrorOf\u003e\n    \u003c/mirror\u003e\n  \u003c/mirrors\u003e\n\u003c/settings\u003e\nEOF\n\n# Build your project\nmvn install -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true\n```\n\n**Test Gradle:**\n\nedit your `settings.gradle`:\n```groovy\ndependencyResolutionManagement {\n    repositoriesMode.set(RepositoriesMode.PREFER_SETTINGS) // or FAIL_ON_PROJECT_REPOS\n    repositories {\n        maven { url \"https://localhost:8443/maven\" }\n    }\n}\n```\n\n## Advanced Configuration\n\n### Basic: Custom Domains\n\nCreate `socket.yml` for custom domains:\n\n```yaml\nregistries:\n  npm:\n    domains:\n      - npm.company.com\n  pypi:\n    domains:\n      - pypi.company.com\n  maven:\n    domains:\n      - maven.company.com\n```\n\n### Advanced: Path Routing (Artifactory/Nexus)\n\nSingle domain with path prefixes:\n\n```yaml\npath_routing:\n  enabled: true\n  domain: firewall.company.com\n  \n  routes:\n    - path: /npm\n      upstream: https://registry.npmjs.org\n      registry: npm\n    \n    - path: /pypi\n      upstream: https://pypi.org\n      registry: pypi\n    \n    - path: /maven\n      upstream: https://repo1.maven.org/maven2\n      registry: maven\n```\n\n### Enterprise: Auto-Discovery from Artifactory/Nexus\n\nAutomatically sync repository routes:\n\n```yaml\npath_routing:\n  enabled: true\n  domain: firewall.company.com\n  mode: nexus  # or 'artifactory'\n  \n  private_registry:\n 
   api_url: https://nexus.company.com\n    api_key: your-nexus-api-token\n    interval: 5m  # Auto-sync every 5 minutes\n    \n    # Optional filters\n    include_pattern: \".*\"\n    exclude_pattern: \"(tmp|test)-.*\"\n```\n\nRoutes update automatically when you add/remove repositories - no manual configuration!\n\nSee [docs/AUTO-DISCOVERY.md](docs/AUTO-DISCOVERY.md) for details.\n\n## SSL/TLS Certificates\n\n### Option 1: Use Provided Self-Signed Certificates\n\nThe firewall auto-generates self-signed certificates on first run. Trust them:\n\n**macOS:**\n```bash\nsudo security add-trusted-cert -d -r trustRoot \\\n  -k /Library/Keychains/System.keychain ssl/fullchain.pem\n```\n\n**Linux:**\n```bash\nsudo cp ssl/fullchain.pem /usr/local/share/ca-certificates/socket-firewall.crt\nsudo update-ca-certificates\n```\n\n### Option 2: Use Your Own Certificates\n\nPlace your certificates in the `ssl/` directory:\n\n```bash\ncp /path/to/cert.pem ssl/fullchain.pem\ncp /path/to/key.pem ssl/privkey.pem\n```\n\n### Option 3: Generate Custom Self-Signed Cert\n\n```bash\nmkdir -p ssl\nopenssl req -x509 -nodes -days 365 -newkey rsa:2048 \\\n  -keyout ssl/privkey.pem \\\n  -out ssl/fullchain.pem \\\n  -subj \"/CN=*.company.com\" \\\n  -addext \"subjectAltName=DNS:firewall.company.com,DNS:npm.company.com,DNS:pypi.company.com\"\n```\n\n## Common Configuration Options\n\n### Outbound Proxy\n\nRoute all upstream traffic through a corporate proxy:\n\n```yaml\nsocket:\n  outbound_proxy: http://proxy.company.com:3128\n  no_proxy: localhost,127.0.0.1,internal.company.com\n```\n\n### SSL Verification (Corporate MITM Proxy)\n\n```yaml\nsocket:\n  outbound_proxy: http://proxy.company.com:3128\n  \n  # Verify SSL with corporate CA (default: false)\n  api_ssl_verify: true\n  api_ssl_ca_cert: /path/to/corporate-ca.crt\n  \n  # Apply same CA to upstream registries (defaults to api_ssl_verify)\n  # (or set upstream_ssl_verify separately if different)\n```\n\n### Redis Caching 
(Multi-Instance)\n\nFor distributed deployments:\n\n```yaml\nredis:\n  enabled: true\n  host: redis.company.com\n  port: 6379\n  password: your-redis-password\n  ttl: 86400  # 24 hours\n```\n\n### Performance Tuning\n\n```yaml\n# Match worker_processes to CPU cores\nworker_processes: 4\nworker_connections: 8192\n\nproxy:\n  connect_timeout: 60\n  send_timeout: 60\n  read_timeout: 60\n```\n\n### Fail-Safe Behavior\n\n```yaml\nsocket:\n  fail_open: true  # Allow packages if Socket API is down (default)\n  # fail_open: false  # Block all packages if Socket API is down\n```\n\n## Environment Variables\n\nOverride configuration via environment variables:\n\n```bash\n# Core settings\nSOCKET_SECURITY_API_TOKEN=your-api-key     # Required\nSOCKET_API_URL=https://api.socket.dev      # Default\nSOCKET_CACHE_TTL=600                       # Seconds, default: 600\nSOCKET_FAIL_OPEN=true                      # Allow on API error\n\n# Ports\nHTTP_PORT=8080                             # Default: 8080\nHTTPS_PORT=8443                            # Default: 8443\n\n# Redis (optional)\nREDIS_ENABLED=true\nREDIS_HOST=redis\nREDIS_PORT=6379\nREDIS_PASSWORD=secret\n\n# Proxy (optional)\nSOCKET_OUTBOUND_PROXY=http://proxy:3128\nSOCKET_NO_PROXY=localhost,127.0.0.1\n```\n\n## Health Checks\n\n```bash\n# Health endpoint (no auth required)\ncurl https://localhost:8443/health\n\n# Expected response (plain text):\n# SocketFirewall/1.1.23 - Health OK - npm (registry.npmjs.org)\n```\n\n## Monitoring \u0026 Logging\n\n### View Logs\n\n```bash\n# All logs\ndocker compose logs -f socket-firewall\n\n# Errors only\ndocker compose logs socket-firewall | grep -i error\n\n# Security events\ndocker compose logs socket-firewall | grep -i block\n```\n\n### Splunk Integration\n\nForward security events to Splunk:\n\n```yaml\nsplunk:\n  enabled: true\n  hec_url: https://splunk.company.com:8088/services/collector/event\n  hec_token: your-splunk-hec-token\n  index: security\n  source: socket-firewall\n```\n\nSee 
[docs/SPLUNK.md](docs/SPLUNK.md) for details.\n\n## Troubleshooting\n\n### Docker Container Won't Start\n\n```bash\n# Check logs\ndocker compose logs socket-firewall\n\n# Verify environment variables\ndocker compose exec socket-firewall env | grep SOCKET\n\n# Test config generation\ndocker compose exec socket-firewall socket-proxy-config-tool generate --config /app/socket.yml\n```\n\n### Package Installation Fails\n\n```bash\n# Check if package is blocked\ndocker compose logs socket-firewall | grep -i block\n\n# Verify firewall is reachable\ncurl -I https://localhost:8443/health\n\n# Test upstream connectivity from container\ndocker compose exec socket-firewall curl -I https://registry.npmjs.org\n```\n\n### SSL Certificate Errors\n\n```bash\n# For testing, bypass SSL verification:\n\n# npm\nnpm config set strict-ssl false\n\n# pip\nPIP_TRUSTED_HOST='localhost' pip install package\n\n# Maven (add flags)\nmvn install -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true\n\n# For production, trust the CA certificate (see SSL/TLS section above)\n```\n\n### Firewall Not Blocking Malicious Packages\n\n```bash\n# Verify API token is set\ndocker compose exec socket-firewall env | grep SOCKET_SECURITY_API_TOKEN\n\n# Check API connectivity (from container)\ndocker compose exec socket-firewall curl https://api.socket.dev/v0/health\n\n# Review fail_open setting\ncat socket.yml | grep fail_open\n```\n\n## Advanced Features\n\n### Metadata Filtering\n\nRemove blocked/warned packages from registry metadata responses:\n\n```yaml\nmetadata_filtering:\n  enabled: true\n  filter_blocked: true   # Remove blocked packages\n  filter_warn: false     # Keep warned packages (show warnings only)\n```\n\n### External Routes File\n\nFor 50+ routes, use external file:\n\n```yaml\npath_routing:\n  enabled: true\n  domain: firewall.company.com\n  routes_file: /config/routes.yml\n```\n\nSee [docs/EXTERNAL-ROUTES.md](docs/EXTERNAL-ROUTES.md) for format.\n\n## 
Architecture\n\n```\nClient (npm/pip/mvn)\n    ↓\nSocket Firewall (this)\n    ↓\nSocket.dev API (security check)\n    ↓\nUpstream Registry (npmjs.org, pypi.org, etc.)\n```\n\n**Request Flow:**\n1. Client requests package from firewall\n2. Firewall extracts package name/version\n3. Firewall checks Socket API for security issues\n4. If safe: proxy to upstream and return package\n5. If malicious: return 403 Forbidden with reason\n\n## Documentation\n\n- **Getting Started**: This file\n- **Auto-Discovery**: [docs/AUTO-DISCOVERY.md](docs/AUTO-DISCOVERY.md)\n- **External Routes**: [docs/EXTERNAL-ROUTES.md](docs/EXTERNAL-ROUTES.md)\n- **Redis Caching**: [docs/REDIS.md](docs/REDIS.md)\n- **Splunk Integration**: [docs/SPLUNK.md](docs/SPLUNK.md)\n- **Artifactory Auth**: [docs/ARTIFACTORY-AUTH.md](docs/ARTIFACTORY-AUTH.md)\n\n## Examples\n\n### Example 1: Protect Public Registries\n\n```yaml\n# Minimal config - no custom domains needed\n# Just start with docker compose up -d\n# Access at https://localhost:8443/npm/, /pypi/, /maven/, etc.\n```\n\n### Example 2: Custom Domains for Each Registry\n\n```yaml\nregistries:\n  npm:\n    domains: [npm.company.com]\n  pypi:\n    domains: [pypi.company.com]\n  maven:\n    domains: [maven.company.com]\n  cargo:\n    domains: [cargo.company.com]\n  rubygems:\n    domains: [rubygems.company.com]\n  openvsx:\n    domains: [vsx.company.com]\n  nuget:\n    domains: [nuget.company.com]\n  go:\n    domains: [go.company.com]\n```\n\n### Example 3: Single Domain for All Registries\n\n```yaml\npath_routing:\n  enabled: true\n  domain: packages.company.com\n  \n  routes:\n    - { path: /npm, upstream: https://registry.npmjs.org, registry: npm }\n    - { path: /pypi, upstream: https://pypi.org, registry: pypi }\n    - { path: /maven, upstream: https://repo1.maven.org/maven2, registry: maven }\n    - { path: /cargo, upstream: https://index.crates.io, registry: cargo }\n    - { path: /rubygems, upstream: https://rubygems.org, registry: rubygems }\n    
- { path: /openvsx, upstream: https://open-vsx.org, registry: openvsx }\n    - { path: /nuget, upstream: https://api.nuget.org, registry: nuget }\n    - { path: /go, upstream: https://proxy.golang.org, registry: go }\n```\n\n### Example 4: Private Artifactory/Nexus\n\n```yaml\npath_routing:\n  enabled: true\n  domain: firewall.company.com\n  mode: artifactory  # or 'nexus'\n  \n  private_registry:\n    api_url: https://artifactory.company.com/artifactory\n    api_key: your-artifactory-api-key\n    interval: 5m\n    default_registry: maven  # Fallback for unknown repos\n```\n\n## Support\n\n- **GitHub Issues**: https://github.com/SocketDev/socket-nginx-firewall/issues\n- **Email**: support@socket.dev\n- **Documentation**: https://docs.socket.dev\n- **Socket Dashboard**: https://socket.dev/dashboard\n\n## License\n\nProprietary - Socket Security Inc.\n\n---\n\n**Need help?** Check [docs/](docs/) for detailed guides or contact support@socket.dev\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsocketdev%2Fsocket-registry-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsocketdev%2Fsocket-registry-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsocketdev%2Fsocket-registry-firewall/lists"}