opensafely-core · madwort · Jun 27, 2025 · Jun 27, 2025
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ when they need to access external data.
 
 This repository produces a Docker image that uses nginx to host four proxy
 domains, each has their own nginx config file:
- 
+
  * github-proxy.opensafely.org: this provides access to *only* opensafely
    repositories hosted on https://github.com, and not other repositories. It
    also restricts access to certain paths within those organisations.
@@ -16,14 +16,11 @@ domains, each has their own nginx config file:
    Container Registry, where the docker images for running the study code are
    stored.
 
- * opencodelists-proxy.opensafely.org: this provides access to a single OpenCodelists
-   API endpoint.
-
  * changelogs.opensafely.org: this allows us to use the do-release-upgrade tool
    to perform major OS upgrades.
 
 Whilst the last two are very simple, the first two requires some shenagins in
-order to proxy git http protocol and docker registry API v2.0 protocol. 
+order to proxy git http protocol and docker registry API v2.0 protocol.
 
 Of particular note is that ghcr.io issues 307 redirects for blob urls to
 a Fastly CDN url. Normally, this is pass back to the client, which fetchs the
@@ -33,7 +30,7 @@ url, and return the response to the original client.  Basically, we follow the
 redirect in nginx.
 
 ## Building docker image
- 
+
 To build
 
     just build
@@ -43,13 +40,13 @@ To build
 This will run the container in docker on port 8080. It uses `network_mode:
 host` in order to have access to the hosts resolver at 127.0.0.53.
 
-    just run 
+    just run
 
 Because we use handle redirects dynamically, we need to configure a DNS
 resolver at run time.  We use 127.0.0.53 by default, assuming you are running
 modern Ubuntu, you may need to use something different by editing .env
 
-## Testing 
+## Testing
 
 To run basic tests:
 
@@ -79,7 +76,7 @@ compose service, which runs with nginx debug logs. This is very verbose, but
 logs all request and response headers, so can be useful.
 
 To look at the debug logs, you can do:
-    
+
     docker compose logs debug
 
 

diff --git a/ci-tests.sh b/ci-tests.sh
@@ -7,8 +7,8 @@ set -euo pipefail
 # So we use curl's --resolve option to query the base APIs to check we get the
 # appropriate responses at the http level.
 #
-# see also: full-tests.sh, which can be run post deploy 
-# 
+# see also: full-tests.sh, which can be run post deploy
+#
 url=
 body=$(mktemp)
 headers=$(mktemp)
@@ -43,7 +43,6 @@ try() {
     curl_args+=(--write-out "%{http_code}")
     curl_args+=(--connect-to github-proxy.opensafely.org:80:127.0.0.1:8080)
     curl_args+=(--connect-to docker-proxy.opensafely.org:80:127.0.0.1:8080)
-    curl_args+=(--connect-to opencodelists-proxy.opensafely.org:80:127.0.0.1:8080)
     curl_args+=(--connect-to changelogs.opensafely.org:80:127.0.0.1:8080)
 
     # Conditionally token if set. Only used for docker-proxy tests.
@@ -66,7 +65,7 @@ try() {
 git-post() {
     # reset tests
     last_test_failed=0
- 
+
     type_=$1
     url=$2
     local expected=$3
@@ -90,7 +89,7 @@ git-post() {
     fi
 }
 
-    
+
 assert-in-body() {
     if test "$last_test_failed" = "1"; then
         echo "SKIP assert body"
@@ -168,7 +167,7 @@ assert-header 'X-GitHub-Request-Id:'
 assert-header 'Www-Authenticate: Bearer realm="https://docker-proxy.opensafely.org/token",service="docker-proxy.opensafely.org",scope="repository:user/image:pull"'
 
 # test other projects are 404'd
-try docker-proxy.opensafely.org/v2/other/project 404 
+try docker-proxy.opensafely.org/v2/other/project 404
 assert-in-body '{ "errors": [{"code": "NAME_UNKNOWN", "message": "only opensafely repositories allowed" }] }';
 assert-header 'Content-Type: application/json; charset=UTF-8'
 
@@ -185,14 +184,6 @@ digest=$(jq -r .config.digest < "$body")
 # including the strict ssl/host config
 try "docker-proxy.opensafely.org/v2/opensafely-core/busybox/blobs/$digest?" 200 "$token"
 
-### opencodelists-proxy.opensafely.org ###
-
-# we should allow this specific call...
-try opencodelists-proxy.opensafely.org/api/v1/dmd-mapping/ 200
-
-# ...but not any others
-try opencodelists-proxy.opensafely.org/api/v1/codelist/ 404
-
 ### changelogs.opensafely.org ###
 
 # This allows us to use the do-release-upgrade tool to perform major backend OS upgrades.

diff --git a/opencodelists.org.conf.template b/opencodelists.org.conf.template