Add annotated example for adding header; +spelling

This adds a variable to help nginx add the Docker-Distribution-Api-Version when using basic auth, and not add the header when it sees it from the upstream. Also fix some minor spelling/grammar issues. Signed-off-by: Sharif Nassar <sharif@mrwacky.com>
2015-10-14 15:15:21 -07:00 · 2015-10-14 15:15:21 -07:00 · 0249cc9cb2
parent 89bedf1e7f
commit 0249cc9cb2
1 changed files with 19 additions and 6 deletions
--- a/docs/nginx.md
+++ b/docs/nginx.md
@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use

 With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.

-While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple.
+While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.

-We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage.
+We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.

 ### Gotchas

@ -49,7 +49,7 @@ X-Forwarded-For   $proxy_add_x_forwarded_for;
 X-Forwarded-Proto $scheme;
 ```

-Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970).
+Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).

 ## Setting things up

@ -69,6 +69,16 @@ upstream docker-registry {
  server registry:5000;
 }

+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header will be unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+  'registry/2.0' '';
+  default registry/2.0;
+}
+
 server {
  listen 443 ssl;
  server_name myregistrydomain.com;
@ -77,7 +87,7 @@ server {
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;

-  # Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
@ -96,10 +106,13 @@ server {
      return 404;
    }

-    # To add basic authentication to v2 use auth_basic setting plus add_header
+    # To add basic authentication to v2 use auth_basic setting.
    auth_basic "Registry realm";
    auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
-    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+
+    ## If $docker_distribution_api_version is empty, the header will not be added.
+    ## See the map directive above where this variable is defined.
+    add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              \$http_host;   # required for docker client's sake