Add annotated example for adding header; +spelling

This adds a variable to help nginx add the
Docker-Distribution-Api-Version when using basic auth, and not add the
header when it sees it from the upstream.

Also fix some minor spelling/grammar issues.

Signed-off-by: Sharif Nassar <sharif@mrwacky.com>
This commit is contained in:
Sharif Nassar 2015-10-14 15:15:21 -07:00
parent 89bedf1e7f
commit 0249cc9cb2

View file

@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use
With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple.
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.
We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage.
We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
### Gotchas
@ -49,7 +49,7 @@ X-Forwarded-For $proxy_add_x_forwarded_for;
X-Forwarded-Proto $scheme;
```
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970).
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).
## Setting things up
@ -69,6 +69,16 @@ upstream docker-registry {
server registry:5000;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'registry/2.0' '';
default registry/2.0;
}
server {
listen 443 ssl;
server_name myregistrydomain.com;
@ -77,7 +87,7 @@ server {
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
@ -96,10 +106,13 @@ server {
return 404;
}
# To add basic authentication to v2 use auth_basic setting plus add_header
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host \$http_host; # required for docker client's sake