From 0249cc9cb2fb3b674b667c677e8f6ac3adb5f4f4 Mon Sep 17 00:00:00 2001 From: Sharif Nassar Date: Wed, 14 Oct 2015 15:15:21 -0700 Subject: [PATCH] Add annotated example for adding header; +spelling This adds a variable to help nginx add the Docker-Distribution-Api-Version when using basic auth, and not add the header when it sees it from the upstream. Also fix some minor spelling/grammar issues. Signed-off-by: Sharif Nassar --- docs/nginx.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/docs/nginx.md b/docs/nginx.md index 5ca19833d..720ff0eee 100644 --- a/docs/nginx.md +++ b/docs/nginx.md @@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry. -While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple. +While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example. -We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage. +We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage. ### Gotchas @@ -49,7 +49,7 @@ X-Forwarded-For $proxy_add_x_forwarded_for; X-Forwarded-Proto $scheme; ``` -Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970). +Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970). ## Setting things up @@ -69,6 +69,16 @@ upstream docker-registry { server registry:5000; } +## Set a variable to help us decide if we need to add the +## 'Docker-Distribution-Api-Version' header. +## The registry always sets this header. +## In the case of nginx performing auth, the header will be unset +## since nginx is auth-ing before proxying. +map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { + 'registry/2.0' ''; + default registry/2.0; +} + server { listen 443 ssl; server_name myregistrydomain.com; @@ -77,7 +87,7 @@ server { ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate_key /etc/nginx/conf.d/domain.key; - # Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; @@ -96,10 +106,13 @@ server { return 404; } - # To add basic authentication to v2 use auth_basic setting plus add_header + # To add basic authentication to v2 use auth_basic setting. auth_basic "Registry realm"; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; - add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; + + ## If $docker_distribution_api_version is empty, the header will not be added. + ## See the map directive above where this variable is defined. + add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; proxy_pass http://docker-registry; proxy_set_header Host \$http_host; # required for docker client's sake