Add annotated example for adding header; +spelling

This adds a variable to help nginx add the
Docker-Distribution-Api-Version when using basic auth, and not add the
header when it sees it from the upstream.

Also fix some minor spelling/grammar issues.

Signed-off-by: Sharif Nassar <sharif@mrwacky.com>
This commit is contained in:
Sharif Nassar 2015-10-14 15:15:21 -07:00
parent 89bedf1e7f
commit 0249cc9cb2

View file

@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use
With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry. With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple. While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.
We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage. We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
### Gotchas ### Gotchas
@ -49,7 +49,7 @@ X-Forwarded-For $proxy_add_x_forwarded_for;
X-Forwarded-Proto $scheme; X-Forwarded-Proto $scheme;
``` ```
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970). Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).
## Setting things up ## Setting things up
@ -69,6 +69,16 @@ upstream docker-registry {
server registry:5000; server registry:5000;
} }
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'registry/2.0' '';
default registry/2.0;
}
server { server {
listen 443 ssl; listen 443 ssl;
server_name myregistrydomain.com; server_name myregistrydomain.com;
@ -77,7 +87,7 @@ server {
ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key; ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
@ -96,10 +106,13 @@ server {
return 404; return 404;
} }
# To add basic authentication to v2 use auth_basic setting plus add_header # To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm"; auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry; proxy_pass http://docker-registry;
proxy_set_header Host \$http_host; # required for docker client's sake proxy_set_header Host \$http_host; # required for docker client's sake