# Docker registry proxy for api versions 1 and 2 upstream docker-registry { server registryv1:5000; } upstream docker-registry-v2 { server registryv2:5000; } # No client auth or TLS server { listen 5000; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { return 404; } include docker-registry-v2.conf; } location / { include docker-registry.conf; } } # No client auth or TLS (V1 Only) server { listen 5001; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location / { include docker-registry.conf; } } # No client auth or TLS (V2 Only) server { listen 5002; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location / { include docker-registry-v2.conf; } } # TLS Configuration chart # Username/Password: testuser/passpassword # | ca | client | basic | notes # 5440 | yes | no | no | Tests CA certificate # 5441 | yes | no | yes | Tests basic auth over TLS # 5442 | yes | yes | no | Tests client auth with client CA # 5443 | yes | yes | no | Tests client auth without client CA # 5444 | yes | yes | yes | Tests using basic auth + tls auth # 5445 | no | no | no | Tests insecure using TLS # 5446 | no | no | yes | Tests sending credentials to server with insecure TLS # 5447 | no | yes | no | Tests client auth to insecure # 5448 | yes | no | no | Bad SSL version server { listen 5440; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { include docker-registry-v2.conf; } location / { include docker-registry.conf; } } server { listen 5441; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; include docker-registry-v2.conf; } location / { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; include docker-registry.conf; } } server { listen 5442; listen 5443; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem; ssl_verify_client on; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { include docker-registry-v2.conf; } location / { include docker-registry.conf; } } server { listen 5444; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem; ssl_verify_client on; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; include docker-registry-v2.conf; } location / { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; include docker-registry.conf; } } server { listen 5445; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { include docker-registry-v2.conf; } location / { include docker-registry.conf; } } server { listen 5446; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; include docker-registry-v2.conf; } location / { auth_basic "registry.localhost"; auth_basic_user_file test.passwd; include docker-registry.conf; } } server { listen 5447; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem; ssl_verify_client on; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { include docker-registry-v2.conf; } location / { include docker-registry.conf; } } server { listen 5448; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem; ssl_protocols SSLv3; client_max_body_size 0; chunked_transfer_encoding on; location /v2/ { include docker-registry-v2.conf; } location / { include docker-registry.conf; } }