# Docker registry proxy for api versions 1 and 2 upstream docker-registry { server registryv1:5000; } upstream docker-registry-v2 { server registryv2:5000; } # No client auth or TLS server { listen 5000; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { return 404; } include docker-registry-v2.conf; } location / { include docker-registry.conf; } } # No client auth or TLS (V1 Only) server { listen 5001; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location / { include docker-registry.conf; } } # No client auth or TLS (V2 Only) server { listen 5002; server_name localhost; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location / { include docker-registry-v2.conf; } } # TLS localhost (V1 Only) server { listen 5011; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location / { include docker-registry.conf; } } # TLS localregistry (V1 Only) server { listen 5011; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; client_max_body_size 0; chunked_transfer_encoding on; location / { include docker-registry.conf; } } # TLS Configuration chart # Username/Password: testuser/passpassword # | ca | client | basic | notes # 5440 | yes | no | no | Tests CA certificate # 5441 | yes | no | yes | Tests basic auth over TLS # 5442 | yes | yes | no | Tests client auth with client CA # 5443 | yes | yes | no | Tests client auth without client CA # 5444 | yes | yes | yes | Tests using basic auth + tls auth # 5445 | no | no | no | Tests insecure using TLS # 5446 | no | no | yes | Tests sending credentials to server with insecure TLS # 5447 | no | yes | no | Tests client auth to insecure # 5448 | yes | no | no | Bad SSL version server { listen 5440; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; include registry-noauth.conf; } server { listen 5441; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; include registry-basic.conf; } server { listen 5442; listen 5443; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-noauth.conf; } server { listen 5444; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-basic.conf; } server { listen 5445; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; include registry-noauth.conf; } server { listen 5446; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; include registry-basic.conf; } server { listen 5447; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-noauth.conf; } server { listen 5448; server_name localhost; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; ssl_protocols SSLv3; include registry-noauth.conf; } # Add configuration for localregistry server_name # Requires configuring /etc/hosts to use # Set /etc/hosts entry to external IP, not 127.0.0.1 for testing # Docker secure/insecure registry features server { listen 5440; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; include registry-noauth.conf; } server { listen 5441; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; include registry-basic.conf; } server { listen 5442; listen 5443; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-noauth.conf; } server { listen 5444; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-basic.conf; } server { listen 5445; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; include registry-noauth.conf; } server { listen 5446; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; include registry-basic.conf; } server { listen 5447; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; ssl_verify_client on; include registry-noauth.conf; } server { listen 5448; server_name localregistry; ssl on; ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; ssl_protocols SSLv3; include registry-noauth.conf; }