forked from TrueCloudLab/distribution
fc07e0380e
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
260 lines
7.3 KiB
Text
260 lines
7.3 KiB
Text
# Docker registry proxy for api version 2
|
|
|
|
upstream docker-registry-v2 {
|
|
server registryv2:5000;
|
|
}
|
|
|
|
# No client auth or TLS
|
|
server {
|
|
listen 5000;
|
|
server_name localhost;
|
|
|
|
# disable any limits to avoid HTTP 413 for large image uploads
|
|
client_max_body_size 0;
|
|
|
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
chunked_transfer_encoding on;
|
|
|
|
location /v2/ {
|
|
# Do not allow connections from docker 1.5 and earlier
|
|
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
|
|
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
|
|
return 404;
|
|
}
|
|
|
|
include docker-registry-v2.conf;
|
|
}
|
|
}
|
|
|
|
# No client auth or TLS (V2 Only)
|
|
server {
|
|
listen 5002;
|
|
server_name localhost;
|
|
|
|
# disable any limits to avoid HTTP 413 for large image uploads
|
|
client_max_body_size 0;
|
|
|
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
chunked_transfer_encoding on;
|
|
|
|
location / {
|
|
include docker-registry-v2.conf;
|
|
}
|
|
}
|
|
|
|
# TLS Configuration chart
|
|
# Username/Password: testuser/passpassword
|
|
# | ca | client | basic | notes
|
|
# 5440 | yes | no | no | Tests CA certificate
|
|
# 5441 | yes | no | yes | Tests basic auth over TLS
|
|
# 5442 | yes | yes | no | Tests client auth with client CA
|
|
# 5443 | yes | yes | no | Tests client auth without client CA
|
|
# 5444 | yes | yes | yes | Tests using basic auth + tls auth
|
|
# 5445 | no | no | no | Tests insecure using TLS
|
|
# 5446 | no | no | yes | Tests sending credentials to server with insecure TLS
|
|
# 5447 | no | yes | no | Tests client auth to insecure
|
|
# 5448 | yes | no | no | Bad SSL version
|
|
|
|
server {
|
|
listen 5440;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5441;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5442;
|
|
listen 5443;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5444;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5445;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5446;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5447;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5448;
|
|
server_name localhost;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
|
|
ssl_protocols SSLv3;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
# Add configuration for localregistry server_name
|
|
# Requires configuring /etc/hosts to use
|
|
# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
|
|
# Docker secure/insecure registry features
|
|
server {
|
|
listen 5440;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5441;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5442;
|
|
listen 5443;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5444;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5445;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5446;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
|
|
include registry-basic.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5447;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
|
|
ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
|
|
ssl_verify_client on;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
server {
|
|
listen 5448;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
ssl_protocols SSLv3;
|
|
include registry-noauth.conf;
|
|
}
|
|
|
|
|
|
# V1 search test
|
|
# Registry configured with token auth and no tls
|
|
# TLS termination done by nginx, search results
|
|
# served by nginx
|
|
|
|
upstream docker-registry-v2-oauth {
|
|
server registryv2tokenoauthnotls:5000;
|
|
}
|
|
|
|
server {
|
|
listen 5600;
|
|
server_name localregistry;
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
|
|
|
root /var/www/html;
|
|
|
|
client_max_body_size 0;
|
|
chunked_transfer_encoding on;
|
|
location /v2/ {
|
|
proxy_buffering off;
|
|
proxy_pass http://docker-registry-v2-oauth;
|
|
proxy_set_header Host $http_host; # required for docker client's sake
|
|
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 900;
|
|
}
|
|
|
|
location /v1/search {
|
|
if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
|
|
return 401;
|
|
}
|
|
try_files /v1/search.json =404;
|
|
add_header Content-Type application/json;
|
|
}
|
|
}
|