forked from TrueCloudLab/distribution
Merge pull request #1095 from mrwacky42/api-version-annotated
Add annotated example for adding header; +spelling
This commit is contained in:
commit
a266f99418
1 changed files with 19 additions and 6 deletions
|
@ -23,9 +23,9 @@ If you just want authentication for your registry, and are happy maintaining use
|
|||
|
||||
With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.
|
||||
|
||||
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the exemple.
|
||||
While we use a simple htpasswd file as an example, any other nginx authentication backend should be fairly easy to implement once you are done with the example.
|
||||
|
||||
We also implement push restriction (to a limited user group) for the sake of the exemple. Again, you should modify this to fit your mileage.
|
||||
We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your mileage.
|
||||
|
||||
### Gotchas
|
||||
|
||||
|
@ -49,7 +49,7 @@ X-Forwarded-For $proxy_add_x_forwarded_for;
|
|||
X-Forwarded-Proto $scheme;
|
||||
```
|
||||
|
||||
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more informations, see [#970](https://github.com/docker/distribution/issues/970).
|
||||
Otherwise nginx will reset the ELB's values, and the requests will not be routed properly. For more information, see [#970](https://github.com/docker/distribution/issues/970).
|
||||
|
||||
## Setting things up
|
||||
|
||||
|
@ -69,6 +69,16 @@ upstream docker-registry {
|
|||
server registry:5000;
|
||||
}
|
||||
|
||||
## Set a variable to help us decide if we need to add the
|
||||
## 'Docker-Distribution-Api-Version' header.
|
||||
## The registry always sets this header.
|
||||
## In the case of nginx performing auth, the header will be unset
|
||||
## since nginx is auth-ing before proxying.
|
||||
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
|
||||
'registry/2.0' '';
|
||||
default registry/2.0;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name myregistrydomain.com;
|
||||
|
@ -77,7 +87,7 @@ server {
|
|||
ssl_certificate /etc/nginx/conf.d/domain.crt;
|
||||
ssl_certificate_key /etc/nginx/conf.d/domain.key;
|
||||
|
||||
# Recommandations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
@ -96,10 +106,13 @@ server {
|
|||
return 404;
|
||||
}
|
||||
|
||||
# To add basic authentication to v2 use auth_basic setting plus add_header
|
||||
# To add basic authentication to v2 use auth_basic setting.
|
||||
auth_basic "Registry realm";
|
||||
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
|
||||
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
|
||||
|
||||
## If $docker_distribution_api_version is empty, the header will not be added.
|
||||
## See the map directive above where this variable is defined.
|
||||
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
|
||||
|
||||
proxy_pass http://docker-registry;
|
||||
proxy_set_header Host \$http_host; # required for docker client's sake
|
||||
|
|
Loading…
Reference in a new issue