Environment Preparation:
Docker version: 1.9.1
Registry version: 2.2.1
This blog has already published an article on Nginx authentication for a self-hosted registry, but that setup does not work with the new registry v2 API, so this article supplements it.
First, create the directories and files

(1) Directory structure

.
├── auth
│   ├── domain.crt
│   ├── domain.key
│   ├── nginx.conf
│   └── nginx.htpasswd
└── data

auth holds everything nginx needs (certificate, key, config, password file) and is mounted into the nginx container; data is the registry's storage and is mounted into the registry container.

mkdir -p auth
mkdir -p data
openssl req -newkey rsa:4096 -nodes -sha256 -keyout auth/domain.key -x509 -days 365 -out auth/domain.crt

This produces a self-signed certificate valid for one year. -nodes writes the private key unencrypted, so keep auth/domain.key readable only by root. The Common Name must be the hostname the docker client will use (registry.test.com here), otherwise TLS verification fails.
For example, the interactive prompts went as follows (the country code for China is CN; ch is Switzerland, which is harmless for a self-signed test certificate):

Country Name (2 letter code) [AU]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [AU]:ch
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (e.g. server FQDN or YOUR name) []:registry.test.com
Email Address []:[email protected]
(2) Generate the nginx configuration file

The heredoc is unquoted, so every nginx variable is written as \$... to keep the shell from expanding it. listen 443 ssl already enables TLS; do not add the old ssl on; directive, which recent nginx releases reject (and nginx:latest pulls a recent release). TLSv1.1 is kept only for old docker hosts; drop it once every client speaks TLS 1.2. Basic auth is applied to /v2/ only, which is the whole registry API.

cat <<EOF > auth/nginx.conf
upstream docker-registry {
  server registry:5000;
}

server {
  listen 443 ssl default_server;
  # must match the certificate's Common Name and the name docker clients use
  server_name registry.test.com;

  # SSL
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting.
    auth_basic "Registry realm";
    auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

    ## The registry sets this header itself, but nginx answers the 401
    ## challenge before proxying, so it must be added here as well; without
    ## it the docker client does not recognise the endpoint as a v2 registry.
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              \$http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto \$scheme;
    proxy_read_timeout                  900;
  }
}
EOF
(3) Create the login user file

htpasswd -cb auth/nginx.htpasswd admin admin

htpasswd comes with the Apache httpd tools (apache2-utils on Debian/Ubuntu, httpd-tools on CentOS). -c creates the file, so leave it out when adding further users or the existing entries are overwritten. -b takes the password from the command line, which leaves it in shell history and visible in the process list; omit it to be prompted instead. Do not use admin/admin outside a test.
(4) Start with docker-compose

This is the v1 compose format (top-level services, links instead of a shared network), which is what the docker-compose of this era expects.

cat <<EOF > docker-compose.yml
nginx:
  image: "nginx:latest"
  ports:
    - 443:443
  restart: always
  links:
    - registry:registry
  volumes:
    - $(pwd)/auth/:/etc/nginx/conf.d
registry:
  image: registry:2.2.1
  ports:
    - 127.0.0.1:5000:5000
  restart: always
  volumes:
    - $(pwd)/data:/var/lib/registry
EOF

Only nginx is published on the network (443). nginx reaches the registry through the link as registry:5000, and the registry itself is published on the host loopback only, so it is not reachable from other machines. Anything running on the host can still talk to 127.0.0.1:5000 without authentication, so drop the registry's ports entry entirely if you have no need for local unauthenticated access.
Start command:

docker-compose up -d

(5) Verify

Request the API root with the credentials (-k skips certificate verification because the certificate is self-signed; an anonymous request to the same URL must get 401 with a WWW-Authenticate: Basic challenge):

curl -i -k -v https://admin:admin@registry.test.com/v2/

Log in with the docker client. The docker daemon does not have a -k switch, so first copy the certificate into its trust directory for this host (mkdir -p /etc/docker/certs.d/registry.test.com && cp auth/domain.crt /etc/docker/certs.d/registry.test.com/ca.crt), otherwise the login fails with a certificate error:

docker login registry.test.com

View the repositories that have been pushed:

curl -i -k -v https://admin:admin@registry.test.com/v2/_catalog
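The steps above have two failure modes that are easy to miss: nginx enforcing auth but not sending the Docker-Distribution-Api-Version header (docker login then does not treat the endpoint as a v2 registry), and the registry container being reachable past nginx (no auth at all). The following POSIX shell script, an added example and not part of the original post, classifies a /v2/ response by status code, WWW-Authenticate challenge and that header, and uses it to probe a live deployment. It assumes the article's host registry.test.com and user admin/admin (overridable as arguments); the function names classify_v2_response, check and check_registry and the SAMPLE_* header blobs are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the nginx front end
# really enforces Basic auth and still looks like a v2 registry to the docker
# client. Assumes the article's host registry.test.com and user admin/admin.
set -u

# classify_v2_response HEADERS
# HEADERS is raw response-header text as printed by `curl -sSk -I URL`.
# Prints one of: v2-auth-required, v2-ok, not-v2, or the bare status code.
# Returns 0 only for the two acceptable outcomes.
classify_v2_response() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p')
  api=$(printf '%s\n' "$hdrs" | grep -i '^docker-distribution-api-version:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  www=$(printf '%s\n' "$hdrs" | grep -i '^www-authenticate:' | head -n 1)
  # Without this header the docker client does not treat the endpoint as v2;
  # that is exactly what happens when the add_header line is missing.
  if [ "$api" != "registry/2.0" ]; then
    echo not-v2; return 1
  fi
  case "$status" in
    401) case "$www" in
           *Basic*) echo v2-auth-required; return 0 ;;
           *)       echo 401-without-basic-challenge; return 1 ;;
         esac ;;
    200) echo v2-ok; return 0 ;;
    *)   echo "${status:-no-status}"; return 1 ;;
  esac
}

# check LABEL HEADERS WANTED: compares the classification with WANTED.
check() {
  got=$(classify_v2_response "$2") || true
  if [ "$got" = "$3" ]; then
    echo "PASS $1: $got"
  else
    echo "FAIL $1: got '$got', wanted '$3'"
    return 1
  fi
}

# check_registry [HOST [USER [PASS]]]: probes a live deployment.
check_registry() {
  host=${1:-registry.test.com}; user=${2:-admin}; pass=${3:-admin}
  # -k only because the article's certificate is self-signed.
  check "anonymous /v2/"     "$(curl -sSk -I "https://$host/v2/")" v2-auth-required || return 1
  check "authenticated /v2/" "$(curl -sSk -I -u "$user:$pass" "https://$host/v2/")" v2-ok || return 1
  # The registry container must not answer past nginx. The compose file
  # publishes it on 127.0.0.1 only, so from another machine this must fail.
  if curl -s -m 3 -o /dev/null "http://$host:5000/v2/"; then
    echo "FAIL registry port 5000 answers directly (auth bypass)"; return 1
  fi
  echo "PASS registry port 5000 not reachable"
}

# Constructed response headers (not captured from a real host), in the shape
# that `curl -sSk -I https://registry.test.com/v2/` prints.
# nginx with auth_basic and the add_header line: what the docker client needs.
SAMPLE_ANON=$(printf 'HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\nWWW-Authenticate: Basic realm="Registry realm"\r\nDocker-Distribution-Api-Version: registry/2.0\r\nContent-Type: text/html\r\n\r\n')
# The same endpoint with valid credentials.
SAMPLE_AUTH=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/json; charset=utf-8\r\nDocker-Distribution-Api-Version: registry/2.0\r\nContent-Length: 2\r\n\r\n')
# add_header forgotten: auth is enforced, but docker will not see a v2 registry.
SAMPLE_NO_HEADER=$(printf 'HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\nWWW-Authenticate: Basic realm="Registry realm"\r\n\r\n')
# The registry container answering directly, i.e. nginx was bypassed.
SAMPLE_BYPASS=$(printf 'HTTP/1.1 200 OK\r\nDocker-Distribution-Api-Version: registry/2.0\r\nContent-Type: application/json; charset=utf-8\r\n\r\n')

if [ $# -gt 0 ]; then
  check_registry "$@"
else
  # Offline demonstration against the constructed samples.
  echo "anonymous, nginx in front:  $(classify_v2_response "$SAMPLE_ANON")"       # v2-auth-required
  echo "authenticated:              $(classify_v2_response "$SAMPLE_AUTH")"       # v2-ok
  echo "add_header missing:         $(classify_v2_response "$SAMPLE_NO_HEADER")"  # not-v2
  echo "anonymous, nginx bypassed:  $(classify_v2_response "$SAMPLE_BYPASS")"     # v2-ok, which an anonymous probe must never get
fi
```

Run it with no arguments to see the four classifications, or as `sh check.sh registry.test.com admin admin` from a machine other than the docker host to probe the deployment; the third probe is only meaningful from outside, since on the host itself 127.0.0.1:5000 is reachable by design.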
This article comes from the "TNT, Yun-Dimensional Road" blog; please keep this source when reproducing it: http://tntdba.blog.51cto.com/1199791/1732696
Docker Registry v2 Nginx secure access control