Linux7-docker Private Warehouse Nginx Key Verification

Source: Internet
Author: User
Tags: openssl, sessions, docker run

This is a method used in enterprises to build a Docker private registry:
improve security with Nginx and CA key-pair validation, and
make sure data is not lost by giving the registry container external storage.
First install Docker and the packages Nginx needs (SSL key verification, etc.).
Docker is installed with yum.
The Nginx dependencies (SSL support and so on) are also installed with yum; the related packages are:
yum -y install pcre-devel zlib-devel openssl openssl-devel
The key pair needs the domain name to resolve for verification, so name resolution is required; rather than setting up DNS, modify the hosts file directly:
vim /etc/hosts
192.168.1.0 www.gao.com
Done.
-------------------------------------------------------------- key generation
cd /etc/pki/CA
openssl genrsa -out private/cakey.pem 2048                        # the local CA's private key
openssl req -new -x509 -key private/cakey.pem -out cacert.pem     # the CA certificate
Create a certificate for Nginx:
mkdir ssl
cd ssl
openssl genrsa -out nginx.key 2048
openssl req -new -key nginx.key -out nginx.csr                    # certificate signing request
Create two empty files that record the issued certificates:
touch /etc/pki/CA/index.txt      created in the CA directory!
touch serial                     created in the CA directory!
echo 01 > serial                 # initial serial number; openssl ca refuses an empty file
-------------------------------------------------------------- keys are OK
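The steps above stop at the CSR, yet the nginx configuration later points at /etc/pki/CA/ssl/nginx.crt. The following is an added example, not from the original post: a POSIX shell script that carries the CA and server-certificate generation through to a signed nginx.crt and then verifies the chain and host name the way a Docker client does. It assumes openssl is on PATH, takes the host name docker.benet.com from the nginx config, writes under a scratch WORKDIR instead of /etc/pki/CA, and signs with openssl x509 -req plus an extfile (a hypothetical substitute for the post's openssl ca setup) so that nothing depends on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not the original post's commands): a private CA and a server
# certificate for the registry host, verified the way Docker verifies it once
# the CA is dropped into /etc/docker/certs.d/<host>/.
# Assumptions: openssl is on PATH; HOST is the registry name from the nginx
# config; WORKDIR stands in for /etc/pki/CA so this can run in a scratch dir.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-docker.benet.com}"

build_registry_pki() {
    d="$WORKDIR"
    mkdir -p "$d/private" "$d/ssl" || return 1
    # 1. CA key and self-signed CA cert. CA:TRUE + keyCertSign are what let
    #    clients accept it as a trust anchor that may issue other certs.
    openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/private/cakey.pem" -out "$d/ca.csr" \
        -subj "/CN=Private Registry CA" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/private/cakey.pem" -days 3650 \
        -sha256 -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null || return 1
    # 2. Nginx key and CSR, exactly as in the post.
    openssl genrsa -out "$d/ssl/nginx.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/ssl/nginx.key" -out "$d/ssl/nginx.csr" \
        -subj "/CN=$HOST" || return 1
    # 3. Sign the CSR. The post prepares index.txt/serial for "openssl ca";
    #    "openssl x509 -req" with an extfile is used instead so nothing depends
    #    on the system openssl.cnf. The SAN is the part that matters: Go-based
    #    clients such as Docker match the host name against it, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$HOST" > "$d/ssl/server.ext"
    openssl x509 -req -in "$d/ssl/nginx.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/private/cakey.pem" -CAcreateserial -days 825 -sha256 \
        -extfile "$d/ssl/server.ext" -out "$d/ssl/nginx.crt" 2>/dev/null || return 1
    chmod 600 "$d/private/cakey.pem" "$d/ssl/nginx.key"   # keys stay private
}

# Succeeds only if nginx.crt chains to cacert.pem and names HOST in its SAN,
# the two checks a client makes before trusting the registry endpoint.
verify_registry_cert() {
    d="$WORKDIR"
    openssl verify -CAfile "$d/cacert.pem" "$d/ssl/nginx.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/ssl/nginx.crt" -noout -text | grep -q "DNS:$HOST"
}

if [ "${1:-}" = "run" ]; then
    build_registry_pki && verify_registry_cert && echo "chain OK for $HOST in $WORKDIR"
fi
```

Run it as `sh build_pki.sh run` and copy cacert.pem to /etc/docker/certs.d/docker.benet.com/ and the ssl/ pair to the paths the nginx config expects.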
Start installing nginx ---------------------------------------
groupadd www
useradd -u 58 -g www www
Unpack nginx, go into the source directory and configure the installation:
./configure

--user=user   sets the user the program runs as (www)

--group=group sets the group the program runs as (www)

--prefix=path sets the installation directory

--with-pcre   enables the PCRE library; the Nginx rewrite module and HTTP core module use PCRE regular expressions

--with-http_stub_status_module enables Nginx's stub_status function, used to monitor the current state of Nginx

--with-http_ssl_module enables the SSL module, so pages can be served over HTTPS

--with-http_realip_module enables real-IP support, which reads the client's real IP address from the headers of the request

--with-http_addition_module enables the addition module, which lets you append or prepend data to the response body

--with-http_flv_module: the ngx_http_flv_module module provides server-side pseudo-streaming support for Flash Video (FLV) files
Then edit the nginx main configuration file; this block can be copied in directly (nginx directives are case-sensitive and must stay lowercase):
user www;
worker_processes 4;

events {
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    upstream registry {
        server 192.168.1.107:5000;
    }

    server {
        listen 443 ssl;
        server_name docker.benet.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://registry;
            client_max_body_size 3000m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

What the relevant options mean:

ssl_session_cache configures the session cache that holds SSL sessions; the cache is shared between worker processes. A 1 MB cache holds approximately 4,000 sessions.

ssl_session_timeout is the cache timeout; the default is 5 minutes.

ssl_ciphers HIGH:!aNULL:!MD5 uses high-strength cipher suites, excluding unauthenticated (anonymous) suites and MD5.

ssl_prefer_server_ciphers on: for the SSLv3 and TLSv1 protocols, the server's cipher preference takes precedence over the client's. That is, when a cipher is chosen in the SSLv3 or TLSv1 handshake, the client's preference is normally used; if this directive is enabled, the server's preference is used instead.

client_max_body_size is the maximum size of an uploaded file (request body).

Description of what proxy_set_header Host $host and proxy_set_header X-Forwarded-For $remote_addr do:

Nginx provides the ngx_http_proxy_module module to meet reverse-proxy needs. proxy_set_header is a directive this module reads from the configuration file. Here, every value that is set has exactly the same meaning as in the HTTP request, with the exception of Host and X-Forwarded-For.

Host indicates the host name of the request. Because Nginx is used as a reverse proxy, if the backend real server has something like hotlink protection, or routes or makes decisions based on the Host field of the HTTP request header, and nginx at the reverse-proxy layer does not rewrite the Host field in the request header, the request will fail. ("By default, in the request the reverse proxy server sends on to the real server, the Host field of the request header is the server set by the proxy_pass directive.")

Similarly, the X-Forwarded-For field indicates who initiated this HTTP request. If the reverse proxy server does not rewrite the request header, the backend real server will treat every request as coming from the reverse proxy server, and if the backend has an anti-attack policy, that machine gets blocked. Therefore, when nginx is configured as a reverse proxy, these two settings are usually added to modify the HTTP request header:

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $remote_addr;

Here $host and $remote_addr are variables exported by nginx and can be used directly in the configuration file.
/opt/nginx/sbin/nginx      start the service

----------------------------------------------------------------------------- nginx complete -----------------------------------------------------------------------------
Open a Docker private registry: edit /etc/sysconfig/docke

DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"      add this line

Copy the root certificate into the /etc/docker/certs.d/docker.benet.com/ directory:

mkdir -p /etc/docker/certs.d/docker.benet.com

cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt

The official private registry is simply the registry image, pulled directly.
Create a directory on the host for the private-registry container to store its persistent images.
Start the container from the image:
docker run -d -p 5000:5000 -v /gao:/tmp/registry docker.io/registry:latest
-p maps local port 5000 to container port 5000; -v maps the local directory into the container so that data is not lost.
Open https://<your own domain name> in a browser; if "\"docker-registry server\"" appears, it is working.
The HTTPS port is 443/TCP; remember to open an exception for it in the firewall.
----------------------------------------------------------------------------- Docker client configuration
First, point the hosts file at the Docker server's IP.
If opening https://<the registry's domain name> succeeds, that is enough.
Install docker yourself.
Then create an image.
Image name format:
docker.gao.com/gao:gao1
i.e. registry domain/repository name (your choice):image tag (your choice)
docker tag <existing image> <custom image name>
Copy the Docker public key (the CA certificate)
and import it as /etc/pki/tls/certs/ca-certificates.crt; the file name must be the same.
Create a private registry account.
docker login https://<domain name>
docker push      upload
docker pull      download


This article is from the "11627223" blog; please be sure to keep this source: http://11637223.blog.51cto.com/11627223/1909517
