
@0x3333
Created March 11, 2020 14:56

Revisions

  1. 0x3333 created this gist Mar 11, 2020.
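--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,87 @@
+server {
+listen 80;
+server_name docker.yourdomain.com;
+
+return 301 https://$server_name$request_uri;
+}
+
+
+upstream registry {
+server 192.168.3.10:5000;
+}
+
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header is unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+'' 'registry/2.0';
+}
+
+server {
+listen 443 ssl http2;
+server_name docker.yourdomain.com;
+
+include include.d/00-ssl-yourdomain.com.conf;
+include include.d/10-ssl.conf;
+
+add_header Strict-Transport-Security max-age=31536000;
+
+# disable any limits to avoid HTTP 413 for large image uploads
+client_max_body_size 0;
+
+# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+chunked_transfer_encoding on;
+
+# Enable basic authentication
+auth_basic "Docker Registry's Area";
+auth_basic_user_file /var/lib/docker/volumes/v_registry/_data/passfile;
+
+location /health {
+allow all;
+access_log off;
+return 200 'OK';
+}
+
+# Registry passthrough
+location ~ /v2.* {
+# Do not allow connections from docker 1.5 and earlier
+# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+return 404;
+}
+
+# Disable push, except for ALLOW_USER_NAME
+if ( $request_method ~ ^(POST|PUT|PATCH|DELETE)$ ) {
+set $REGISTRY_WRITE_BLOCK_1 "1";
+}
+set $REGISTRY_WRITE_BLOCK_2 "1";
+if ( $remote_user = "ALLOW_USER_NAME" ) {
+set $REGISTRY_WRITE_BLOCK_2 "0";
+}
+if ( $REGISTRY_WRITE_BLOCK_1 = $REGISTRY_WRITE_BLOCK_2 ) {
+add_header 'Content-Type' 'application/json charset=UTF-8';
+return 401 '{"errors": [{"code": "UNAUTHORIZED", "message": "Access Denied!", "detail": "Your user doesn\'t have write permission." }]}';
+}
+
+## If $docker_distribution_api_version is empty, the header is not added.
+## See the map directive above where this variable is defined.
+add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+# kill cache
+add_header Last-Modified $date_gmt;
+add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+if_modified_since off;
+expires off;
+etag off;
+
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_read_timeout 900;
+proxy_pass http://registry;
+}
+
+}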
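Review bot: The `Strict-Transport-Security` header set at server level is not emitted on registry responses, because nginx only inherits `add_header` from the enclosing level when the current level declares none, and the `location ~ /v2.*` block declares its own (`Docker-Distribution-Api-Version`, `Last-Modified`, `Cache-Control`); the `if` block that returns 401 declares its own `add_header` too, so that response carries neither HSTS nor the api-version header. Repeat `add_header Strict-Transport-Security max-age=31536000;` inside the location and inside that `if` block, or move the shared headers into an included snippet referenced at both levels. In the same `if` block, `add_header 'Content-Type' ...` does not set the type of a `return` body and the value is missing the `;` before `charset=UTF-8`; `default_type 'application/json; charset=UTF-8';` is the directive that does. Note also that `/health` inherits `auth_basic` from the server block and `allow all;` only affects the IP access module, so if the health endpoint is meant to be unauthenticated it needs `auth_basic off;`.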