目录
1. Docker Registry v2的认证模式
2.配置Nginx代理
# Install nginx; it is used below as the reverse proxy in front of the registry.
$ sudo apt-get -y install nginx
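# Local registry backend. The registry itself listens on port 5000; clients are
# meant to reach it only through the proxy defined below.
upstream docker-registry {
    server localhost:5000;
}

# Reverse proxy that clients talk to, listening on port 15000.
server {
    # TLS is switched on via the listen directive; the standalone "ssl on;"
    # directive is obsolete and has been removed from newer nginx releases.
    listen 15000 ssl;
    server_name private-registry-server.com;

    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    # Certificate and private key for server_name. Keep TLS enabled whenever
    # HTTP basic auth is used: the credentials are only base64-encoded on the wire.
    ssl_certificate /etc/ssl/certs/myrepo.crt;
    ssl_certificate_key /etc/ssl/private/myrepo.key;

    # Variables are written as plain "$name" in the config file. A backslash
    # before "$" is only needed when this text is emitted from an unquoted shell
    # here-document; left in the file it corrupts the header values.
    proxy_set_header Host $http_host;          # required for docker client's sake
    proxy_set_header X-Real-IP $remote_addr;   # pass on real client's IP
    # Appends the peer address to whatever X-Forwarded-For the client sent, so
    # the earlier entries are client-controlled and must not be trusted.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 600;

    # Disable the body size limit to avoid HTTP 413 for large image uploads.
    # With no limit, pushes should only be accepted from authenticated clients.
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
        # Reject old Docker clients.
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }

        # Forward the request to the registry. proxy_pass is only valid inside a
        # location block, so it is not repeated at server level.
        proxy_pass http://docker-registry;
    }
}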
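# Enable the site by linking it into sites-enabled (the directory name has a hyphen).
$ sudo ln -s /etc/nginx/sites-available/docker-registry.conf /etc/nginx/sites-enabled/docker-registry.conf
# Validate the configuration first so a syntax error does not take the proxy down.
$ sudo nginx -t
$ sudo service nginx restart
# Smoke test through the proxy. At this stage the proxy has no authentication, so
# anyone who can reach port 15000 can push; add the auth step before exposing it.
$ docker tag ubuntu:14.04 127.0.0.1:15000/ubuntu:latest
$ docker push 127.0.0.1:15000/ubuntu:latest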
3.添加用户认证
...
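location / {
    # NOTE(review): nginx serves a request from the most specific matching
    # location, and auth_basic set here does not apply to a sibling block. If the
    # "location /v2/" block from the proxy config is kept, put these two
    # directives there (or at server level); otherwise registry API requests
    # skip the password check.
    auth_basic "Please Input username/password";
    # Absolute path to the file created with htpasswd, so the lookup does not
    # depend on the nginx configuration prefix.
    auth_basic_user_file /etc/nginx/docker-registry-htpasswd;
    proxy_pass http://docker-registry;
}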
...
...
user1:password1
user2:password2
...
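# apache2-utils provides the htpasswd tool.
$ sudo apt-get -y install apache2-utils
# -c creates the file and overwrites an existing one, so use it for the first
# user only. The file holds password hashes, not plaintext; keep it readable only
# by root and the nginx worker user. If the same file is later given to the
# registry's own htpasswd auth, create the entries with -B (bcrypt).
$ sudo htpasswd -c /etc/nginx/docker-registry-htpasswd user1
New password:
Re-type new password:
Adding password for user user1
$ sudo service nginx restart
# -u with only a user name makes curl prompt for the password, which keeps it out
# of shell history and the process list. Use https and the certificate's host
# name; for a self-signed certificate pass the CA file with --cacert instead of
# turning verification off.
$ curl -u USERNAME https://private-registry-server.com:15000/v2/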
# Registry-native basic auth, passed to the registry container as environment
# variables (an alternative to doing the password check in nginx).
# NOTE(review): the registry's htpasswd backend accepts only bcrypt entries
# (created with htpasswd -B), and basic auth should only be offered over TLS.
REGISTRY_AUTH: htpasswd
# Path of the htpasswd file as seen inside the container.
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
# Realm string presented to clients in the authentication challenge.
REGISTRY_AUTH_HTPASSWD_REALM: basic
4.用Compose启动Registry
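# Compose definition for a registry that terminates TLS and enforces basic auth
# itself. Indentation is significant in YAML; the nesting below is required.
registry:
  restart: always
  # NOTE(review): registry:2.1 is the tag used on this page; check for a
  # maintained release before deploying.
  image: registry:2.1
  ports:
    # Published on every host interface. That is acceptable here only because
    # this registry does its own TLS and auth; when it sits behind the nginx
    # proxy instead, publish it as "127.0.0.1:5000:5000" so the proxy cannot be
    # bypassed.
    - "5000:5000"
  environment:
    # Certificate and key paths inside the container (see the /certs volume).
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/myrepo.crt
    REGISTRY_HTTP_TLS_KEY: /certs/myrepo.key
    # Native htpasswd auth; the file must contain bcrypt entries (htpasswd -B).
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/docker-registry-htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: basic
  volumes:
    - /path/to/data:/var/lib/registry
    # The registry only reads the key material and the password file, so mount
    # both read-only.
    - /path/to/certs:/certs:ro
    - /path/to/auth:/auth:ro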