| # Docker registry proxy for api version 2 |
| |
| # Backend for the plain-HTTP listeners below (5000, 5002). Hostname resolves |
| # inside the test network only; the hop to it is unencrypted. |
| upstream docker-registry-v2 { |
| server registryv2:5000; |
| } |
| |
| # No client auth or TLS: plaintext HTTP, for the test harness only. Never expose this listener beyond the test network. |
| server { |
| listen 5000; |
| server_name localhost; |
| |
| # disable any limits to avoid HTTP 413 for large image uploads |
| # (no request-size guard at this layer at all; rely on the registry and disk quotas) |
| client_max_body_size 0; |
| |
| # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) |
| chunked_transfer_encoding on; |
| |
| location /v2/ { |
| # Do not allow connections from docker 1.5 and earlier |
| # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents |
| # The negative lookahead spares 1.5.x-dev builds. User-Agent is client-chosen, |
| # so this is a compatibility filter, not an access control. |
| # `if` + `return` is the one form of `if` inside a location nginx documents as safe. |
| if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { |
| return 404; |
| } |
| |
| # Proxy directives live in docker-registry-v2.conf (not shown here). |
| include docker-registry-v2.conf; |
| } |
| } |
| |
| # No client auth or TLS (V2 only): plaintext HTTP with the registry mounted at /, test harness only. |
| server { |
| listen 5002; |
| server_name localhost; |
| |
| # disable any limits to avoid HTTP 413 for large image uploads |
| # (no request-size guard at this layer; rely on the registry and disk quotas) |
| client_max_body_size 0; |
| |
| # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) |
| chunked_transfer_encoding on; |
| |
| # Unlike port 5000, everything (not just /v2/) is proxied and there is no |
| # old-client User-Agent filter. Proxy directives are in docker-registry-v2.conf (not shown). |
| location / { |
| include docker-registry-v2.conf; |
| } |
| } |
| |
| # TLS Configuration chart |
| # Basic-auth test credentials (hard-coded, fixture-only, protect nothing real): testuser/passpassword |
| # | ca | client | basic | notes |
| # 5440 | yes | no | no | Tests CA certificate |
| # 5441 | yes | no | yes | Tests basic auth over TLS |
| # 5442 | yes | yes | no | Tests client auth with client CA |
| # 5443 | yes | yes | no | Tests client auth without client CA (served by the same server block as 5442; the difference is on the client side) |
| # 5444 | yes | yes | yes | Tests using basic auth + tls auth |
| # 5445 | no | no | no | Tests insecure using TLS |
| # 5446 | no | no | yes | Tests sending credentials to server with insecure TLS |
| # 5447 | no | yes | no | Tests client auth to insecure |
| # 5448 | yes | no | no | Bad SSL version |
| |
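| # 5440: TLS with a cert issued by the test CA, no client cert, no basic auth. |
| # First server on this port, so it is also the default for clients sending no SNI. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5440 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; |
| # Unauthenticated proxy rules; contents not shown here. |
| include registry-noauth.conf; |
| } |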
| |
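| # 5441: TLS with a cert issued by the test CA plus HTTP basic auth. |
| # Credentials are only as protected as the TLS channel; here the cert is CA-signed. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5441 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; |
| # Basic-auth proxy rules (testuser/passpassword); contents not shown here. |
| include registry-basic.conf; |
| } |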
| |
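| # 5442 and 5443: mutual TLS. The client must present a cert chaining to the test |
| # CA; otherwise nginx rejects the request (HTTP 400, internally 495/496). Both |
| # ports share this block, so the 5442/5443 distinction lies on the client side. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5442 ssl; |
| listen 5443 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; |
| # Trust anchor for client certs (default ssl_verify_depth of 1 applies). |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| include registry-noauth.conf; |
| } |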
| |
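| # 5444: mutual TLS (client cert chaining to the test CA) AND HTTP basic auth. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5444 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; |
| # Trust anchor for client certs; a missing or untrusted cert yields HTTP 400. |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| # Basic-auth proxy rules; contents not shown here. |
| include registry-basic.conf; |
| } |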
| |
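| # 5445: TLS with a server cert NOT issued by the test CA ("noca"). Exercises |
| # what a client does with an untrusted cert; intentionally insecure, test-only. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5445 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; |
| include registry-noauth.conf; |
| } |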
| |
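| # 5446: untrusted ("noca") server cert plus basic auth. A client that accepts |
| # this cert would hand testuser/passpassword to anyone who can MITM the hop — |
| # that is precisely the behaviour this port is meant to probe. Test-only. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5446 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; |
| include registry-basic.conf; |
| } |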
| |
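| # 5447: untrusted ("noca") server cert, yet the client must still present a |
| # cert chaining to the test CA. Tests client auth against an insecure server. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5447 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem; |
| # Trust anchor for client certs; a missing or untrusted cert yields HTTP 400. |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| include registry-noauth.conf; |
| } |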
| |
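| # 5448: "Bad SSL version" negative test. SSLv3 is broken (POODLE) and most |
| # current OpenSSL builds omit it entirely, in which case no client can complete |
| # a handshake here at all. Intentionally insecure — never copy this block. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5448 ssl; |
| server_name localhost; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem; |
| ssl_protocols SSLv3; |
| include registry-noauth.conf; |
| } |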
| |
| # Add configuration for localregistry server_name |
| # Requires an /etc/hosts entry for "localregistry" so the client sends that name as SNI/Host and reaches these blocks |
| # Point the entry at an external IP, not 127.0.0.1: Docker treats loopback (127.0.0.0/8) as an insecure registry |
| # by default, which would bypass the secure/insecure registry features these ports are meant to test |
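| # 5440 for server_name localregistry: CA-issued cert, no client cert, no basic auth. |
| # Selected by SNI/Host; the `localhost` server defined earlier on this port is the |
| # default for clients that send neither. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5440 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| include registry-noauth.conf; |
| } |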
| |
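| # 5441 for server_name localregistry: CA-issued cert plus HTTP basic auth. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5441 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| # Basic-auth proxy rules (testuser/passpassword); contents not shown here. |
| include registry-basic.conf; |
| } |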
| |
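| # 5442 and 5443 for server_name localregistry: mutual TLS. The client must |
| # present a cert chaining to the test CA or nginx answers HTTP 400 (495/496 |
| # internally). Both ports share this block; the distinction is client-side. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5442 ssl; |
| listen 5443 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| # Trust anchor for client certs (default ssl_verify_depth of 1 applies). |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| include registry-noauth.conf; |
| } |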
| |
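| # 5444 for server_name localregistry: mutual TLS AND HTTP basic auth. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5444 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| # Trust anchor for client certs; a missing or untrusted cert yields HTTP 400. |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| # Basic-auth proxy rules; contents not shown here. |
| include registry-basic.conf; |
| } |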
| |
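| # 5445 for server_name localregistry: server cert NOT issued by the test CA |
| # ("noca"). Exercises untrusted-cert handling; intentionally insecure, test-only. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5445 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; |
| include registry-noauth.conf; |
| } |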
| |
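| # 5446 for server_name localregistry: untrusted ("noca") server cert plus basic |
| # auth. A client accepting this cert leaks testuser/passpassword to any MITM — |
| # exactly the behaviour this port probes. Test-only. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5446 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; |
| include registry-basic.conf; |
| } |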
| |
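| # 5447 for server_name localregistry: untrusted ("noca") server cert, yet the |
| # client must present a cert chaining to the test CA. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5447 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem; |
| # Trust anchor for client certs; a missing or untrusted cert yields HTTP 400. |
| ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem; |
| ssl_verify_client on; |
| include registry-noauth.conf; |
| } |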
| |
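| # 5448 for server_name localregistry: "Bad SSL version" negative test. SSLv3 is |
| # broken (POODLE) and most current OpenSSL builds omit it, so no handshake can |
| # complete here at all. Intentionally insecure — never copy this block. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5448 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| ssl_protocols SSLv3; |
| include registry-noauth.conf; |
| } |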
| |
| |
| # V1 search test |
| # Registry configured with token auth and no tls |
| # TLS termination done by nginx, search results |
| # served by nginx |
| |
| # Token-auth registry with no TLS of its own; nginx (port 5600) terminates TLS |
| # and forwards over plaintext HTTP inside the test network. |
| upstream docker-registry-v2-oauth { |
| server registryv2tokenoauthnotls:5000; |
| } |
| |
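| # 5600: TLS terminated here for the token-auth registry. /v2/ is proxied to it; |
| # /v1/search is answered from a static file once a Bearer header is present. |
| server { |
| # `listen ... ssl` replaces `ssl on;`, which nginx deprecated in 1.15.0 and |
| # removed in 1.25.1. Behaviour is otherwise unchanged. |
| listen 5600 ssl; |
| server_name localregistry; |
| ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem; |
| ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem; |
| |
| # Document root for the static /v1/search.json answer. |
| root /var/www/html; |
| |
| # No request-size limit (image layers are large); rely on the registry and disk quotas. |
| client_max_body_size 0; |
| chunked_transfer_encoding on; |
| location /v2/ { |
| proxy_buffering off; |
| proxy_pass http://docker-registry-v2-oauth; |
| proxy_set_header Host $http_host; # required for docker client's sake |
| proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP |
| # X-Forwarded-For is client-supplied and only appended to; X-Real-IP is the trustworthy value. |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| # Tells the registry the client used https even though this hop is plain http. |
| proxy_set_header X-Forwarded-Proto $scheme; |
| proxy_read_timeout 900; |
| } |
| |
| location /v1/search { |
| # Presence check only: any Authorization header containing a token-shaped |
| # "Bearer ..." substring (pattern is unanchored) passes, and the token is never |
| # validated. Acceptable for a fixture, never for a real deployment. The bare 401 |
| # also carries no WWW-Authenticate challenge (RFC 7235 requires one); confirm the |
| # test client does not depend on it. `if` + `return` is the safe `if` form. |
| if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") { |
| return 401; |
| } |
| try_files /v1/search.json =404; |
| add_header Content-Type application/json; |
| } |
| } |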