vendor/github.com/docker/distribution/contrib/docker-integration/nginx/registry.conf - cloudstack-kubernetes-provider - Git at Google

 # Docker registry proxy for api version 2

 upstream docker-registry-v2 {
   server registryv2:5000;
 }

 # No client auth or TLS
 server {
   listen 5000;
   server_name localhost;

   # disable any limits to avoid HTTP 413 for large image uploads
   client_max_body_size 0;

   # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
   chunked_transfer_encoding on;

   location /v2/ {
     # Do not allow connections from docker 1.5 and earlier
     # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
     if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
       return 404;
     }

     include               docker-registry-v2.conf;
   }
 }

 # No client auth or TLS (V2 Only)
 server {
   listen 5002;
   server_name localhost;

   # disable any limits to avoid HTTP 413 for large image uploads
   client_max_body_size 0;

   # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
   chunked_transfer_encoding on;

   location / {
     include               docker-registry-v2.conf;
   }
 }

 # TLS Configuration chart
 # Username/Password: testuser/passpassword
 #      | ca  | client | basic | notes
 # 5440 | yes | no     | no    | Tests CA certificate
 # 5441 | yes | no     | yes   | Tests basic auth over TLS
 # 5442 | yes | yes    | no    | Tests client auth with client CA
 # 5443 | yes | yes    | no    | Tests client auth without client CA
 # 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
 # 5445 | no  | no     | no    | Tests insecure using TLS
 # 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
 # 5447 | no  | yes    | no    | Tests client auth to insecure
 # 5448 | yes | no     | no    | Bad SSL version

 server {
   listen 5440;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
   include registry-noauth.conf;
 }

 server {
   listen 5441;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
   include registry-basic.conf;
 }

 server {
   listen 5442;
   listen 5443;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-noauth.conf;
 }

 server {
   listen 5444;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-basic.conf;
 }

 server {
   listen 5445;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
   include registry-noauth.conf;
 }

 server {
   listen 5446;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
   include registry-basic.conf;
 }

 server {
   listen 5447;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-noauth.conf;
 }

 server {
   listen 5448;
   server_name localhost;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
   ssl_protocols       SSLv3;
   include registry-noauth.conf;
 }

 # Add configuration for localregistry server_name
 # Requires configuring /etc/hosts to use
 # Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
 # Docker secure/insecure registry features
 server {
   listen 5440;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
   include registry-noauth.conf;
 }

 server {
   listen 5441;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
   include registry-basic.conf;
 }

 server {
   listen 5442;
   listen 5443;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-noauth.conf;
 }

 server {
   listen 5444;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-basic.conf;
 }

 server {
   listen 5445;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
   include registry-noauth.conf;
 }

 server {
   listen 5446;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
   include registry-basic.conf;
 }

 server {
   listen 5447;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
   ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
   ssl_verify_client on;
   include registry-noauth.conf;
 }

 server {
   listen 5448;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
   ssl_protocols       SSLv3;
   include registry-noauth.conf;
 }


 # V1 search test
 # Registry configured with token auth and no tls
 # TLS termination done by nginx, search results
 # served by nginx

 upstream docker-registry-v2-oauth {
   server registryv2tokenoauthnotls:5000;
 }

 server {
   listen 5600;
   server_name localregistry;
   ssl on;
   ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
   ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;

   root /var/www/html;

   client_max_body_size 0;
   chunked_transfer_encoding on;
   location /v2/ {
     proxy_buffering off;
     proxy_pass                          http://docker-registry-v2-oauth;
     proxy_set_header  Host              $http_host;   # required for docker client's sake
     proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
     proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
     proxy_set_header  X-Forwarded-Proto $scheme;
     proxy_read_timeout                  900;
   }

   location /v1/search {
     if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
 	return 401;
     }
     try_files /v1/search.json =404;
     add_header Content-Type application/json;
   }
 }
	# Docker registry proxy for api version 2

	upstream docker-registry-v2 {
	server registryv2:5000;
	}

	# No client auth or TLS
	server {
	listen 5000;
	server_name localhost;

	# disable any limits to avoid HTTP 413 for large image uploads
	client_max_body_size 0;

	# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
	chunked_transfer_encoding on;

	location /v2/ {
	# Do not allow connections from docker 1.5 and earlier
	# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
	if ($http_user_agent ~ "^(docker\/1\.(3\|4\|5(?!\.[0-9]-dev))\|Go ).*$" ) {
	return 404;
	}

	include docker-registry-v2.conf;
	}
	}

	# No client auth or TLS (V2 Only)
	server {
	listen 5002;
	server_name localhost;

	# disable any limits to avoid HTTP 413 for large image uploads
	client_max_body_size 0;

	# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
	chunked_transfer_encoding on;

	location / {
	include docker-registry-v2.conf;
	}
	}

	# TLS Configuration chart
	# Username/Password: testuser/passpassword
	# \| ca \| client \| basic \| notes
	# 5440 \| yes \| no \| no \| Tests CA certificate
	# 5441 \| yes \| no \| yes \| Tests basic auth over TLS
	# 5442 \| yes \| yes \| no \| Tests client auth with client CA
	# 5443 \| yes \| yes \| no \| Tests client auth without client CA
	# 5444 \| yes \| yes \| yes \| Tests using basic auth + tls auth
	# 5445 \| no \| no \| no \| Tests insecure using TLS
	# 5446 \| no \| no \| yes \| Tests sending credentials to server with insecure TLS
	# 5447 \| no \| yes \| no \| Tests client auth to insecure
	# 5448 \| yes \| no \| no \| Bad SSL version

	server {
	listen 5440;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
	include registry-noauth.conf;
	}

	server {
	listen 5441;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
	include registry-basic.conf;
	}

	server {
	listen 5442;
	listen 5443;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-noauth.conf;
	}

	server {
	listen 5444;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-basic.conf;
	}

	server {
	listen 5445;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
	include registry-noauth.conf;
	}

	server {
	listen 5446;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
	include registry-basic.conf;
	}

	server {
	listen 5447;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-noauth.conf;
	}

	server {
	listen 5448;
	server_name localhost;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
	ssl_protocols SSLv3;
	include registry-noauth.conf;
	}

	# Add configuration for localregistry server_name
	# Requires configuring /etc/hosts to use
	# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
	# Docker secure/insecure registry features
	server {
	listen 5440;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
	include registry-noauth.conf;
	}

	server {
	listen 5441;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
	include registry-basic.conf;
	}

	server {
	listen 5442;
	listen 5443;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-noauth.conf;
	}

	server {
	listen 5444;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-basic.conf;
	}

	server {
	listen 5445;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
	include registry-noauth.conf;
	}

	server {
	listen 5446;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
	include registry-basic.conf;
	}

	server {
	listen 5447;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
	ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
	ssl_verify_client on;
	include registry-noauth.conf;
	}

	server {
	listen 5448;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
	ssl_protocols SSLv3;
	include registry-noauth.conf;
	}


	# V1 search test
	# Registry configured with token auth and no tls
	# TLS termination done by nginx, search results
	# served by nginx

	upstream docker-registry-v2-oauth {
	server registryv2tokenoauthnotls:5000;
	}

	server {
	listen 5600;
	server_name localregistry;
	ssl on;
	ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
	ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;

	root /var/www/html;

	client_max_body_size 0;
	chunked_transfer_encoding on;
	location /v2/ {
	proxy_buffering off;
	proxy_pass http://docker-registry-v2-oauth;
	proxy_set_header Host $http_host; # required for docker client's sake
	proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_read_timeout 900;
	}

	location /v1/search {
	if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
	return 401;
	}
	try_files /v1/search.json =404;
	add_header Content-Type application/json;
	}
	}