
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header is unset
## since nginx is auth-ing before proxying.
## Only the empty case is mapped on purpose: a map without a 'default'
## entry yields '' for every other upstream value, and add_header skips a
## header whose value is empty, so the registry's own header passes
## through untouched and nginx only fills it in for replies it generated
## itself (e.g. the 401 from auth_basic).
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
# Mtail friendly json access-log format to record registry traffic.
# escape=json makes nginx JSON-escape every variable value, so user-controlled
# fields (path, query string, referer, user agent) cannot break the record.
# Numeric fields (status, byte counts, request_time) are left unquoted;
# $upstream_status is quoted because it may be "-" or a comma-separated list
# when several upstreams were tried. $effective_request_id comes from the
# map below, which falls back to client address + time when $request_id is
# empty.
log_format registry_json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"remote_address":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request_id":"$effective_request_id",'
'"method":"$request_method",'
'"path":"$uri",'
'"query_string":"$args",'
'"http_version":"$server_protocol",'
'"status":$status,'
'"bytes_sent":$bytes_sent,'
'"body_bytes_sent":$body_bytes_sent,'
'"request_length":$request_length,'
'"request_time":$request_time,'
'"upstream_status":"$upstream_status",'
'"upstream_time":"$upstream_response_time",'
'"referer":"$http_referer",'
'"user_agent":"$http_user_agent",'
'"x_forwarded_for":"$http_x_forwarded_for",'
'"range":"$http_range",'
'"docker_content_digest":"$sent_http_docker_content_digest",'
'"upstream_range":"$upstream_http_range",'
'"docker_upload_uuid":"$upstream_http_docker_upload_uuid"'
'}';
# If $request_id is unavailable/empty use client + time.
# $request_id (16 random hex bytes) exists since nginx 1.11.0; the fallback
# value is not guaranteed unique, it only keeps the log field and the
# X-Request-ID header non-empty so requests can still be correlated.
map $request_id $effective_request_id {
default $request_id;
"" "$remote_addr-$msec-$request_length";
}
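# TLS front end for the docker registry (registry.zinomedia.de).
# nginx terminates TLS, enforces basic auth and adds the CORS headers the
# registry UI needs, then proxies /v2/ to the registry container.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name registry.zinomedia.de;
    access_log /var/log/nginx/registry.zinomedia.de.access.log;
    error_log /var/log/nginx/error.log;
    ssl_certificate /etc/letsencrypt/live/registry.zinomedia.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/registry.zinomedia.de/privkey.pem;
    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLSv1.1 is deprecated (RFC 8996) and no supported docker client needs it,
    # so only TLSv1.2 is offered; add TLSv1.3 here once the nginx/OpenSSL build
    # in the image supports it (nginx >= 1.13.0 with OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
    chunked_transfer_encoding on;
    # Everything outside the registry API is refused outright.
    location / {
        return 403;
    }
    location /v2/ {
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # Password protect
        # The .htpasswd lives under the html tree; nothing in this server serves
        # files from there (location / returns 403), but keep it out of any
        # root/alias another server block may expose.
        auth_basic "Protected Registry";
        auth_basic_user_file /usr/share/nginx/html/registry.zinomedia.de/.htpasswd;
        # CORS preflight. 'return' runs in the rewrite phase, i.e. before
        # auth_basic, so the UI's preflight is answered without credentials
        # (preflights carry none by design).
        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control';
            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE';
            add_header 'Content-Length' '0';
            # media type and charset must be separated by ';'
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            return 204;
        }
        # add_header is inherited only when the current level defines none, so a
        # DELETE handled inside this 'if' would otherwise lose the
        # Docker-Distribution-Api-Version and X-Request-ID headers set further
        # down; they are repeated here. 'always' keeps the CORS headers on
        # error responses too, so the UI can read the registry's status.
        if ($request_method = DELETE) {
            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control' always;
            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE' always;
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
            add_header X-Request-ID $effective_request_id always;
        }
        # CORS headers for ordinary (authenticated) requests. The origin is a
        # single fixed value because Allow-Credentials is true (a wildcard is
        # not permitted with credentials).
        add_header Access-Control-Allow-Origin "https://registryui.zinomedia.de";
        add_header Access-Control-Allow-Credentials "true";
        add_header Access-Control-Allow-Headers "Authorization, Accept, Cache-Control";
        add_header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE";
        # Do not allow connections from docker 1.5 and earlier
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }
        ## If $docker_distribution_api_version is empty, the header is not added.
        ## See the map directive above where this variable is defined.
        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
        # 127.0.0.11 is Docker's embedded DNS. Using a variable in proxy_pass
        # makes nginx resolve "registry" per request instead of at startup
        # (the usual reason for this pattern: the registry container may start
        # later or change address).
        resolver 127.0.0.11;
        set $upstream "http://registry:5000";
        proxy_pass $upstream;
        proxy_set_header Host $http_host; # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Large blob pushes/pulls can keep the upstream busy for a long time.
        proxy_read_timeout 900;
        # Registry traffic
        # The same id is returned to the client and forwarded upstream so a
        # request can be correlated across the nginx json log and the registry.
        add_header X-Request-ID $effective_request_id always;
        proxy_set_header X-Request-ID $effective_request_id;
        access_log /var/log/nginx/registry.zinomedia.de.access.json.log registry_json;
    }
}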
# Plain-HTTP listener: nothing is served here, every request is redirected
# permanently to the TLS server above with path and query string preserved.
server {
listen 80;
listen [::]:80;
server_name registry.zinomedia.de;
return 301 https://$host$request_uri;
}