modified

README.md

@@ -1,2 +1,2 @@
-# docker-registry-keese
+# registry.docker.keese.zinomedia.de
 

auth/htpasswd

@@ -0,0 +1 @@
+zino:$apr1$SZM7dK4p$p3S2DBdWQOmPsUldgIUhb1

docker-compose-autossh.yml

@@ -0,0 +1,21 @@
+version: "3"
+services:
+      autossh:
+            container_name: autossh-keese-registry
+            restart: always
+            image: jnovack/autossh
+            network_mode: host
+            volumes:
+                  - ./ssh/id_rsa:/id_rsa 
+            environment:                                
+                  - AUTOSSH_GATETIME=0
+                  - PubkeyAuthentication=yes
+                  - StrictHostKeyChecking=false
+                  - PasswordAuthentication=no
+                  - SSH_SERVER_ALIVE_INTERVAL=30
+                  - ExitOnForwardFailure=yes
+                  - SSH_REMOTE_USER=autotunnel
+                  - SSH_REMOTE_HOST=arwing.zinomedia.de
+                  - SSH_REMOTE_PORT=1337   
+                  - SSH_TUNNEL_PORT=8060 # incoming port on remote server
+                  - SSH_TARGET_PORT=5000 # port of application to forward 

docker-compose-registry.yml

@@ -0,0 +1,10 @@
+version: "3"
+services:
+      registry:
+            container_name: registry
+            restart: always
+            image: registry:2
+            ports:
+                  - 5000:5000
+            volumes:
+                  - /mnt/NASbarracuda1TB/keese/registry:/var/lib/registry

docker-compose.yml

@@ -0,0 +1,32 @@
+version: "3"
+services:
+      registry:
+            container_name: registry
+            restart: always
+            image: registry:2
+            ports:
+                  - 5000:5000
+            volumes:
+                  - /mnt/NASbarracuda1TB/keese/registry:/var/lib/registry
+
+      autossh:
+            container_name: autossh-keese-registry
+            restart: always
+            image: jnovack/autossh
+            network_mode: host
+            depends_on:
+                  - registry
+            volumes:
+                  - ./ssh/id_rsa:/id_rsa 
+            environment:                                
+                  - AUTOSSH_GATETIME=0
+                  - PubkeyAuthentication=yes
+                  - StrictHostKeyChecking=false
+                  - PasswordAuthentication=no
+                  - SSH_SERVER_ALIVE_INTERVAL=30
+                  - ExitOnForwardFailure=yes
+                  - SSH_REMOTE_USER=autotunnel
+                  - SSH_REMOTE_HOST=arwing.zinomedia.de
+                  - SSH_REMOTE_PORT=1337   
+                  - SSH_TUNNEL_PORT=8060 # incoming port on remote server
+                  - SSH_TARGET_PORT=5000 # port of application to forward  

nginx/registry.docker.keese.zinomedia.de.conf

@@ -0,0 +1,63 @@
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header is unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}
+
+server {
+    listen 443 ssl;
+    server_name registry.docker.keese.zinomedia.de;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/registry.docker.keese.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registry.docker.keese.zinomedia.de/privkey.pem;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location /v2/ {
+        # Do not allow connections from docker 1.5 and earlier
+        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+            return 404;
+        }
+
+        # To add basic authentication to v2 use auth_basic setting.
+        auth_basic "Registry realm";
+        auth_basic_user_file /home/zino/projects/dockers/registry.docker.keese.zinomedia.de/auth/htpasswd;
+
+        ## If $docker_distribution_api_version is empty, the header is not added.
+        ## See the map directive above where this variable is defined.
+        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+        proxy_pass http://127.0.0.1:8050;
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    if ($host = registry.docker.keese.zinomedia.de) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    listen 80;
+    listen [::]:80;
+    server_name registry.docker.keese.zinomedia.de;
+    return 404; # managed by Certbot
+}

ssh/id_rsa

@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAzdlVUjk8K/BQXhqao1lkjkjwEMJwB+S4IfkJF/XAHHXDEcpG32jv
+eSsngCTMdgR9H3Z4gD1bVhKseHAeCtauDRSs2QVlRE9zmx8XYcGbsLa0HjC2NlbmTfu79i
++giwaC7TQsP+TrKk6DHpCLZbIx5sUm6FuSvbolMefyAWZS2vh16UDNjovENH2YpCULnuvO
+E11hxgNjcSx6WSbYP6SYvH4tqaX9JNLSJagPpAEJ8FJSkSd6GuPETfUmdHLzh/1eVHGsZI
+Q3ubnnZ9h+5gjbSJ5fVjlW+RCAjXPnvuRyA089QHibvsXDBExz+gbd/BN/mGOugQf4qukR
+FQ3VEJtv+QAAA9C/GIx2vxiMdgAAAAdzc2gtcnNhAAABAQDN2VVSOTwr8FBeGpqjWWSOSP
+AQwnAH5Lgh+QkX9cAcdcMRykbfaO95KyeAJMx2BH0fdniAPVtWEqx4cB4K1q4NFKzZBWVE
+T3ObHxdhwZuwtrQeMLY2VuZN+7v2L6CLBoLtNCw/5OsqToMekItlsjHmxSboW5K9uiUx5/
+IBZlLa+HXpQM2Oi8Q0fZikJQue684TXWHGA2NxLHpZJtg/pJi8fi2ppf0k0tIlqA+kAQnw
+UlKRJ3oa48RN9SZ0cvOH/V5UcaxkhDe5uedn2H7mCNtInl9WOVb5EICNc+e+5HIDTz1AeJ
+u+xcMETHP6Bt38E3+YY66BB/iq6REVDdUQm2/5AAAAAwEAAQAAAQAE1xhnf4sHqXXqUIvU
+TXTM17A1ZK0HsnwV6GorUw76XFaC45O5CxmeasJaBAN+vupGRB3fPhIYuwWtK025iYS8MA
+FEdRkFeyzHt/pvxQKpLBKeJx0RuAdgTAwGZOZMfpGzjCeCNRrGeuQgYtu0P3Vm7LnWeti/
+d1IKk16gY8yM84HZhTYcpSwdDCORXjY4YOGLDm45kWzL89W4hOIIpx0pRV3t3ISTnFxEsr
+j4mhePtnoib+wbetsewql1vlsDsHnGIeQwa1XuZdolXHoQXi1y5ygnd2XR0ChVBdQ9wAFO
+GrlxlmV8WzRgfFIwlUMflcA0BtFEW513Db5haDTWgZCRAAAAgDAKJQAh3r6t6rD6qzmesM
+X7QjogYvs1L15Ickn9lyAEjQrBAWNQWYi2tTLEVDF7eH+OyscRXjuwUxK43QANOL7KE7jI
+3Ql/hnf0TiTGGNjqBB/h506NC+qvQfson7oj16AUwrHHb9GIRvRcZdy9tsU9TiAtrcgOOi
+qa5SJ/yWIjAAAAgQDz4yRkwFEI80NnSGDsMERHzW/6pcA7SREpEAIbICpgsHRGuYHtIwVF
+RsvVkPxe6fFcuMUYso67RdNELvPI/6h+endE4heNodC00mytI7nIva4sbU1TIqAzBsEJhT
+1A5d7WNCIehQxbbCi3mdEiN4r47176TZdKuE2xl5Kc0rXbzQAAAIEA2BKPbfq0NacvynE7
+or1hmTjOyfidzQ6Vo/UmTuR6anxAhjcAmt3uIYsiYw2xFGGTUmRAu4wOKnyfcD3itzvVC/
+CgehBf+wp9n7FkmvaZMe1ZrefVX9YcOBDjf8T95oGbq5s7kImEH2GIy1fUGad7b/Ad6ADK
+lT/8ppEnHoo/cN0AAAAXYXV0b3R1bm5lbEByYXNwYmVycnlwaTIBAgME
+-----END OPENSSH PRIVATE KEY-----