nginx proxy examples
The following nginx configurations provide a proxy for both the registry and this frontend UI.
These configurations expect that you're using DNS or a `--link` in your `docker run` to provide the correct names for your `upstream` statements.
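This nginx configuration expects you to have DNS or /etc/hosts entries so that machines and users can access the registry at https://privregistry.domain and the frontend UI at https://registryui.domain. Note that in these examples only the registry virtual host is protected by HTTP basic auth; the frontend virtual host is proxied without authentication.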
Below the nginx configurations is a basic shell script to start the registry, redis, registry-frontend, and nginx to proxy both services.
etc/nginx/sites-enabled/registry-frontend.conf
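# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

# Backend for the web UI. "frontend" must resolve from the proxy (DNS or a
# docker --link alias).
upstream registry-frontend {
    server frontend:80;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#     listen *:80;
#     server_name my.docker.registry.com;
#     return 301 https://$server_name$request_uri;
# }

server {
    # TLS is enabled on the listen socket. The standalone "ssl on;" directive
    # is obsolete since nginx 1.15.0 and was removed in 1.25.1, where it makes
    # the configuration fail to load.
    listen 443 ssl;
    server_name registryui.domain;

    ssl_certificate /etc/ssl/certs/docker-registry;
    ssl_certificate_key /etc/ssl/private/docker-registry;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so the accepted
    # TLS versions are whatever this nginx build defaults to. Confirm they match
    # your policy, or set them explicitly.

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
    # NOTE(review): this vhost serves the UI, not image uploads. An unlimited
    # request body on an unauthenticated vhost is probably wider than needed.
    # Confirm, and consider a finite limit.

    location / {
        # NOTE(review): unlike the privregistry.domain vhost, nothing here
        # requires credentials. The frontend container talks to the registry
        # directly, so anyone who can reach this name can browse whatever the UI
        # exposes. If that is not intended, enable basic auth here as well:
        # auth_basic "Restricted";
        # auth_basic_user_file /etc/nginx/docker-registry.htpasswd;
        include /etc/nginx/conf.d/registry-frontend.conf;
    }
}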
etc/nginx/conf.d/registry-frontend.conf
# Location-level snippet included by the registryui.domain server block:
# forwards every request to the "registry-frontend" upstream.
proxy_pass http://registry-frontend;
proxy_set_header Host $http_host; # required for docker client's sake
# $remote_addr is the address of the peer connected to this nginx.
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
# Left commented out, so a client-supplied Authorization header is forwarded to
# the frontend unchanged.
#proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
# Wait up to 900 seconds between reads from the upstream before timing out.
proxy_read_timeout 900;
etc/nginx/sites-enabled/privregistry.domain.conf
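# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

# Backend for the registry API. "registry" must resolve from the proxy (DNS or
# a docker --link alias).
upstream docker-registry {
    server registry:5000;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#     listen *:80;
#     server_name my.docker.registry.com;
#     return 301 https://$server_name$request_uri;
# }

server {
    # TLS is enabled on the listen socket. The standalone "ssl on;" directive
    # is obsolete since nginx 1.15.0 and was removed in 1.25.1, where it makes
    # the configuration fail to load.
    listen 443 ssl;
    server_name privregistry.domain;

    ssl_certificate /etc/ssl/certs/docker-registry;
    ssl_certificate_key /etc/ssl/private/docker-registry;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so the accepted
    # TLS versions are whatever this nginx build defaults to. Confirm they match
    # your policy, or set them explicitly.

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Everything except the ping endpoints below requires HTTP basic auth.
    # Basic auth sends the password with every request; it is protected here
    # only because this vhost listens on TLS alone. Keep the htpasswd file
    # readable by the nginx user only.
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/docker-registry.htpasswd;
        include /etc/nginx/conf.d/docker-registry.conf;
    }

    # The ping endpoints are deliberately unauthenticated. They include the same
    # proxy snippet as "/", so its unlimited body size applies here too.
    location /_ping {
        auth_basic off;
        include /etc/nginx/conf.d/docker-registry.conf;
    }

    location /v1/_ping {
        auth_basic off;
        include /etc/nginx/conf.d/docker-registry.conf;
    }
}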
etc/nginx/conf.d/docker-registry.conf
# Location-level snippet included by every location of the privregistry.domain
# server block: forwards requests to the "docker-registry" upstream.
proxy_pass http://docker-registry;
# Time out if the client sends no body data for 30 seconds.
client_body_timeout 30s;
client_body_in_single_buffer on;
# NOTE(review): request-body temp files go under /dev/nginx with a two-level
# subdirectory layout. This is an unusual location; confirm it exists in the
# proxy image and is writable only by the nginx user.
client_body_temp_path /dev/nginx 1 2;
# No request-body limit. This snippet is also included by the /_ping and
# /v1/_ping locations, which have auth_basic off, so unauthenticated requests to
# those paths are not size-limited either.
client_max_body_size 0;
chunked_transfer_encoding on;
tcp_nodelay on;
tcp_nopush off;
# Cap the on-disk buffer for a single upstream response at 3172 MB.
proxy_max_temp_file_size 3172m;
sendfile_max_chunk 0;
sendfile off;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
# Clears the header, so the basic-auth credentials checked by nginx are not
# forwarded to the registry backend.
proxy_set_header Authorization ""; # see https://github.com/dotcloud/docker-registry/issues/170
proxy_read_timeout 120s;
reset_timedout_connection on;
This is a more complex script to start
- redis for registry caching
- docker-registry
- docker-registry-frontend
- nginx proxy configured as above
#!/bin/sh
# Start the four existing registry containers in dependency order
# (redis, registry, frontend, proxy). Returns the status of the last
# `docker start`.
start () {
  # Positional parameters set here are local to this function call.
  set -- registry_redis registry_registry registry_frontend registry_proxy
  for name in "$@"; do
    docker start "${name}"
  done
}
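# Create and start the four containers: redis, docker-registry, the
# frontend UI and the nginx proxy. Each `docker run` is chained with `&&`,
# so a failure stops the sequence.
#
# Globals:  REGDATA (written) - host directory mounted at /registry-data
# Returns:  status of the last `docker run` executed
#
# Security notes:
# - Only the proxy publishes a port (443). redis, the registry and the
#   frontend are reachable only through the container links.
# - AWS_KEY / AWS_SECRET are passed with -e. Values given this way are
#   stored in the container configuration (visible in `docker inspect`)
#   and sit in this script in clear text. Prefer `--env-file` with a file
#   readable only by its owner, and keep real credentials out of version
#   control.
# - LOGLEVEL=debug and CORS_ORIGINS=['*'] are permissive example values.
#   Lower the log level and restrict the allowed origins before exposing
#   the registry.
# - The images are referenced without a tag or digest, so whatever
#   `latest` currently points to is pulled. Pin a tag or digest for
#   reproducible deployments.
#
# Every -e / -v argument is quoted. Unquoted, the bracketed values are
# glob patterns and a working directory containing whitespace splits the
# -v argument. The second, identical STORAGE_PATH entry was dropped.
run () {
  REGDATA="$(pwd)/registry-data"
  docker run \
    -d \
    --restart=always \
    --name=registry_redis \
    shastafareye/redis \
  && docker run -d --restart=always \
    -e LOGLEVEL=debug \
    -e "CORS_ORIGINS=['*']" \
    -e STORAGE_PATH=/registry \
    -e SEARCH_BACKEND=sqlalchemy \
    -e SQLALCHEMY_INDEX_DATABASE=sqlite:////registry-data/docker-registry.db \
    -e CACHE_REDIS_HOST=redis \
    -e CACHE_REDIS_PORT=6379 \
    -e CACHE_REDIS_DB=0 \
    -e CACHE_LRU_REDIS_HOST=redis \
    -e CACHE_LRU_REDIS_PORT=6379 \
    -e CACHE_LRU_REDIS_DB=1 \
    -e GUNICORN_OPTS='[--preload]' \
    -e WEB_CONCURRENCY=10 \
    -e SETTINGS_FLAVOR=s3 \
    -e AWS_REGION=us-west-2 \
    -e AWS_SECURE=true \
    -e 'AWS_BUCKET=[YOUR_AWS_BUCKET]' \
    -e 'AWS_KEY=[YOUR_AWS_KEY]' \
    -e 'AWS_SECRET=[YOUR_AWS_SECRET]' \
    -e INDEX_ENDPOINT=https://index.docker.io \
    -v "${REGDATA}:/registry-data" \
    --name registry_registry \
    --link registry_redis:redis \
    shastafareye/docker-registry \
  && docker run --restart=always \
    -d \
    -e ENV_DOCKER_REGISTRY_HOST=registry \
    -e ENV_DOCKER_REGISTRY_PORT=5000 \
    --name=registry_frontend \
    --link registry_registry:registry \
    konradkleine/docker-registry-frontend \
  && docker run -d --restart=always \
    -p 443:443 \
    --name=registry_proxy \
    --link registry_registry:registry \
    --link registry_frontend:frontend \
    -v /some/dir/nginx:/etc/nginx \
    shastafareye/nginx
}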
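# Stop every container whose name starts with "registry_".
#
# The match is made on the last column of `docker ps -a` (the container
# name) only. A plain `grep registry_` over the whole line also selects
# unrelated containers whose image or command merely contains that text.
# Returns the status of the last `docker stop`.
stop () {
  # Word splitting of the substitution is intended: one name per word.
  for r in $(docker ps -a | awk '$NF ~ /^registry_/ { print $NF }') ; do
    docker stop "${r}"
  done
}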
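# Remove every container whose name starts with "registry_".
#
# The match is made on the last column of `docker ps -a` (the container
# name) only. A plain `grep registry_` over the whole line also selects
# unrelated containers whose image or command merely contains that text,
# and here they would be deleted.
# Returns the status of the last `docker rm`.
remove () {
  # Word splitting of the substitution is intended: one name per word.
  for r in $(docker ps -a | awk '$NF ~ /^registry_/ { print $NF }') ; do
    docker rm "${r}"
  done
}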
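# Dispatch on the first command-line argument. An unknown or missing
# sub-command prints the usage line to stderr and exits with status 2.
# The usage line lists `run`, which is accepted above.
case "${1}" in
  start)
    echo "starting registry..."
    start
    ;;
  stop)
    echo "stopping registry - dont forget to remove if needed"
    stop
    ;;
  run)
    run
    ;;
  remove)
    echo "removing registry containers..."
    remove
    ;;
  whack)
    echo "stopping and removing registry containers..."
    stop
    remove
    ;;
  *)
    echo "Usage: ${0} [start|stop|run|remove|whack]" >&2
    exit 2
    ;;
esac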