...
# Docker registry proxy for API version 2

# Backend for the v2 registry. The name is not referenced in this file;
# presumably the included docker-registry-v2.conf proxies to it (not shown here).
upstream docker-registry-v2 {
    server registryv2:5000;
}
# Plain-HTTP listener: no client auth and no TLS.
server {
    listen 5000;
    server_name localhost;

    # 0 disables the request-body size check, so large image uploads do not fail with HTTP 413.
    client_max_body_size 0;

    # Required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
        # Compatibility gate, not access control: the User-Agent header is client-supplied.
        # Rejects docker 1.3, 1.4 and 1.5 (1.5.x-dev builds are let through by the lookahead)
        # and "Go ..." agents, because docker before 1.6.0 did not set its user agent on ping.
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }

        include docker-registry-v2.conf;
    }
}
# Plain-HTTP listener: no client auth and no TLS (V2 only).
# Unlike port 5000 there is no User-Agent gate: every path goes to the included proxy config.
server {
    listen 5002;
    server_name localhost;

    # 0 disables the request-body size check, so large image uploads do not fail with HTTP 413.
    client_max_body_size 0;

    # Required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        include docker-registry-v2.conf;
    }
}
# TLS Configuration chart
# Username/Password: testuser/passpassword
# port | ca  | client | basic | notes
# 5440 | yes | no     | no    | Tests CA certificate
# 5441 | yes | no     | yes   | Tests basic auth over TLS
# 5442 | yes | yes    | no    | Tests client auth with client CA
# 5443 | yes | yes    | no    | Tests client auth without client CA
# 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
# 5445 | no  | no     | no    | Tests insecure using TLS
# 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
# 5447 | no  | yes    | no    | Tests client auth to insecure
# 5448 | yes | no     | no    | Bad SSL version
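# TLS test listeners for server_name localhost (one per row of the TLS chart).
# TLS is enabled with the "ssl" parameter of "listen": the standalone "ssl on;" directive
# was made obsolete in nginx 1.15.0 and removed in 1.25.1.
# registry-noauth.conf and registry-basic.conf are not shown here; going by the chart,
# registry-basic.conf is where basic auth is expected to be configured.

# 5440 (ca=yes, client=no, basic=no): server certificate from the "registry-ca" set.
server {
    listen 5440 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
    include registry-noauth.conf;
}

# 5441 (ca=yes, client=no, basic=yes): basic auth over TLS.
server {
    listen 5441 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
    include registry-basic.conf;
}

# 5442 and 5443 (ca=yes, client=yes, basic=no): one server block serves both ports, so the
# "with client CA" / "without client CA" difference in the chart is not in this file.
# Client certificates are required and verified against registry-ca+ca.pem.
server {
    listen 5442 ssl;
    listen 5443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-noauth.conf;
}

# 5444 (ca=yes, client=yes, basic=yes): client certificate and basic auth together.
server {
    listen 5444 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-basic.conf;
}

# 5445 (ca=no, client=no, basic=no): server certificate from the "registry-noca" set,
# which the chart treats as the insecure-TLS case.
server {
    listen 5445 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
    include registry-noauth.conf;
}

# 5446 (ca=no, client=no, basic=yes): credentials sent to a server with insecure TLS.
server {
    listen 5446 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
    include registry-basic.conf;
}

# 5447 (ca=no, client=yes, basic=no): "registry-noca" server certificate, but client
# certificates are still required and verified against registry-ca+ca.pem.
server {
    listen 5447 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-noauth.conf;
}

# 5448 (ca=yes, client=no, basic=no): "Bad SSL version" case.
# SSLv3 is obsolete and insecure; it is pinned here on purpose, presumably so the test can
# check that clients refuse it. Whether the listener can negotiate SSLv3 at all depends on
# the OpenSSL build nginx is linked against.
server {
    listen 5448 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
    ssl_protocols SSLv3;
    include registry-noauth.conf;
}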
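# Add configuration for localregistry server_name
# Requires configuring /etc/hosts to use
# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
# Docker secure/insecure registry features
#
# Same ports and auth combinations as the localhost listeners (see the TLS chart), using
# the localregistry certificates. TLS is enabled with the "ssl" parameter of "listen":
# the standalone "ssl on;" directive was made obsolete in nginx 1.15.0 and removed in 1.25.1.

# 5440 (ca=yes, client=no, basic=no)
server {
    listen 5440 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
    include registry-noauth.conf;
}

# 5441 (ca=yes, client=no, basic=yes)
server {
    listen 5441 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
    include registry-basic.conf;
}

# 5442 and 5443 (ca=yes, client=yes, basic=no): client certificates are required and
# verified against registry-ca+ca.pem; both ports share this one server block.
server {
    listen 5442 ssl;
    listen 5443 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-noauth.conf;
}

# 5444 (ca=yes, client=yes, basic=yes)
server {
    listen 5444 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-basic.conf;
}

# 5445 (ca=no, client=no, basic=no): "registry-noca" server certificate.
server {
    listen 5445 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
    include registry-noauth.conf;
}

# 5446 (ca=no, client=no, basic=yes)
server {
    listen 5446 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
    include registry-basic.conf;
}

# 5447 (ca=no, client=yes, basic=no): client certificates verified against registry-ca+ca.pem.
server {
    listen 5447 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
    ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
    ssl_verify_client on;
    include registry-noauth.conf;
}

# 5448 (ca=yes, client=no, basic=no): "Bad SSL version" case.
# SSLv3 is obsolete and insecure; it is pinned here on purpose for that test. Whether the
# listener can negotiate it depends on the OpenSSL build nginx is linked against.
server {
    listen 5448 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
    ssl_protocols SSLv3;
    include registry-noauth.conf;
}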
# V1 search test
# Registry configured with token auth and no TLS.
# TLS termination is done by nginx; search results are served by nginx.

# Backend for the token-auth registry, reached over plain HTTP behind nginx.
upstream docker-registry-v2-oauth {
    server registryv2tokenoauthnotls:5000;
}
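# TLS front end for the token-auth registry, plus a static /v1/search stub.
server {
    # TLS is enabled on the listen socket: the standalone "ssl on;" directive was made
    # obsolete in nginx 1.15.0 and removed in 1.25.1.
    listen 5600 ssl;
    server_name localregistry;
    ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;

    root /var/www/html;

    # 0 disables the request-body size check (large image uploads).
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location /v2/ {
        proxy_buffering off;
        proxy_pass http://docker-registry-v2-oauth;
        proxy_set_header Host $http_host; # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the client
        # sent, so only the last entry is set by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }

    location /v1/search {
        # Shape check only: any Authorization header containing something that looks like
        # a Bearer token passes (the pattern is unanchored). The token is never validated;
        # this location just serves a static fixture file.
        if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
            return 401;
        }
        try_files /v1/search.json =404;
        # NOTE(review): add_header appends a header instead of replacing the Content-Type
        # nginx derives for the file; "types { } default_type application/json;" is the
        # usual way to force the type. Confirm against the test client before changing.
        add_header Content-Type application/json;
    }
}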