我正在尝试在 nginx 代理后面设置一个私有(private) docker 注册表,该代理对每个人都是只读的(即允许拉取请求),但需要对推送请求进行身份验证。我遵循了各种指南,但仍然很难过。以下是我当前的 nginx 配置:
events {
worker_connections 1024;
}
http {
upstream docker-registry {
server registry:5000;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header is unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'registry/2.0' '';
default registry/2.0;
}
server {
listen 80;
server_name docker-host.example.com;
location / {
rewrite ^(.*)$ https://docker-host.example.com$1 last;
}
}
server {
listen 443 ssl;
server_name docker-host.example.com;
ssl_certificate /etc/nginx/ssl/example.cert.pem;
ssl_certificate_key /etc/nginx/ssl/example.key.pem;
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_max_body_size 0;
location / {
limit_except GET HEAD OPTIONS {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/users.pwd;
}
include proxy.conf;
}
}
}
它确实允许匿名拉取请求,但推送总是因“未经授权:需要身份验证”而失败。如果我删除条件
limit_except
,即需要对所有访问进行身份验证,登录后它就可以正常工作。当我从
nginx
中删除身份验证配置时完全,一切正常,但显然没有身份验证。任何帮助或指示将不胜感激。
最佳答案
我们一直在使用https://github.com/cesanta/docker_auth它工作得很好你可以设置许多身份验证方法
欲了解更多信息检查
https://github.com/cesanta/docker_auth/blob/master/README.md
关于docker - 仅针对推送请求使用基本身份验证保护 docker 注册表,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55009608/