我正在尝试在 EC2 instance 上使用 nginx 作为反向代理部署一个通用注册表实例(npm私有注册表docker私有注册表) . 这样做我希望能够通过https和身份验证将npm包和docker映像分别推送到 registry.mydomain.org 和 docker.mydomain.org .
为此,我按照以下步骤操作:
-
我从AWS控制台创建了一个EC2实例,从安全组选项打开HTTP端口(例如8080)
-
我使用HTTPS创建了一个新的Load Balancer,将其连接到实例的HTTP端口 .
-
我使用此配置创建了一个
docker-compose.yml文件(我使用verdaccio作为npm私有注册表和registry:2作为docker注册表:
version: '3'
services:
nginx:
image: nginx:alpine
container_name: nginx
restart: always
ports:
- "80:80"
volumes:
- ./nginx:/etc/nginx/conf.d/
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
links:
- verdaccio:verdaccio
- docker:docker
verdaccio:
image: verdaccio/verdaccio:latest
container_name: verdaccio
restart: always
ports:
- "4873:4873"
volumes:
- ./registry:/verdaccio/conf
- ./database/verdaccio:/verdaccio/storage
docker:
image: registry:2
container_name: docker
restart: always
ports:
- "5000:5000"
volumes:
- ./database/docker:/var/lib/registry
- nginx配置( nginx.conf )是:
events {
worker_connections 1024;
}
http {
upstream docker-registry {
server docker:5000;
}
upstream npm-registry {
server verdaccio:4873;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
# Healtcheck
server {
listen 80;
location /healthcheck {
access_log off;
return 200;
}
}
server {
# Server options
listen 80;
charset utf-8;
client_max_body_size 0;
server_name registry.mydomain.org;
# Proxy settings
location / {
access_log /var/log/nginx/verdaccio.log;
proxy_pass http://npm-registry;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_ssl_session_reuse off;
proxy_redirect off;
}
}
server {
# Server options
listen 80;
charset utf-8;
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
server_name docker.mydomain.org;
# Authentication
auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
# Proxy settings
location / {
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
access_log /var/log/nginx/docker.log;
proxy_pass http://docker-registry;
proxy_read_timeout 900;
}
}
}
- 我使用编码的身份验证信息创建了一个
nginx.htpasswd文件 .
现在,注册表完美地运作了 . 所以如果我访问 https://registry.mydomain.org 我可以看到它,我可以通过 npm login --registry=https://registry.mydomain.org --scope=@myscope 将npm包推送到它
然而,关于 docker registry ,虽然我绝对可以使用 docker login -u user -p password 登录它,但是当我尝试将图像推送到它时,docker客户端进入无限循环并继续尝试上传图像(没有成功) . 在服务器端,docker注册表的日志没有显示有关正在进行的操作的有用信息,因为所有请求都以202 HTTP状态结束 .
关于如何解决它的任何提示?
1 回答
我想到了 . 我在nginx代理配置中缺少
proxy_set_header Host $host;.这样做:
它开始完美运作 . 希望这可以帮助别人 . 我花了两天时间 .