Docker private registry behind an nginx reverse proxy

A Docker registry really provides two things: image management and authentication. The former is implemented mainly by the docker-registry project, which serves uploads and downloads over HTTP; the latter can be handled by the (closed-source) docker-index project or by an off-the-shelf front end such as nginx that controls the HTTP requests. This post takes the second route: nginx terminates TLS and enforces HTTP basic authentication in front of a registry that has no authentication of its own.


一、Install Docker, register the registry as trusted in the Docker service unit, restart the Docker service, and prepare an image to push.

vim /usr/lib/systemd/system/docker.service



二、Run the registry

The registry container listens on 10.1.0.50:5000, which is the upstream address used in the nginx configuration below.


三、Configure the nginx proxy

1、Install the build dependencies and nginx (the Tengine distribution is used here)

yum -y install wget httpd              # httpd pulls in httpd-tools, which provides the htpasswd command used in section 五
yum -y install pcre pcre-devel
yum -y install openssl openssl-devel
wget http:                             # download URL of the Tengine 2.1.2 tarball (truncated in the original)
tar zxf tengine-2.1.2.tar.gz
cd tengine-2.1.2
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install

2、Configure nginx

upstream docker-registry {
    server 10.1.0.50:5000;
}

server {
    listen 443;
    server_name docker.showjoy.net;
    client_max_body_size 300m;             # image layers are large; raise this if pushes fail with 413

    ssl on;                                # pre-1.15 syntax; newer nginx uses "listen 443 ssl;" instead
    ssl_certificate     /etc/ssl/certs/docker.showjoy.net.crt;
    ssl_certificate_key /etc/ssl/certs/docker.showjoy.net.key;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Authorization "";     # nginx does the authentication; the registry never sees the credentials
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Forwarded-By $server_addr:$server_port;
    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /usr/local/nginx/auth/htpasswd.txt;
        proxy_pass http://docker-registry;
    }

    location /v1/search {
        auth_basic off;                    # search is deliberately left open, so anyone can list image names
        proxy_pass http://docker-registry;
    }

    location /1 {
        auth_basic off;
        root /tmp/;
        autoindex on;                      # serves /tmp/1 as a directory listing, without authentication
    }
}

Two points to check before exposing this. First, every bit of authentication lives in nginx and the Authorization header is stripped before proxying, so the registry on 10.1.0.50:5000 accepts any request it receives: port 5000 must be reachable only from the proxy host, otherwise the basic auth can be bypassed by talking to the registry directly. Second, the location /1 block publishes the contents of /tmp/1 to anyone who can reach port 443; remove it unless that is intended. Basic auth credentials travel in cleartext inside TLS, which is fine here because only port 443 is served; do not add a plain HTTP listener for this server block.
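The following script is an added example (not part of the original post or of nginx) that checks the two risks discussed above. Its static half parses an nginx configuration file and prints every location whose effective auth_basic is off, tagging the ones that also serve a filesystem root with autoindex, so the /1 block above would be flagged. Its live half probes the deployed proxy with curl: it expects 401 without credentials and 200 with them, and then tries the registry port directly, which must fail. It assumes the registry speaks the v1 API (the post proxies /v1/search), so /v1/_ping is used as the probe URL; the default CA_FILE is the certificate path used in the post; the nginx.conf path is the default for the --prefix=/usr/local/nginx build.

```shell
#!/bin/sh
# audit_registry_proxy.sh: added example, not from the original post.
#   list_unauthenticated_locations CONF            static check of the nginx config
#   check_proxy BASE_URL USER:PASS REGISTRY_HOST:PORT  live check of the deployment
# Assumptions (not in the original): v1 registry API, so /v1/_ping is the probe URL;
# CA_FILE defaults to the self-signed certificate path used in the post.

# Parse an nginx config. auth_basic is inherited by nested blocks, so each block
# starts with the setting of its parent; a location is reported when its
# effective setting is "off". Locations that also serve a filesystem "root" with
# "autoindex on" get a LISTS-FILES tag: they publish a directory listing to
# anyone who can reach the proxy.
list_unauthenticated_locations() {
    awk '
    function handle(stmt, delim,    n, f, tag) {
        gsub(/^[ \t]+|[ \t]+$/, "", stmt)
        n = split(stmt, f, /[ \t]+/)
        if (delim == "{") {
            depth++
            auth[depth] = auth[depth - 1]
            name[depth] = (f[1] == "location") ? f[n] : ""
            root[depth] = ""; listing[depth] = ""
        } else if (delim == "}") {
            if (name[depth] != "" && auth[depth] == "off") {
                tag = (root[depth] != "" && listing[depth] == "on") ? " LISTS-FILES:" root[depth] : ""
                print name[depth] tag
            }
            depth--
        } else if (f[1] == "auth_basic") {
            auth[depth] = (f[2] == "off") ? "off" : "on"
        } else if (f[1] == "root") {
            root[depth] = f[2]
        } else if (f[1] == "autoindex") {
            listing[depth] = f[2]
        }
    }
    BEGIN { depth = 0; auth[0] = "off" }      # nothing is protected until auth_basic is set
    {
        line = $0
        sub(/#.*/, "", line)                   # drop comments
        buf = buf " " line
        while (match(buf, /[{};]/)) {          # a statement ends at "{", "}" or ";"
            handle(substr(buf, 1, RSTART - 1), substr(buf, RSTART, 1))
            buf = substr(buf, RSTART + 1)
        }
    }' "$1"
}

# Live probe of the deployed proxy. Expect 401 without credentials and 200 with
# them. It then connects straight to the registry port: if that answers, the
# nginx authentication is decorative, because clients can push and pull around it.
check_proxy() {
    base=$1; creds=$2; direct=$3
    : "${CA_FILE:=/etc/ssl/certs/docker.showjoy.net.crt}"   # trust the self-signed cert explicitly instead of curl -k
    unauth=$(curl -s --cacert "$CA_FILE" -o /dev/null -w '%{http_code}' "$base/v1/_ping")
    auth=$(curl -s --cacert "$CA_FILE" -u "$creds" -o /dev/null -w '%{http_code}' "$base/v1/_ping")
    echo "no credentials:   $unauth (expect 401)"
    echo "with credentials: $auth (expect 200)"
    if curl -s -m 3 -o /dev/null "http://$direct/v1/_ping"; then
        echo "WARNING: $direct answers directly; restrict it to the proxy host"
    else
        echo "direct access to $direct refused (good)"
    fi
}

# Usage: ./audit_registry_proxy.sh /usr/local/nginx/conf/nginx.conf
#        ./audit_registry_proxy.sh --live https://docker.showjoy.net hongxue:PASSWORD 10.1.0.50:5000
case "${1:-}" in
    "")     ;;
    --live) check_proxy "$2" "$3" "$4" ;;
    *)      list_unauthenticated_locations "$1" ;;
esac
```

Run against the configuration above, the static check prints /v1/search and "/1 LISTS-FILES:/tmp/"; a server-level auth_basic is inherited, so only locations that explicitly turn it off are reported.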

四、Generate the TLS key and certificate for the nginx server

1、Generate the private key

cd /etc/ssl/certs/
openssl genrsa -out docker.showjoy.net.key 2048

2、Generate the self-signed certificate, signed with the key from step 1 (the original ran openssl req with -newkey, which generated a second key and silently overwrote the first)

openssl req -x509 -key docker.showjoy.net.key -days 3650 -out docker.showjoy.net.pem -subj "/C=CN/ST=state/L=city/O=xxx/OU=docker.showjoy.net/CN=docker.showjoy.net"

The original -subj stopped at OU and set no CN. A TLS client checks the registry hostname against the certificate's subjectAltName (older clients fall back to the CN), so a certificate that carries neither cannot be verified for docker.showjoy.net and is only accepted by clients told to skip verification. The CN above fixes that for clients of this vintage; current Docker releases require a subjectAltName.

3、The .pem is already a PEM-encoded certificate; the .crt copy is the same file under the extension used in the ssl_certificate line, not a format conversion. (The original piped it through tee -a, which appends and would duplicate the certificate when run twice.)

cp docker.showjoy.net.pem /etc/ssl/certs/docker.showjoy.net.crt

Clients need the same certificate before they can access the registry: copy it to /etc/docker/certs.d/docker.showjoy.net/ca.crt on every Docker host that will log in, which is where Docker looks for a per-registry CA. The private key sits in the world-readable /etc/ssl/certs/ directory, so chmod 600 docker.showjoy.net.key; nginx reads it as root when it starts.
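The script below is an added example (not from the original post) that produces the certificate section 四 needs in one step, with both the CN and a subjectAltName carrying the registry hostname, which is what Docker's Go TLS client matches. It writes a small openssl config instead of using -addext so it also works on OpenSSL 1.0.x, and keeps the key 0600 from the moment it is written. The output directory, O=xxx (taken from the post's -subj) and the 730-day lifetime are assumptions; cert_matches_host is a small verification helper, also mine.

```shell
#!/bin/sh
# make_registry_cert.sh: added example, not from the original post.
# gen_registry_cert HOST OUTDIR  -> writes OUTDIR/HOST.key (0600) and OUTDIR/HOST.crt
# cert_matches_host CERT HOST    -> exit 0 if CERT is valid for HOST (SAN first, then CN)
gen_registry_cert() {
    host=$1; out=$2
    mkdir -p "$out"
    # Request config: CN and SAN both carry the hostname. The post's -subj set only OU,
    # so no client could match the name. O=xxx is the placeholder the post used.
    cat > "$out/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
O = xxx
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key file is created 0600 and never world-readable,
    # unlike a key dropped into /etc/ssl/certs/ with the default umask.
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -config "$out/$host.cnf" \
        -keyout "$out/$host.key" -out "$out/$host.crt" 2>/dev/null)
    chmod 644 "$out/$host.crt"      # the certificate is public; the key stays 0600
}

cert_matches_host() {
    # -checkhost applies the same name-matching rules a TLS client uses (OpenSSL 1.0.2+)
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Usage: ./make_registry_cert.sh docker.showjoy.net /etc/ssl/certs
# Then point ssl_certificate / ssl_certificate_key at the .crt / .key, and copy the
# .crt to /etc/docker/certs.d/docker.showjoy.net/ca.crt on each client host.
if [ $# -eq 2 ]; then
    gen_registry_cert "$1" "$2"
    cert_matches_host "$2/$1.crt" "$1" && echo "certificate is valid for $1"
fi
```

cert_matches_host reports a match for docker.showjoy.net and a mismatch for any other name; the post's OU-only certificate fails this check for every name, which is the quickest way to tell the two apart.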


五、Create a user account with the htpasswd tool (user name: hongxue)

mkdir -p /usr/local/nginx/auth
cd /usr/local/nginx/auth
htpasswd -c htpasswd.txt hongxue

The -c flag creates the file and overwrites an existing one; leave it out when adding further users. The file is read by nginx via auth_basic_user_file, so it should not be writable by the nginx worker user.


六、Other

1、Stop firewalld (this also uncovers whatever the registry publishes; if port 5000 is bound on an external interface, the nginx authentication can be bypassed by connecting to 10.1.0.50:5000 directly, so restrict that port to the proxy host)
2、Disable SELinux
3、Add an /etc/hosts entry for docker.showjoy.net (nginx is deployed locally and no DNS name is available)
4、Enable Docker at boot (systemctl enable docker.service)
5、Start nginx

七、Push an image

Seeing the error below: it is because I had not authenticated with nginx.

After I logged in a second time and ran docker push docker.showjoy.net/nginx again, it succeeded!

As you can see, I have now uploaded two images to the registry.

Original post: https://blog.csdn.net/wanglei_storage/article/details/51444432
