自建docker hub 容器缓存加速器,只加速官方镜像
文档说明:只记录关键地方;
docker hub 加速器 要实现的要求
加速器只允许 GET HEAD 请求方法
只允许docker-library/official-images通过加速器
控制允许通过加速器的路径,自己用自己配置map选项即可
docker-compose 配置
作为 registry.k8s.io、 k8s.gcr.io、 gcr.io 的镜像缓存,
只需要把 REGISTRY_PROXY_REMOTEURL 分别换成换成 registry.k8s.io、 k8s.gcr.io、 gcr.io、 quay.io等即可
version: "3"
services:
docker-registry:
image: registry:2
container_name: registry-01
restart: always
expose:
- "5000"
volumes:
- /data/tls:/tls
# - /data/data-box/docker-registry:/data # 数据目录
environment:
- REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
# - REGISTRY_PROXY_USERNAME=username
# - REGISTRY_PROXY_PASSWORD=password
- REGISTRY_HTTP_TLS_CERTIFICATE=/tls/wildcard.xiaoshuogeng.com.fullchain.pem
- REGISTRY_HTTP_TLS_KEY=/tls/wildcard.xiaoshuogeng.com.key.pem
- REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
nginx-proxy:
image: nginx:alpine
container_name: nginx-proxy-docker-registry
restart: always
depends_on:
- docker-registry
ports:
- "5000:443"
volumes:
- /data/tls:/tls
- ./default.conf:/etc/nginx/conf.d/default.conf
nginx 配置
default.conf 配置信息
# 只允许docker-library/official-images通过
map $uri $allow_uri_flag {
default 0 ;
~^/v2/library/.*? 1;
~^/v2/$ 1;
}
server {
listen 443 ssl http2;
server_name docker.xiaoshuogeng.com;
charset utf-8;
ssl_certificate /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer";
# 判断请求方法是否是GET HEAD ,其他方法不允许
set $allow_allow_request_method_flag 0;
if ( $request_method = "GET" ) {
set $allow_allow_request_method_flag 1;
}
if ( $request_method = "HEAD" ) {
set $allow_allow_request_method_flag 1;
}
if ( $allow_allow_request_method_flag != 1 ) {
return 405 '{"status":"405","result":"请求方法不允许","message":"405"}';
}
if ( $allow_uri_flag != 1 ) {
return 403 '{"status":"403","result":"请求URI不允许","message":"403"}';
}
location / {
proxy_pass https://docker-registry:5000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header User-Agent $http_user_agent;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_read_timeout 30s;
proxy_send_timeout 30s;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_verify off;
proxy_ssl_session_reuse on ;
proxy_ssl_server_name on ;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_reject_handshake on; #非服务器名称的 SSL 握手直接拒绝
return 444;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
阻止服务被滥用的办法: nginx IP地址白名单机制
在nginx的 default.conf 文件中添加如下配置
IP 白名单机制
下面介绍2种方法
# 方法一:
# 允许通过的白名单
map $remote_addr $allow_client_ip_flag {
default 0;
'42.83.144.13' 1;
}
# 白名单以外的IP地址处理逻辑
if ( $allow_client_ip_flag != 1) {
return 403 '{"status":"403","result":"ip is refused","message":"403"}';
}
# 方法二:
allow 192.168.1.0/24;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 42.83.144.13;
deny all;
备注
nginx的 这些配置项可以不要
proxy_set_header User-Agent $http_user_agent;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_read_timeout 30s;
proxy_send_timeout 30s;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_verify off;
proxy_ssl_session_reuse on ;
proxy_ssl_server_name on ;
辅助工具,获取nginx 默认配置文件
#!/bin/bash
set -eux
__CURRENT__=`pwd`
__DIR__=$(cd "$(dirname "$0")";pwd)
cd ${__DIR__}
mkdir -p conf
container_id=$(docker create nginx:alpine) # returns container ID
docker cp $container_id:/etc/nginx/nginx.conf conf/nginx.conf
docker cp $container_id:/etc/nginx/mime.types conf/mime.types
docker cp $container_id:/etc/nginx/conf.d/default.conf conf/default.conf
docker rm $container_id
小工具 查看拉取容器速率和拉取次数 限制
TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
# 查看信息
curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest