Self-hosted Docker Hub pull-through cache that only accelerates official images
Documentation note: only the key points are recorded.
Requirements for the Docker Hub accelerator
- The accelerator only accepts the GET and HEAD request methods.
- Only docker-library/official-images may pass through the accelerator.
- Which paths are allowed through the accelerator is controlled by the nginx map block; adjust it to your own needs.
docker-compose configuration
To use the same setup as a mirror cache for registry.k8s.io, k8s.gcr.io or gcr.io, replace REGISTRY_PROXY_REMOTEURL with https://registry.k8s.io, https://k8s.gcr.io, https://gcr.io, https://quay.io and so on. A registry:2 instance in proxy mode mirrors exactly one upstream, so run a separate docker-registry service (with its own nginx server block or published port) per upstream, and adjust the allowed-path map in the nginx configuration: the /v2/library/ prefix is specific to Docker Hub official images and does not exist on those registries.
Clients reach the mirror at https://docker.xiaoshuogeng.com:5000 (nginx's port 443 is published as host port 5000). Docker's registry-mirrors daemon setting only applies to pulls from Docker Hub, which matches this mirror serving only official images.

```yaml
version: "3"
services:
  docker-registry:
    image: registry:2
    container_name: registry-01
    restart: always
    expose:
      - "5000"
    volumes:
      - /data/tls:/tls
      # - /data/data-box/docker-registry:/data   # data directory
    environment:
      - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
      # - REGISTRY_PROXY_USERNAME=username
      # - REGISTRY_PROXY_PASSWORD=password
      - REGISTRY_HTTP_TLS_CERTIFICATE=/tls/wildcard.xiaoshuogeng.com.fullchain.pem
      - REGISTRY_HTTP_TLS_KEY=/tls/wildcard.xiaoshuogeng.com.key.pem
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy-docker-registry
    restart: always
    depends_on:
      - docker-registry
    ports:
      - "5000:443"
    volumes:
      - /data/tls:/tls
      - ./default.conf:/etc/nginx/conf.d/default.conf
```
nginx configuration
default.conf contents. The method and URI checks sit in the server block, before the location, so a disallowed request is answered by nginx and never reaches the registry. The map keys on $uri, which nginx has already percent-decoded and normalized (dot segments resolved, repeated slashes merged), so a request for /v2/library/../someorg/image/manifests/latest is matched as /v2/someorg/... and rejected; keying on the raw $request_uri would not give that guarantee.

```nginx
# Only allow docker-library/official-images through
map $uri $allow_uri_flag {
    default 0;
    ~^/v2/library/.*? 1;
    ~^/v2/$ 1;
}

server {
    listen 443 ssl http2;
    server_name docker.xiaoshuogeng.com;
    charset utf-8;

    ssl_certificate /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";

    # Check whether the request method is GET or HEAD; every other method is rejected
    set $allow_request_method_flag 0;
    if ( $request_method = "GET" ) {
        set $allow_request_method_flag 1;
    }
    if ( $request_method = "HEAD" ) {
        set $allow_request_method_flag 1;
    }
    if ( $allow_request_method_flag != 1 ) {
        return 405 '{"status":"405","result":"request method not allowed","message":"405"}';
    }
    if ( $allow_uri_flag != 1 ) {
        return 403 '{"status":"403","result":"request URI not allowed","message":"403"}';
    }

    location / {
        proxy_pass https://docker-registry:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header User-Agent $http_user_agent;
        proxy_pass_request_headers on;
        proxy_pass_request_body on;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_http_version 1.1;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # The backend is the registry container on the private compose network; it presents
        # the same wildcard certificate, which does not match the name "docker-registry",
        # so verification is off here. Do not reuse this setting for a backend reached over a shared network.
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }
}

# Any TLS connection that is not for the server name above is dropped
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_reject_handshake on; # reject TLS handshakes that are not for our server name
    return 444;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
```
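The following is an added example, not code from the original post: an offline model of the method and URI policy in default.conf, the request sequence a docker pull of an official image generates, and an optional live probe against a deployed mirror. It assumes the mirror URL https://docker.xiaoshuogeng.com:5000 from the configuration above; the probe function and the placeholder blob digest are this example's own constructions.

```python
# Added example (not from the original post): offline model of the nginx policy plus a live probe.
import posixpath
import re
import urllib.error
import urllib.parse
import urllib.request

# Same rules as default.conf: only GET/HEAD, and only /v2/ itself or /v2/library/...
ALLOWED_METHODS = {"GET", "HEAD"}        # nginx compares $request_method exactly (case-sensitive)
ALLOWED_URI = re.compile(r"^/v2/(library/|$)")


def normalize_uri(raw_target):
    """Approximate nginx's $uri: query string removed, percent-decoded,
    repeated slashes merged and '.'/'..' segments resolved.
    This is why the map keys on $uri and not on the raw $request_uri."""
    path = raw_target.split("?", 1)[0]
    path = urllib.parse.unquote(path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                      # normpath drops the trailing slash the /v2/ rule needs
    return norm


def decide(method, raw_target):
    """Status nginx answers with before anything reaches the registry:
    405 for a disallowed method, 403 for a disallowed path, 200 when proxied."""
    if method not in ALLOWED_METHODS:    # the method check runs first in default.conf
        return 405
    if not ALLOWED_URI.match(normalize_uri(raw_target)):
        return 403
    return 200


def pull_requests(image, tag, digest="sha256:" + "0" * 64):
    """Requests a client issues for `docker pull <image>:<tag>` of an official image
    (constructed sequence; the blob digest is a placeholder, not a real layer)."""
    repo = f"/v2/library/{image}"
    return [
        ("GET", "/v2/"),
        ("HEAD", f"{repo}/manifests/{tag}"),
        ("GET", f"{repo}/manifests/{tag}"),
        ("GET", f"{repo}/blobs/{digest}"),
    ]


def probe(base_url, method, path):
    """Live check against a deployed mirror; returns the HTTP status code."""
    req = urllib.request.Request(base_url + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://docker.xiaoshuogeng.com:5000"  # assumed
    cases = pull_requests("nginx", "latest") + [
        ("GET", "/v2/bitnami/nginx/manifests/latest"),             # not an official image -> 403
        ("GET", "/v2/library/../bitnami/nginx/manifests/latest"),  # traversal collapses -> 403
        ("POST", "/v2/library/nginx/blobs/uploads/"),              # push attempt -> 405
        ("DELETE", "/v2/library/nginx/manifests/latest"),          # -> 405
    ]
    for method, path in cases:
        expected = decide(method, path)
        actual = probe(base, method, path)
        # allowed requests are answered by the registry (200, or 404 for the placeholder blob)
        ok = actual == expected if expected != 200 else actual in (200, 404)
        print(f"{'OK ' if ok else 'BAD'} {method:6} {path} expected={expected} actual={actual}")
```

Run it with the mirror URL as the first argument after deploying; any BAD line for a 403 or 405 case means a request that should have been stopped by nginx reached the registry.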
How to stop the service being abused: an nginx client-IP allowlist
Add the following configuration to nginx's default.conf.
IP allowlist
Two methods are shown below. With either one, $remote_addr is the peer address as the nginx container sees it; check the nginx access log that clients arriving through the published port show their real addresses rather than the Docker bridge gateway before relying on it.

Method 1: the map goes at the top of default.conf (http context), and the if goes inside the server block next to the method and URI checks, before the location.

```nginx
# Method 1:
# allowlist of permitted clients
map $remote_addr $allow_client_ip_flag {
    default 0;
    '42.83.144.13' 1;
}

# handling for addresses outside the allowlist
if ( $allow_client_ip_flag != 1 ) {
    return 403 '{"status":"403","result":"ip is refused","message":"403"}';
}
```

Method 2: allow/deny go inside the server or location block; rules are evaluated in order and the first match wins, so deny all must come last. Denied clients receive 403.

```nginx
# Method 2:
allow 192.168.1.0/24;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 42.83.144.13;
deny all;
```
Notes
These nginx directives can be left out:

```nginx
proxy_set_header User-Agent $http_user_agent;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_read_timeout 30s;
proxy_send_timeout 30s;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_verify off;
proxy_ssl_session_reuse on;
proxy_ssl_server_name on;
```
Helper: extract nginx's default configuration files from the image

```bash
#!/bin/bash
set -eux
__CURRENT__=$(pwd)
__DIR__=$(cd "$(dirname "$0")"; pwd)
cd "${__DIR__}"
mkdir -p conf
container_id=$(docker create nginx:alpine)   # returns the container ID without starting it
docker cp "${container_id}":/etc/nginx/nginx.conf conf/nginx.conf
docker cp "${container_id}":/etc/nginx/mime.types conf/mime.types
docker cp "${container_id}":/etc/nginx/conf.d/default.conf conf/default.conf
docker rm "${container_id}"
```
Small tool: check the pull rate limit and remaining pull count
The HEAD request returns the limit in the ratelimit-limit and ratelimit-remaining response headers (for example 100;w=21600, a count per 21600-second window), and the HEAD itself does not consume a pull. Run it directly against Docker Hub: the mirror's map would reject the /v2/ratelimitpreview/ path with 403. Anonymous pulls made by the mirror count against the mirror host's public IP address; set REGISTRY_PROXY_USERNAME/REGISTRY_PROXY_PASSWORD to have them counted against an account instead.

```bash
TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
# show the rate-limit headers
curl -s --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
```
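As an added example (not part of the original post), the same check done in Python so that the headers are parsed into numbers rather than read by eye, including the 429 case, in which Docker Hub still sends the headers. The sample response below is constructed, not a real capture; the fetch_ratelimit function and its optional account credentials are this example's own additions.

```python
# Added example (not from the original post): parse Docker Hub's rate-limit headers.
import base64
import json
import re
import urllib.error
import urllib.request

TOKEN_URL = ("https://auth.docker.io/token"
             "?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull")
MANIFEST_URL = "https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest"

# Constructed sample of the headers Docker Hub returns on the HEAD request (not a real capture).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
content-type: application/vnd.docker.distribution.manifest.v1+prettyjws
ratelimit-limit: 100;w=21600
ratelimit-remaining: 96;w=21600
docker-ratelimit-source: 203.0.113.7
"""


def parse_ratelimit(header_text):
    """Return {'limit', 'remaining', 'window_seconds', 'source'} from the ratelimit
    headers, or None when they are absent (no limit applies to the identity used)."""
    result = {}
    for raw in header_text.splitlines():
        line = raw.strip()
        m = re.match(r"(?i)^ratelimit-(limit|remaining):\s*(\d+);w=(\d+)", line)
        if m:
            result[m.group(1).lower()] = int(m.group(2))
            result["window_seconds"] = int(m.group(3))
            continue
        m = re.match(r"(?i)^docker-ratelimit-source:\s*(\S+)", line)
        if m:
            result["source"] = m.group(1)
    return result or None


def headers_to_text(headers):
    """Flatten an http.client.HTTPMessage (or a plain dict) into 'name: value' lines."""
    return "\n".join(f"{name}: {value}" for name, value in headers.items())


def fetch_ratelimit(username=None, password=None):
    """Live check: fetch a pull token (anonymous, or for the account the mirror uses via
    REGISTRY_PROXY_USERNAME/PASSWORD) and HEAD the test manifest."""
    token_req = urllib.request.Request(TOKEN_URL)
    if username:
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        token_req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(token_req, timeout=10) as resp:
        token = json.load(resp)["token"]
    req = urllib.request.Request(MANIFEST_URL, method="HEAD")
    req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_ratelimit(headers_to_text(resp.headers))
    except urllib.error.HTTPError as err:   # a 429 response still carries the headers
        return parse_ratelimit(headers_to_text(err.headers))


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else None
    pw = sys.argv[2] if len(sys.argv) > 2 else None
    print(fetch_ratelimit(user, pw))
```

Run it on the mirror host itself (without arguments) to see the anonymous budget its public IP has left; run it with the account credentials configured in REGISTRY_PROXY_USERNAME/PASSWORD to see the account's budget.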