自建docker hub 容器缓存加速器,只加速官方镜像

文档说明:只记录关键地方;

docker hub 加速器 要实现的要求

加速器只允许 GET HEAD 请求方法

只允许docker-library/official-images通过加速器

控制允许通过加速器的路径,自己用自己配置map选项即可

docker-compose 配置

作为 registry.k8s.io、 k8s.gcr.io、 gcr.io 的镜像缓存,
只需要把 REGISTRY_PROXY_REMOTEURL 分别换成换成 registry.k8s.io、 k8s.gcr.io、 gcr.io、 quay.io等即可

version: "3"
services:
    docker-registry:
        image: registry:2
        container_name: registry-01
        restart: always
        expose:
            - "5000"
        volumes:
            - /data/tls:/tls
        #    - /data/data-box/docker-registry:/data   # 数据目录
        environment:
            - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
            #    - REGISTRY_PROXY_USERNAME=username
            #    - REGISTRY_PROXY_PASSWORD=password
            - REGISTRY_HTTP_TLS_CERTIFICATE=/tls/wildcard.xiaoshuogeng.com.fullchain.pem
            - REGISTRY_HTTP_TLS_KEY=/tls/wildcard.xiaoshuogeng.com.key.pem
            - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
    nginx-proxy:
        image: nginx:alpine
        container_name: nginx-proxy-docker-registry
        restart: always
        depends_on:
            - docker-registry
        ports:
            - "5000:443"
        volumes:
            - /data/tls:/tls
            - ./default.conf:/etc/nginx/conf.d/default.conf



nginx 配置

default.conf 配置信息

# 只允许docker-library/official-images通过

map $uri $allow_uri_flag {
    default 0 ;
    ~^/v2/library/.*? 1;
    ~^/v2/$ 1;
}
server {
    listen       443 ssl http2;
    server_name  docker.xiaoshuogeng.com;

    charset utf-8;

    ssl_certificate     /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols  TLSv1.3;
    ssl_prefer_server_ciphers off;


    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";


    # 判断请求方法是否是GET HEAD ,其他方法不允许
    set $allow_allow_request_method_flag 0;
    if ( $request_method = "GET"  ) {
        set $allow_allow_request_method_flag 1;
    }
    if ( $request_method = "HEAD" ) {
        set $allow_allow_request_method_flag 1;
    }

    if ( $allow_allow_request_method_flag != 1 ) {
         return 405 '{"status":"405","result":"请求方法不允许","message":"405"}';
    }

    if ( $allow_uri_flag != 1  ) {
        return 403 '{"status":"403","result":"请求URI不允许","message":"403"}';
    }


    location / {
        proxy_pass              https://docker-registry:5000;
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;

        proxy_set_header User-Agent $http_user_agent;
        proxy_pass_request_headers  on;
        proxy_pass_request_body  on;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_http_version 1.1;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on ;
        proxy_ssl_server_name on ;
    }

}


server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_reject_handshake on; #非服务器名称的 SSL 握手直接拒绝
    return 444;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}


阻止服务被滥用的办法: nginx IP地址白名单机制

在nginx的 default.conf 文件中添加如下配置
IP 白名单机制
下面介绍2种方法

# 方法一: 

# 允许通过的白名单
map $remote_addr $allow_client_ip_flag {
     default 0;
    '42.83.144.13'   1;
}



# 白名单以外的IP地址处理逻辑
if ( $allow_client_ip_flag != 1) {
     return 403 '{"status":"403","result":"ip is refused","message":"403"}';
}


# 方法二:

    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;

    allow 42.83.144.13;
    deny all;

备注

nginx的 这些配置项可以不要

        proxy_set_header User-Agent $http_user_agent;
        proxy_pass_request_headers  on;
        proxy_pass_request_body  on;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_http_version 1.1;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on ;
        proxy_ssl_server_name on ;

辅助工具,获取nginx 默认配置文件

#!/bin/bash

set -eux
__CURRENT__=`pwd`
__DIR__=$(cd "$(dirname "$0")";pwd)
cd ${__DIR__}

 mkdir -p conf
container_id=$(docker create nginx:alpine)  # returns container ID
docker cp $container_id:/etc/nginx/nginx.conf conf/nginx.conf
docker cp $container_id:/etc/nginx/mime.types conf/mime.types
docker cp $container_id:/etc/nginx/conf.d/default.conf conf/default.conf

docker rm $container_id


小工具 查看拉取容器速率和拉取次数 限制

TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
 
# 查看信息
curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest

参考文档

  1. 自建 docker hub 容器镜像缓存服务和加速服务
  2. containerd 使用加速器缓存
  3. nginx中自带的一些变量参数说明
  4. nginx regular-expression
  5. Nginx 位置正则表达式用法
  6. Nginx 位置正则表达式 验证
  7. 正则表达式
  8. ustclug/mirrorrequest/issues/276 提供常见docker镜像
  9. 容器的5种网络模式
  10. AtomHub 可信镜像中心
posted @ 2022-11-06 20:20  jingjingxyk  阅读(1143)  评论(0编辑  收藏  举报