Nginx + Nexus3 https docker 告别配置 insecure-registries
1. 起因
公司用nexus3搭建docker的私仓,由于是http的所以到处都需要配置恶心的insecure-registries!?!
这都不是事儿,但是如果遇到要改这个配置,问题就严重了...
2. 解决办法
把私仓配置成https的就不需要配置了,所以赶紧找老板要了个证书,用nginx反代一波,
由于nexus pull 镜像是从聚合仓库,push镜像走私仓,所以pull跟push有两个端口,
需要根据http method反向代理一下,以下为nginx配置
server {
#SSL 访问端口号为 443
listen 443 ssl;
#填写绑定证书的域名
server_name xxx.xxx.xxx;
#证书文件名称
ssl_certificate /etc/nginx/certificates/xxx.xxx.xxx_bundle.crt;
#私钥文件名称
ssl_certificate_key /etc/nginx/certificates/xxx.xxx.xxx.key;
ssl_session_timeout 5m;
#请按照以下协议配置
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#请按照以下套件配置,配置加密套件,写法遵循 openssl 标准。
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
# pull 镜像
if ($request_method ~* GET) {
proxy_pass http://xxx.xxx.xxx:xx;
}
# push 镜像
if ($request_method ~* POST) {
proxy_pass http://xxx.xxx.xxx:xx;
}
if ($request_method ~* HEAD) {
proxy_pass http://xxx.xxx.xxx:xx;
}
if ($request_method ~* PUT) {
proxy_pass http://xxx.xxx.xxx:xx;
}
if ($request_method ~* PATCH) {
proxy_pass http://xxx.xxx.xxx:xx;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # 转发时使用https协议
proxy_max_temp_file_size 0;
# This is the maximum upload size
client_max_body_size 1024m; #要设置大一点不然push镜像push不上去
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_temp_file_write_size 64k;
# Required for new HTTP-based CLI
proxy_http_version 1.1;
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
}
}