Nginx + Nexus3 https docker 告别配置 insecure-registries

1. 起因

公司用nexus3搭建docker的私仓,由于是http的所以到处都需要配置恶心的insecure-registries!?!
这都不是事儿,但是如果遇到要改这个配置,问题就严重了...

2. 解决办法

把私仓配置成https的就不需要配置了,所以赶紧找老板要了个证书,用nginx反代一波,
由于nexus pull 镜像是从聚合仓库,push镜像走私仓,所以pull跟push有两个端口,
需要根据http method反向代理一下,以下为nginx配置

server {
     #SSL 访问端口号为 443
     listen 443 ssl; 
     #填写绑定证书的域名
     server_name xxx.xxx.xxx; 
     #证书文件名称
     ssl_certificate /etc/nginx/certificates/xxx.xxx.xxx_bundle.crt; 
     #私钥文件名称
     ssl_certificate_key /etc/nginx/certificates/xxx.xxx.xxx.key; 
     ssl_session_timeout 5m;
     #请按照以下协议配置
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
     #请按照以下套件配置,配置加密套件,写法遵循 openssl 标准。
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
     ssl_prefer_server_ciphers on;
     location / {
          # pull 镜像
          if ($request_method ~* GET) {
                proxy_pass http://xxx.xxx.xxx:xx;
          }
          # push 镜像
          if ($request_method ~* POST) {
                proxy_pass http://xxx.xxx.xxx:xx;
          }
          if ($request_method ~* HEAD) {
                proxy_pass http://xxx.xxx.xxx:xx;
          }
          if ($request_method ~* PUT) {
                proxy_pass http://xxx.xxx.xxx:xx;
          }
          if ($request_method ~* PATCH) {
                proxy_pass http://xxx.xxx.xxx:xx;
          }
          proxy_set_header  Host       $host;
          proxy_set_header  X-Real-IP    $remote_addr;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto https; # 转发时使用https协议
          proxy_max_temp_file_size 0;
          # This is the maximum upload size
          client_max_body_size    1024m;             #要设置大一点不然push镜像push不上去
          client_body_buffer_size  128k;
          proxy_connect_timeout   90;
          proxy_send_timeout     90;
          proxy_read_timeout     90;
          proxy_temp_file_write_size 64k;
          # Required for new HTTP-based CLI
          proxy_http_version 1.1;
          proxy_buffering off; # Required for HTTP-based CLI to work over SSL
     }
}

刚开始按照腾讯云给的配置,pull镜像依然不对,百度好久得到一个大佬的解决方案

posted @ 2020-10-15 18:56  whyfate  阅读(2605)  评论(0编辑  收藏  举报