0x3333 · March 11, 2020 14:56
diff --git a/nginx.conf b/nginx.conf
 server {
  listen 80;
  server_name docker.yourdomain.com;

  return 301 https://$server_name$request_uri;
 }


 upstream registry {
    server 192.168.3.10:5000;
 }

 ## Set a variable to help us decide if we need to add the
 ## 'Docker-Distribution-Api-Version' header.
 ## The registry always sets this header.
 ## In the case of nginx performing auth, the header is unset
 ## since nginx is auth-ing before proxying.
 map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
 }

 server {
  listen 443 ssl http2;
  server_name docker.yourdomain.com;

  include include.d/00-ssl-yourdomain.com.conf;
  include include.d/10-ssl.conf;

  add_header Strict-Transport-Security max-age=31536000;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
  chunked_transfer_encoding on;

  # Enable basic authentication
  auth_basic "Docker Registry's Area";
  auth_basic_user_file /var/lib/docker/volumes/v_registry/_data/passfile;

  location /health {
    allow all;
    access_log off;
    return 200 'OK';
  }

 # Registry passthrough
  location ~ /v2.* {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
        return 404;
    }

    # Disable push, except for ALLOW_USER_NAME
    if ( $request_method ~ ^(POST|PUT|PATCH|DELETE)$ ) {
      set $REGISTRY_WRITE_BLOCK_1 "1";
    }
    set $REGISTRY_WRITE_BLOCK_2 "1";
    if ( $remote_user = "ALLOW_USER_NAME" ) {
      set $REGISTRY_WRITE_BLOCK_2 "0";
    }
    if ( $REGISTRY_WRITE_BLOCK_1 = $REGISTRY_WRITE_BLOCK_2 ) {
      add_header 'Content-Type' 'application/json charset=UTF-8';
      return 401 '{"errors": [{"code": "UNAUTHORIZED", "message": "Access Denied!", "detail": "Your user doesn\'t have write permission." }]}';
    }

    ## If $docker_distribution_api_version is empty, the header is not added.
    ## See the map directive above where this variable is defined.
    add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

    # kill cache
    add_header Last-Modified $date_gmt;
    add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    if_modified_since off;
    expires off;
    etag off;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout                 900;
    proxy_pass http://registry;
  }

 }
	server {
	listen 80;
	server_name docker.yourdomain.com;

	return 301 https://$server_name$request_uri;
	}


	upstream registry {
	server 192.168.3.10:5000;
	}

	## Set a variable to help us decide if we need to add the
	## 'Docker-Distribution-Api-Version' header.
	## The registry always sets this header.
	## In the case of nginx performing auth, the header is unset
	## since nginx is auth-ing before proxying.
	map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
	'' 'registry/2.0';
	}

	server {
	listen 443 ssl http2;
	server_name docker.yourdomain.com;

	include include.d/00-ssl-yourdomain.com.conf;
	include include.d/10-ssl.conf;

	add_header Strict-Transport-Security max-age=31536000;

	# disable any limits to avoid HTTP 413 for large image uploads
	client_max_body_size 0;

	# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
	chunked_transfer_encoding on;

	# Enable basic authentication
	auth_basic "Docker Registry's Area";
	auth_basic_user_file /var/lib/docker/volumes/v_registry/_data/passfile;

	location /health {
	allow all;
	access_log off;
	return 200 'OK';
	}

	# Registry passthrough
	location ~ /v2.* {
	# Do not allow connections from docker 1.5 and earlier
	# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
	if ($http_user_agent ~ "^(docker\/1\.(3\|4\|5(?!\.[0-9]-dev))\|Go ).*$" ) {
	return 404;
	}

	# Disable push, except for ALLOW_USER_NAME
	if ( $request_method ~ ^(POST\|PUT\|PATCH\|DELETE)$ ) {
	set $REGISTRY_WRITE_BLOCK_1 "1";
	}
	set $REGISTRY_WRITE_BLOCK_2 "1";
	if ( $remote_user = "ALLOW_USER_NAME" ) {
	set $REGISTRY_WRITE_BLOCK_2 "0";
	}
	if ( $REGISTRY_WRITE_BLOCK_1 = $REGISTRY_WRITE_BLOCK_2 ) {
	add_header 'Content-Type' 'application/json charset=UTF-8';
	return 401 '{"errors": [{"code": "UNAUTHORIZED", "message": "Access Denied!", "detail": "Your user doesn\'t have write permission." }]}';
	}

	## If $docker_distribution_api_version is empty, the header is not added.
	## See the map directive above where this variable is defined.
	add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

	# kill cache
	add_header Last-Modified $date_gmt;
	add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
	if_modified_since off;
	expires off;
	etag off;

	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_read_timeout 900;
	proxy_pass http://registry;
	}

	}