@CliffLin
Last active December 18, 2015 16:09

download nginx and compile it with the ldap_auth module

  • download nginx : wget http://nginx.org/download/nginx-1.9.9.tar.gz
  • download ldap_auth_module : git clone https://github.com/kvspb/nginx-auth-ldap
  • extract : tar -zxvf nginx-1.9.9.tar.gz
  • change into the nginx source directory : cd nginx-1.9.9
  • configure (the install prefix must be passed as --prefix; the --add-module path assumes the module was cloned into /root) :
```shell
./configure --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/bin/nginx \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/nginx.lock \
--user=http --group=http \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=stderr \
--http-client-body-temp-path=/var/lib/nginx/client-body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-mail --with-mail_ssl_module --with-ipv6 \
--with-pcre-jit --with-file-aio --with-http_dav_module \
--with-http_gunzip_module --with-http_gzip_static_module \
--with-http_realip_module --with-http_v2_module \
--with-http_ssl_module --with-http_stub_status_module \
--with-http_addition_module --with-http_degradation_module \
--with-http_flv_module --with-http_mp4_module \
--with-http_secure_link_module --with-http_sub_module \
--with-threads --with-stream --add-module=/root/nginx-auth-ldap
```
  • build and install : make install

configure nginx conf

  • nginx.conf (the server block has to sit inside the http block; the ldap_server block is provided by the nginx-auth-ldap module)
```nginx
http {
    # Add the Docker-Distribution-Api-Version header only when the registry
    # upstream did not already send it.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        'registry/2.0' '';
        default registry/2.0;
    }
    ldap_server ldapserver {
        url "ldaps://ldapmaster/dc=XXXX,dc=XXXX,dc=XXXX,dc=XXXX?uid?sub?(objectClass=person)";
    }
    ...
    server {
        listen 5000 ssl;
        server_name ***;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/***/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/***/privkey.pem;

        # TLSv1.1 is deprecated (RFC 8996); drop it unless an old client still needs it.
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # Image layers can be large: disable the request body size limit.
        client_max_body_size 0;

        chunked_transfer_encoding on;

        # HTTP Basic auth against LDAP; the string is the realm shown in the challenge.
        auth_ldap "Forbidden";
        auth_ldap_servers ldapserver;
        location / {
            include servers/docker-client;
            include servers/docker-registry;
        }
    }
}
```
  • servers/docker-client
```nginx
# Old docker clients (1.3 to 1.5, except 1.5.x-dev builds) and plain Go HTTP
# clients get a 404.
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
      return 404;
}
```
  • servers/docker-registry
```nginx
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass                          http://127.0.0.1:6000;
proxy_set_header  Host              $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_read_timeout                  900;
```

docker registry compose

  • docker-compose.yml
```yaml
registry:
  restart: always
  image: registry:2
  ports:
    # Published on all interfaces: host port 6000 is then reachable without
    # going through nginx (and so without LDAP auth). Binding it as
    # 127.0.0.1:6000:5000 limits it to the proxy on the same host.
    - 6000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
  volumes:
    - /root/registry/data:/var/lib/registry
```
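The nginx server block above and this compose file only protect the registry together: nginx enforces LDAP Basic auth over TLS, and the registry container must not be reachable any other way. The following script is an added example (not part of the gist, and not a docker or nginx tool) that checks exactly that offline. It embeds the gist's docker-compose.yml and an excerpt of the server block as constructed strings, parses the published ports with a minimal line-oriented reader (no PyYAML needed), and reports any host port published on a non-loopback address, a listener without TLS, a missing auth_ldap directive, or a deprecated TLS version. The loopback-only compose variant is the corrected setting beside the published one.

```python
"""Pre-deployment checks for an LDAP-gated Docker registry behind nginx.

Added example, not the gist's own code. It verifies that the registry is
reachable only through nginx, that the nginx listener terminates TLS (HTTP
Basic credentials travel with every request), that auth_ldap is present,
and that no deprecated TLS version is offered.
"""
import re

# Constructed copy of the gist's docker-compose.yml.
COMPOSE_AS_PUBLISHED = """\
registry:
  restart: always
  image: registry:2
  ports:
    - 6000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
  volumes:
    - /root/registry/data:/var/lib/registry
"""

# Same file with the host port bound to loopback, so only nginx can reach it.
COMPOSE_LOOPBACK_ONLY = COMPOSE_AS_PUBLISHED.replace("- 6000:5000", "- 127.0.0.1:6000:5000")

# Constructed excerpt of the gist's server block (only the directives checked here).
SERVER_BLOCK = """\
server {
        listen 5000 ssl;
        ssl_protocols TLSv1.1 TLSv1.2;
        auth_ldap "Forbidden";
        auth_ldap_servers ldapserver;
        location / {
                proxy_pass http://127.0.0.1:6000;
        }
}
"""

# "- [host_ip:]host_port:container_port", optionally quoted.
PORT_RE = re.compile(
    r'^\s*-\s*["\']?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<container>\d+)["\']?\s*$'
)


def compose_port_bindings(text):
    """Return (host_ip, host_port, container_port) for each entry under a ports: key.

    An entry without an explicit host IP is published on all interfaces,
    which Docker reports as 0.0.0.0.
    """
    bindings = []
    in_ports, ports_indent = False, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "ports:":
            in_ports, ports_indent = True, indent
            continue
        if in_ports and indent <= ports_indent:   # back at the parent level
            in_ports = False
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                bindings.append((m.group("ip") or "0.0.0.0",
                                 int(m.group("host")), int(m.group("container"))))
    return bindings


def externally_exposed(bindings):
    """Bindings reachable from other hosts, i.e. not bound to a loopback address."""
    return [b for b in bindings if not b[0].startswith("127.")]


def nginx_directive(block, name):
    """Arguments of the first `name ...;` directive in an nginx block, or None."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+([^;]+);', block, re.M)
    return m.group(1).split() if m else None


def frontend_findings(server_block):
    """Problems with the nginx server block that fronts the registry."""
    findings = []
    listen = nginx_directive(server_block, "listen") or []
    if "ssl" not in listen and nginx_directive(server_block, "ssl") != ["on"]:
        findings.append("listener is plain HTTP: Basic-auth credentials would be sent in clear text")
    if nginx_directive(server_block, "auth_ldap") is None:
        findings.append("auth_ldap missing: the registry would be reachable without credentials")
    weak = [p for p in nginx_directive(server_block, "ssl_protocols") or []
            if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        findings.append("ssl_protocols offers deprecated " + ", ".join(weak))
    return findings


def deployment_findings(compose_text, server_block):
    """Combine both checks: nginx's proxy_pass target must be the only way in."""
    findings = []
    for ip, host_port, container_port in externally_exposed(compose_port_bindings(compose_text)):
        findings.append(
            f"registry port {container_port} is published on {ip}:{host_port}; clients can "
            f"reach it directly, skipping nginx and LDAP auth (bind it as 127.0.0.1:{host_port}:{container_port})"
        )
    findings.extend(frontend_findings(server_block))
    return findings


if __name__ == "__main__":
    for label, compose in (("as published", COMPOSE_AS_PUBLISHED), ("loopback-only", COMPOSE_LOOPBACK_ONLY)):
        print(f"== compose {label} ==")
        for finding in deployment_findings(compose, SERVER_BLOCK) or ["no findings"]:
            print(" -", finding)
```

Run against the published files it reports two findings: the registry port published on 0.0.0.0:6000, which lets a client on the network talk to the registry directly and skip the LDAP gate, and the deprecated TLSv1.1 in ssl_protocols. With the loopback binding and TLSv1.2 only, it reports nothing.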