nginx proxy nexus3 docker mirror
# Backend listeners on the Nexus host. Both are plain HTTP on the LAN, so TLS
# terminates at this proxy and nothing below re-encrypts toward Nexus.
upstream nexus_admin {
    # Nexus main listener: receives browser traffic and the npm repositories
    # (see the routing in the server block).
    server 192.168.2.233:8081;
}
upstream nexus_registry {
    # Nexus Docker connector that acts as the registry mirror.
    server 192.168.2.233:8082;
}
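server {
    # NOTE(review): port 80 is served in the clear alongside 443. Docker and npm
    # clients put an Authorization header on every request, so anything that
    # reaches this vhost over HTTP (an `insecure-registries` fallback, curl)
    # sends credentials in plaintext. Drop `listen 80`, or redirect it to
    # https, once all clients are known to trust the certificate below.
    listen 80;
    listen 443 ssl;
    server_name registry.docker.com;

    # The access log is the only audit trail for a proxy that forwards (and,
    # below, substitutes) credentials; sending it to /dev/null leaves nothing
    # to investigate after an incident.
    access_log /var/nginx/logs/registry.docker.com.access.log;
    error_log  /var/nginx/logs/registry.docker.com.error.log;

    ssl_certificate     /etc/nginx/cert/registry.docker.com_server.crt;
    ssl_certificate_key /etc/nginx/cert/registry.docker.com.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 20m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); Docker, JVM and curl clients all
    # negotiate 1.2. The TLSv1.3 token needs nginx >= 1.13 built against
    # OpenSSL 1.1.1 — drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AES:EECDH+CHACHA20;
    add_header X-Frame-Options SAMEORIGIN;

    # Docker sends no Authorization header on an anonymous pull and, with
    # "Force basic authentication" enabled on the Nexus Docker connector, Nexus
    # answers 401, which the client reports as "unauthorized: access to the
    # requested resource is not authorized" (NEXUS-10813, moby/moby#30880).
    # Work around it by supplying credentials on the client's behalf when it
    # sends none.
    #
    # SECURITY: the fallback token in the original revision was labelled
    # anonymous:anonymous but its base64 begins with `YWRtaW46` (`admin:`), i.e.
    # it was the Nexus `admin` account — every unauthenticated request was
    # executed with full admin rights, and that password was published with
    # this file. Rotate it. The token below really is `anonymous:anonymous`,
    # and it is only substituted for read methods so that an anonymous
    # PUT/POST/DELETE reaches Nexus unauthenticated and is refused there.
    # (Assumes a Nexus user `anonymous` with password `anonymous` and read-only
    # privileges exists — confirm under Security > Users. Disabling "Force basic
    # authentication" on the Docker connector removes the need for this block.)
    set $authorization $http_authorization;
    set $anon_fallback 0;
    if ($http_authorization = '') {
        set $anon_fallback 1;
    }
    if ($request_method !~ "^(GET|HEAD)$") {
        set $anon_fallback 0;
    }
    if ($anon_fallback = 1) {
        set $authorization "Basic YW5vbnltb3VzOmFub255bW91cw==";
    }

    # Docker Registry API -> Nexus Docker connector (port 8082).
    location ~ ^/(v1|v2)/ {
        proxy_pass http://nexus_registry;
        proxy_set_header Authorization     $authorization;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    # npm repositories -> Nexus main listener (port 8081). The same
    # Authorization substitution applies, so anonymous npm installs work and
    # anonymous publishes are rejected by Nexus.
    location ~* ^/repository/npm-.+$ {
        proxy_pass http://nexus_admin;
        proxy_set_header Authorization     $authorization;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    # Everything else: Docker-style clients go to the Docker connector,
    # browsers to the Nexus main listener.
    location / {
        # No body limit and chunked uploads, so large layers do not hit 413/411.
        client_max_body_size 0;
        chunked_transfer_encoding on;
        # add_header is not inherited once a location defines its own, so the
        # server-level X-Frame-Options has to be repeated here. The original
        # also had a stray ':' in the header name, which nginx emitted verbatim
        # as `Docker-Distribution-Api-Version::`.
        add_header X-Frame-Options SAMEORIGIN;
        add_header Docker-Distribution-Api-Version 'registry/2.0' always;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Routing on User-Agent is a convenience, not a control: any client can
        # send a browser UA and reach nexus_admin, so Nexus itself must enforce
        # authentication there. Default to the registry so that clients whose
        # UA matches neither list (containerd, skopeo, podman, ...) still get a
        # proxied answer instead of nginx's local document root, which is what
        # the original `if`-only routing fell through to.
        set $target nexus_registry;
        if ($http_user_agent ~* "Chrome|Mozilla|Firefox") {
            set $target nexus_admin;
        }
        proxy_pass http://$target;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_redirect off;
    }
}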

hanrw commented May 22, 2020

Revised configuration: split Docker traffic between the proxy (mirror) connector for pulls and the hosted connector for pushes.

# Backend listeners on the Nexus host. All three are plain HTTP on the LAN, so
# TLS terminates at this proxy and nothing below re-encrypts toward Nexus.
upstream nexus_admin {
    # Nexus main listener: browser traffic and the npm repositories.
    server 192.168.2.233:8081;
}
upstream nexus_registry {
    # Docker proxy connector: serves pulls through the mirror.
    server 192.168.2.233:8082;
}
upstream nexus_docker_hosted {
    # Docker hosted connector: receives pushes.
    server 192.168.2.233:8083;
}

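server {
    # NOTE(review): port 80 is served in the clear alongside 443; every Docker
    # and npm request carries an Authorization header, so clients that reach
    # this vhost over HTTP send credentials in plaintext. Drop `listen 80`, or
    # redirect it to https, once all clients trust the certificate below.
    listen 80;
    listen 443 ssl;
    server_name registry.docker.com;

    # Keep an access log: this proxy forwards and (below) substitutes
    # credentials, and /dev/null leaves no audit trail of who pushed what.
    access_log /var/nginx/logs/registry.docker.com.access.log;
    error_log  /var/nginx/logs/registry.docker.com.error.log;

    ssl_certificate     /etc/nginx/cert/registry.docker.com_server.crt;
    ssl_certificate_key /etc/nginx/cert/registry.docker.com.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 20m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); the TLSv1.3 token needs nginx
    # >= 1.13 with OpenSSL 1.1.1 — drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AES:EECDH+CHACHA20;
    add_header X-Frame-Options SAMEORIGIN;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Anonymous `docker pull` sends no Authorization header and Nexus answers
    # 401 when "Force basic authentication" is on (NEXUS-10813,
    # moby/moby#30880); supply credentials on the client's behalf when it
    # sends none.
    #
    # SECURITY: the original fallback token was labelled anonymous:anonymous
    # but its base64 begins with `YWRtaW46` (`admin:`) — it was the Nexus
    # `admin` account. Combined with the method-based routing below, that let
    # any unauthenticated client push to or delete from the hosted repository
    # as admin, and the password was published with this file; rotate it. The
    # token below really is `anonymous:anonymous`, and it is only substituted
    # for read methods so an anonymous PUT/POST/DELETE reaches Nexus without
    # credentials and is refused there. (Assumes a Nexus user `anonymous` /
    # `anonymous` with read-only privileges exists — confirm under
    # Security > Users. Turning off "Force basic authentication" on the Docker
    # connectors removes the need for this block.)
    set $authorization $http_authorization;
    set $anon_fallback 0;
    if ($http_authorization = '') {
        set $anon_fallback 1;
    }
    if ($request_method !~ "^(GET|HEAD)$") {
        set $anon_fallback 0;
    }
    if ($anon_fallback = 1) {
        set $authorization "Basic YW5vbnltb3VzOmFub255bW91cw==";
    }

    # Docker Registry API. GET goes to the proxy/mirror connector; every other
    # method (blob uploads, manifest PUT, DELETE) to the hosted connector.
    location ~ ^/(v1|v2)/ {
        set $target nexus_docker_hosted;
        if ($request_method = GET) {
            set $target nexus_registry;
        }
        # NOTE(review): HEAD does not match the condition above, so blob
        # existence checks during a push and HEAD manifest lookups go to the
        # hosted connector; decide whether that is intended or add HEAD. A
        # Nexus Docker *group* repository fronting both connectors would make
        # this method-based routing unnecessary.
        proxy_pass http://$target;
        proxy_set_header Authorization     $authorization;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    # npm repositories -> Nexus main listener (port 8081), with the same
    # read-only Authorization substitution.
    location ~* ^/repository/npm-.+$ {
        proxy_pass http://nexus_admin;
        proxy_set_header Authorization     $authorization;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    # Everything else. client_max_body_size / chunked_transfer_encoding are
    # inherited from the server level and need not be repeated here.
    location / {
        # add_header is not inherited once a location defines its own, so the
        # server-level X-Frame-Options is repeated. The original header name
        # carried a stray ':' that nginx emitted verbatim
        # (`Docker-Distribution-Api-Version::`).
        add_header X-Frame-Options SAMEORIGIN;
        add_header Docker-Distribution-Api-Version 'registry/2.0' always;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Default: docker pull -> proxy connector.
        set $target nexus_registry;
        # POST (start of a blob upload) -> hosted connector. The original
        # pointed this at `nexus_docker_group`, which is not declared as an
        # upstream in this config; with a variable proxy_pass nginx then tries
        # to resolve it via DNS and, lacking a `resolver`, fails the request.
        if ($request_method = POST) {
            set $target nexus_docker_hosted;
        }
        # Browser UAs -> Nexus main listener. UA routing is spoofable, so the
        # Nexus UI must enforce its own authentication. Clients matching
        # neither UA list (containerd, skopeo, podman, ...) now get the
        # registry default instead of nginx's local document root.
        if ($http_user_agent ~* "Chrome|Mozilla|Firefox") {
            set $target nexus_admin;
        }
        proxy_pass http://$target;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_redirect off;
    }
}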
