在AWS上的Nginx后面部署https docker注册表

Question

我正在尝试在弹性负载均衡器后面的EC2实例上部署通用注册表实例（npm私有注册表+ docker私有注册表），并使用nginx作为反向代理。 这样做，我希望能够通过https并通过身份验证将npm软件包和docker.mydomain.org映像分别推送到registry.mydomain.org和docker.mydomain.org 。

为此，我遵循以下步骤：

1. 我从AWS控制台创建了一个EC2实例，并从安全组选项中打开了HTTP端口（例如8080）
2. 我使用HTTPS创建了一个新的负载均衡器，将其连接到实例的HTTP端口。
3. 我使用此配置创建了一个docker-compose.yml文件（我将verdaccio用作npm私有注册表，将Registry：2用作docker注册表：

version: '3'
    services:
      nginx:
        image: nginx:alpine
        container_name: nginx
        restart: always
        ports:
          - "80:80"
        volumes:
          - ./nginx:/etc/nginx/conf.d/
          - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
        links:
          - verdaccio:verdaccio
          - docker:docker

      verdaccio:
        image: verdaccio/verdaccio:latest
        container_name: verdaccio    
        restart: always
        ports:
          - "4873:4873"
        volumes:
          - ./registry:/verdaccio/conf
          - ./database/verdaccio:/verdaccio/storage 

      docker:
        image: registry:2
        container_name: docker
        restart: always
        ports:
          - "5000:5000"
        volumes:
          - ./database/docker:/var/lib/registry

4. Nginx配置（ nginx.conf ）为：

events {
        worker_connections  1024;
    }

    http {
        upstream docker-registry {
            server docker:5000;
        }

        upstream npm-registry {
            server verdaccio:4873;
        }

        ## Set a variable to help us decide if we need to add the
        ## 'Docker-Distribution-Api-Version' header.
        ## The registry always sets this header.
        ## In the case of nginx performing auth, the header will be unset
        ## since nginx is auth-ing before proxying.
        map $upstream_http_docker_distribution_api_version     $docker_distribution_api_version {
            '' 'registry/2.0';
        }

        # Healtcheck
        server {
            listen 80;
            location /healthcheck {
                access_log off;
                return 200;
            }
        }

        server {
            # Server options
            listen 80;
            charset utf-8;
            client_max_body_size 0;

            server_name registry.mydomain.org;

            # Proxy settings
            location / {
                access_log /var/log/nginx/verdaccio.log;
                proxy_pass http://npm-registry;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_ssl_session_reuse off;
                proxy_redirect off;
            }
        }

        server {
            # Server options
            listen 80;
            charset utf-8;
            client_max_body_size 0;

            # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
            chunked_transfer_encoding on;

            server_name docker.mydomain.org;

            # Authentication
            auth_basic "Registry realm";
            auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

            # Proxy settings
            location / {

                if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                    return 404;
                }

                ## If $docker_distribution_api_version is empty, the header will not be added.
                ## See the map directive above where this variable is defined.
                add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

                access_log /var/log/nginx/docker.log;
                proxy_pass http://docker-registry;
                proxy_read_timeout 900;
            }
        }
    }

5. 我使用编码的身份验证信息创建了一个nginx.htpasswd文件。

现在，注册表运行正常。 因此，如果我访问https://registry.mydomain.org我可以看到它，并且可以通过npm login --registry=https://registry.mydomain.org --scope=@myscope将npm软件包推送到它

但是，关于Docker注册表 ，虽然我绝对可以使用docker login -u user -p password登录到它，但是当我尝试向其推送映像时，docker客户端进入无限循环并继续尝试上传映像（使用没有成功）。 在服务器端，由于所有请求都以202 HTTP状态结束，因此Docker注册表的日志不会显示有关正在进行的操作的有用信息。

关于如何解决的任何提示？

Answer 1

我想到了。 我缺少一个proxy_set_header Host $host; 在Nginx代理配置中。

这样做：

server {
        # Server options
        listen 80;
        charset utf-8;
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;

        server_name docker.cubbit.net;

        # Authentication
        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

        # Proxy settings
        location / {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            ## If $docker_distribution_api_version is empty, the header will not be added.
            ## See the map directive above where this variable is defined.
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

            access_log /var/log/nginx/docker.log;
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
        }
    }

它开始完美运行。 希望这可以帮助某人。 我花了两天时间。