在AWS上的Nginx后面部署https docker注冊表

Question

我正在嘗試在彈性負載均衡器后面的EC2實例上部署通用注冊表實例（npm私有注冊表+ docker私有注冊表），並使用nginx作為反向代理。 這樣做，我希望能夠通過https並通過身份驗證將npm軟件包和docker.mydomain.org映像分別推送到registry.mydomain.org和docker.mydomain.org 。

為此，我遵循以下步驟：

1. 我從AWS控制台創建了一個EC2實例，並從安全組選項中打開了HTTP端口（例如8080）
2. 我使用HTTPS創建了一個新的負載均衡器，將其連接到實例的HTTP端口。
3. 我使用此配置創建了一個docker-compose.yml文件（我將verdaccio用作npm私有注冊表，將Registry：2用作docker注冊表：

version: '3'
    services:
      nginx:
        image: nginx:alpine
        container_name: nginx
        restart: always
        ports:
          - "80:80"
        volumes:
          - ./nginx:/etc/nginx/conf.d/
          - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
        links:
          - verdaccio:verdaccio
          - docker:docker

      verdaccio:
        image: verdaccio/verdaccio:latest
        container_name: verdaccio    
        restart: always
        ports:
          - "4873:4873"
        volumes:
          - ./registry:/verdaccio/conf
          - ./database/verdaccio:/verdaccio/storage 

      docker:
        image: registry:2
        container_name: docker
        restart: always
        ports:
          - "5000:5000"
        volumes:
          - ./database/docker:/var/lib/registry

4. Nginx配置（ nginx.conf ）為：

events {
        worker_connections  1024;
    }

    http {
        upstream docker-registry {
            server docker:5000;
        }

        upstream npm-registry {
            server verdaccio:4873;
        }

        ## Set a variable to help us decide if we need to add the
        ## 'Docker-Distribution-Api-Version' header.
        ## The registry always sets this header.
        ## In the case of nginx performing auth, the header will be unset
        ## since nginx is auth-ing before proxying.
        map $upstream_http_docker_distribution_api_version     $docker_distribution_api_version {
            '' 'registry/2.0';
        }

        # Healtcheck
        server {
            listen 80;
            location /healthcheck {
                access_log off;
                return 200;
            }
        }

        server {
            # Server options
            listen 80;
            charset utf-8;
            client_max_body_size 0;

            server_name registry.mydomain.org;

            # Proxy settings
            location / {
                access_log /var/log/nginx/verdaccio.log;
                proxy_pass http://npm-registry;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_ssl_session_reuse off;
                proxy_redirect off;
            }
        }

        server {
            # Server options
            listen 80;
            charset utf-8;
            client_max_body_size 0;

            # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
            chunked_transfer_encoding on;

            server_name docker.mydomain.org;

            # Authentication
            auth_basic "Registry realm";
            auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

            # Proxy settings
            location / {

                if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                    return 404;
                }

                ## If $docker_distribution_api_version is empty, the header will not be added.
                ## See the map directive above where this variable is defined.
                add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

                access_log /var/log/nginx/docker.log;
                proxy_pass http://docker-registry;
                proxy_read_timeout 900;
            }
        }
    }

5. 我使用編碼的身份驗證信息創建了一個nginx.htpasswd文件。

現在，注冊表運行正常。 因此，如果我訪問https://registry.mydomain.org我可以看到它，並且可以通過npm login --registry=https://registry.mydomain.org --scope=@myscope將npm軟件包推送到它

但是，關於Docker注冊表 ，雖然我絕對可以使用docker login -u user -p password登錄到它，但是當我嘗試向其推送映像時，docker客戶端進入無限循環並繼續嘗試上傳映像（使用沒有成功）。 在服務器端，由於所有請求都以202 HTTP狀態結束，因此Docker注冊表的日志不會顯示有關正在進行的操作的有用信息。

關於如何解決的任何提示？

Answer 1

我想到了。 我缺少一個proxy_set_header Host $host; 在Nginx代理配置中。

這樣做：

server {
        # Server options
        listen 80;
        charset utf-8;
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
        chunked_transfer_encoding on;

        server_name docker.cubbit.net;

        # Authentication
        auth_basic "Registry realm";
        auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;

        # Proxy settings
        location / {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            ## If $docker_distribution_api_version is empty, the header will not be added.
            ## See the map directive above where this variable is defined.
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

            access_log /var/log/nginx/docker.log;
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
        }
    }

它開始完美運行。 希望這可以幫助某人。 我花了兩天時間。