1、生成證書
安裝openssl
>>>yum -y install openssl >>>yum -y install openssl-devel
生成openssl證書
>>>openssl req -x509 -nodes -days 365 -subj '/CN='test.registry.com -newkey rsa:4096 -keyout certs/registry.key -out certs/registry.crt #把證書生成到certs/目錄下,生成一個test.registry.com域名證書
2、啓動容器
啓動Registry容器+證書
>>>docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=certs/registry.key registry:0.9.1
3、測試Registry是否可用
建立證書存放路徑並拷貝證書
>>>mkdir /etc/docker/certs.d/test.registry.com:5000/ #openssl的域名是什麼就建立什麼 >>>cp /root/certs/registry.crt /etc/docker/certs.d/test.registry.com:5000/
若是域名不是公網能用的還得在/etc/hosts下寫記錄
測試Registry
>>>curl --cacert /etc/docker/certs.d/test.registry.com\:5000/registry.crt -XGET https://test.registry.com:5000
4、配置Nginx+OpenLdap
克隆Nginx+OpenLdap插件
>>>cd /usr/src/ >>>git clone https://github.com/kvspb/nginx-auth-ldap.git
下載OpenSSL
>>>cd /usr/src/ >>>tar zxvf openssl-1.0.1g.tar.gz #解壓就行,不須要安裝
安裝Nginx
>>>./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/src/openssl-1.0.1g --add-module=/usr/src/nginx-auth-ldap >>>make && make install
配置Nginx
#nginx.conf
# nginx in front of the Docker registry: TLS termination on 443, LDAP
# authentication via the nginx-auth-ldap module, then a reverse proxy to
# the registry container on 127.0.0.1:5000.
user nobody nobody;
worker_processes auto;
error_log /var/log/nginx_error.log error;
#pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}
http {
  include mime.types;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$upstream_addr"';
  access_log /var/log/nginx_access.log main;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  # Reverse proxy target: the registry container published on port 5000.
  upstream registry {
    server 127.0.0.1:5000;
  }
  # LDAP server used by auth_ldap for every protected location.
  # NOTE(review): the URL uses plain ldap://, so bind credentials travel to
  # 10.10.212.71 unencrypted; ldaps:// (or STARTTLS) would protect them —
  # confirm the directory supports it.
  # NOTE(review): `require valid_user` admits any account that binds
  # successfully; group_attribute is set but no `require group` restricts
  # access — confirm that is intended.
  ldap_server docker_registry {
    url ldap://10.10.212.71/ou=People,dc=wepaas,dc=com?uid?sub?(objectClass=*);
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
  }
  # https:443 — TLS-terminating front end.
  # NOTE(review): this references /root/certs/domain.crt, while step 1 of
  # this guide generated certs/registry.crt — confirm which file is meant.
  server {
    listen 443 ssl;
    server_name 127.0.0.1 test.registry.com;
    ssl on;
    ssl_certificate /root/certs/domain.crt;
    ssl_certificate_key /root/certs/domain.key;
    client_max_body_size 65535M;
    chunked_transfer_encoding on;
    location / {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      root html;
      index index.html index.htm;
      proxy_pass http://registry;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      # The client's Authorization header (the LDAP Basic credentials) is
      # cleared before the request reaches the registry, so only nginx ever
      # sees the password.
      proxy_set_header Authorization "";
      client_body_buffer_size 65536k;
      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_buffer_size 8k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }
    # Ping endpoints are also behind LDAP auth; nothing is served
    # unauthenticated.
    location /_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v1/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v2/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
  }
  # Proxy on port 80; to serve test.registry.com:9000 instead, put 9000 here.
  # NOTE(review): this server block performs the same LDAP Basic auth over
  # plain HTTP, so usernames and passwords cross the network in cleartext.
  # Redirecting 80 to 443 instead would avoid that — confirm whether plain
  # HTTP access is required.
  server {
    listen 80;
    server_name 127.0.0.1 test.registry.com;
    client_max_body_size 65535M;
    chunked_transfer_encoding on;
    location / {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      root html;
      index index.html index.htm;
      proxy_pass http://registry;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      # Strip the client's credentials before forwarding, as on 443.
      proxy_set_header Authorization "";
      client_body_buffer_size 65536k;
      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_buffer_size 8k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }
    location /_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v1/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v2/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
  }
}
啓動Nginx
/usr/local/nginx/sbin/nginx
訪問web界面測試
docker login 測試
#建立目錄 mkdir /etc/docker/certs.d/test.registry.com/ #拷貝證書 cp /root/registry.crt /etc/docker/certs.d/test.registry.com/ #測試 docker login test.registry.com Username : Password: WARNING: login credentials saved in /root/.docker/config.json Login Succeeded