From 531981761ed4bdb4deb1fc4722993b635079d303 Mon Sep 17 00:00:00 2001 From: TDDR Date: Wed, 2 Mar 2022 21:16:03 -0500 Subject: [PATCH] Testable version of initial draft --- config/etc/nginx/{conf.d => nginx.conf} | 13 +++++-------- config/registry-config.yaml | 24 ------------------------ docker-compose.yaml | 16 +++++----------- 3 files changed, 10 insertions(+), 43 deletions(-) rename config/etc/nginx/{conf.d => nginx.conf} (84%) diff --git a/config/etc/nginx/conf.d b/config/etc/nginx/nginx.conf similarity index 84% rename from config/etc/nginx/conf.d rename to config/etc/nginx/nginx.conf index 11b0832..3b64713 100644 --- a/config/etc/nginx/conf.d +++ b/config/etc/nginx/nginx.conf @@ -16,17 +16,18 @@ http { server { listen 443 ssl; - server_name ${DOMAIN}; + server_name docker.cdot.systems #${DOMAIN}; # SSL - ssl_certificate /etc/nginx/conf.d/domain.crt; - ssl_certificate_key /etc/nginx/conf.d/domain.key; + ssl_certificate /etc/letsencrypt/live/docker.cdot.systems/fullchain.pem + ssl_certificate_key /etc/letsencrypt/live/docker.cdot.systems/privkey.pem # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; + ssl_trusted_certificate /etc/letsencrypt/live/docker.cdot.systems/chain.pem # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; @@ -41,15 +42,11 @@ http { return 404; } - # To add basic authentication to v2 use auth_basic setting. - auth_basic "Registry realm"; - auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; - ## If $docker_distribution_api_version is empty, the header is not added. ## See the map directive above where this variable is defined. add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; - proxy_pass http://registry:${PORT}; + proxy_pass http://registry:5000; #${PORT}; proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/config/registry-config.yaml b/config/registry-config.yaml index bf2b2da..5172a89 100644 --- a/config/registry-config.yaml +++ b/config/registry-config.yaml @@ -13,29 +13,5 @@ storage: http: addr: 443:5000 # https://docs.docker.com/registry/configuration/#letsencrypt host: docker.cdot.systems - tls: - certificate: /path/to/x509/public - key: /path/to/x509/private - letsencrypt: - cachefile: /path/to/cache-file - email: emailused@letsencrypt.com - #hosts: [myregistryaddress.org] headers: X-Content-Type-Options: [nosniff] -auth: - token: - realm: token-realm - service: token-service - issuer: registry-token-issuer - rootcertbundle: /root/certs/bundle -# redis: -# addr: localhost:6379 -# password: asecret -# db: 0 -# dialtimeout: 10ms -# readtimeout: 10ms -# writetimeout: 10ms -# pool: -# maxidle: 16 -# maxactive: 64 -# idletimeout: 300s diff --git a/docker-compose.yaml b/docker-compose.yaml index fe63745..756b662 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -6,14 +6,16 @@ services: - 443:443 restart: unless-stopped volumes: - - ./config/etc/nginx/conf.d:/etc/nginx/conf.d + - ./config/etc/nginx/nginx.conf:/etc/nginx/nginx.conf + depends_on: + - registry # SSL certificate management for nginx certbot: image: certbot/certbot container_name: 'certbot' volumes: - - ./config/etc/letsencrypt:/etc/letsencrypt + - /etc/letsencrypt:/etc/letsencrypt restart: always # This will check if your certificate is up for renewal every 12 hours as recommended by Let’s Encrypt entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" @@ -21,14 +23,6 @@ services: registry: restart: always image: registry:2 - environment: - REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt - REGISTRY_HTTP_TLS_KEY: /certs/domain.key - REGISTRY_AUTH: token - REGISTRY_AUTH_TOKEN_REALM: Registry Realm - REGISTRY_AUTH_TOKEN_SERVICE: Token services - REGISTRY_AUTH_TOKEN_ISSUER: Registry token issuer - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /root/certs/bundle volumes: - /mnt/docker0storage/registry:/var/lib/registry - \ No newline at end of file + #- ./config/registry-config.yaml:/config/registry-config.yaml Untested use of the registry-config.yaml file