1、生成证书
安装openssl
>>>yum -y install openssl
>>>yum -y install openssl-devel
生成openssl证书
>>>openssl req -x509 -nodes -days 365 -subj '/CN='test.registry.com -newkey rsa:4096 -keyout certs/registry.key -out certs/registry.crt #把证书生成到certs/目录下(需先 mkdir certs),生成一个test.registry.com域名的自签名证书;-nodes 表示私钥不加密,请限制 certs/registry.key 的文件权限
2、启动容器
启动Registry容器+证书
>>>docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key registry:0.9.1 #证书路径必须与 -v 挂载到容器内的 /certs 一致;REGISTRY_HTTP_TLS_* 是 registry:2 (distribution) 的配置项,请确认所用镜像版本支持
3、测试Registry是否可用
建立证书存放路径并拷贝证书
>>>mkdir /etc/docker/certs.d/test.registry.com:5000/ #目录名要与 openssl 证书里的域名(及端口)一致
>>>cp /root/certs/registry.crt /etc/docker/certs.d/test.registry.com:5000/
若域名不是公网可解析的,还需在/etc/hosts中写一条记录
测试Registry
>>>curl --cacert /etc/docker/certs.d/test.registry.com\:5000/registry.crt -XGET https://test.registry.com:5000 #访问的域名须与证书 CN 一致(test.registry.com),证书文件即上一步拷贝的 registry.crt
4、配置Nginx+OpenLdap
克隆Nginx+OpenLdap插件
>>>cd /usr/src/
>>>git clone https://github.com/kvspb/nginx-auth-ldap.git
下载OpenSSL
>>>cd /usr/src/
>>>tar zxvf openssl-1.0.1g.tar.gz #解压即可,不需要安装;注意 openssl-1.0.1 系列已停止维护,实际部署请换用仍在支持的 OpenSSL 版本
安装Nginx
>>>./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/src/openssl-1.0.1g --add-module=/usr/src/nginx-auth-ldap #在 nginx 源码目录下执行
>>>make && make install
配置Nginx
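# nginx.conf — TLS front end for the Docker registry started in step 2,
# with LDAP basic authentication (nginx-auth-ldap) in front of every path.
user nobody nobody;
worker_processes auto;
error_log /var/log/nginx_error.log error;
#pid logs/nginx.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}

http {
  include mime.types;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$upstream_addr"';
  access_log /var/log/nginx_access.log main;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;

  # Reverse-proxy target: the registry container published on 127.0.0.1:5000.
  # NOTE(review): step 2 starts that container with REGISTRY_HTTP_TLS_*, i.e.
  # serving HTTPS. If that is the case, proxy_pass below must use https://
  # (plus proxy_ssl_* directives) or the container must run without TLS —
  # confirm which applies before relying on this upstream.
  upstream registry {
    server 127.0.0.1:5000;
  }

  # LDAP server used by auth_ldap; every request must bind as a valid user.
  # NOTE(review): ldap:// carries the user's bind password in cleartext
  # between nginx and 10.10.212.71; prefer ldaps:// (or STARTTLS) if the
  # directory supports it.
  ldap_server docker_registry {
    url ldap://10.10.212.71/ou=People,dc=wepaas,dc=com?uid?sub?(objectClass=*);
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;
  }

  # HTTPS front end (port 443). All registry traffic, including the ping
  # endpoints, goes through location / so the same authentication applies
  # everywhere (the separate /_ping locations duplicated it without
  # stripping the Authorization header).
  server {
    listen 443 ssl;   # "ssl" on listen enables TLS; the deprecated "ssl on;" is not needed
    server_name 127.0.0.1 test.registry.com;
    # Certificate the Docker clients must trust. Step 1 generated
    # certs/registry.crt for test.registry.com — point these at whichever
    # pair you actually deploy, and copy the same .crt into /etc/docker/certs.d/.
    ssl_certificate /root/certs/domain.crt;
    ssl_certificate_key /root/certs/domain.key;
    # Do not negotiate SSLv3/TLS1.0/1.1; the nginx default of this era still did.
    ssl_protocols TLSv1.2;
    client_max_body_size 65535M;   # image layers can be large
    chunked_transfer_encoding on;

    location / {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      # The Basic credentials were consumed by auth_ldap; do not forward
      # them to the registry.
      proxy_set_header Authorization "";
      client_body_buffer_size 65536k;
      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_buffer_size 8k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }
  }

  # Plain HTTP (port 80): only redirect to HTTPS. Proxying the registry here
  # with auth_ldap would send the LDAP username/password over the wire in
  # cleartext. If the HTTPS side listens on another port (e.g. 9000), put
  # that port into the redirect target.
  server {
    listen 80;
    server_name 127.0.0.1 test.registry.com;
    return 301 https://$host$request_uri;
  }
}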
启动Nginx
/usr/local/nginx/sbin/nginx
访问web界面测试
docker login 测试
#建立目录
mkdir /etc/docker/certs.d/test.registry.com/
#拷贝证书(此处应为 nginx 实际使用的证书,即 nginx.conf 中 ssl_certificate 指向的文件)
cp /root/registry.crt /etc/docker/certs.d/test.registry.com/
#测试
docker login test.registry.com
Username :
Password:
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
#注意:config.json 中保存的凭据只是 base64 编码,并未加密,请限制该文件的读取权限