Try to fix problem of registry being inaccessible

continuist 2025-06-28 23:12:33 -04:00
parent 66e641c3b7
commit 2c6597062b
3 changed files with 68 additions and 1 deletions


@ -546,6 +546,8 @@ docker compose up -d
exit
```
**Important**: The registry uses standard authentication, but nginx provides intelligent routing to enable public read access for specific operations (manifests, blobs, tags) while requiring authentication for write operations (push, delete). This implements the "public read, authenticated write" model through nginx configuration.
#### 5.7 Test Registry Setup
```bash


@ -41,6 +41,7 @@ services:
- "8080:443"
volumes:
- /etc/ssl/registry:/etc/nginx/ssl:ro
- /etc/registry/auth/auth.htpasswd:/etc/nginx/auth/auth.htpasswd:ro
- /opt/APP_NAME/registry/nginx.conf:/etc/nginx/nginx.conf:ro
depends_on:
- registry-ui
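Review bot: The new `/etc/registry/auth/auth.htpasswd` bind mount in the nginx service's `volumes:` list depends on that file already existing on the host; with the short volume syntax Docker creates a missing host path as a directory, and nginx would then have nothing readable at `auth_basic_user_file`. The setup steps should create the file before `docker compose up -d`. Alternatively the long bind syntax with `create_host_path: false` makes the stack fail at start rather than silently mounting an empty directory. It is also worth confirming the file's mode lets the nginx worker user read it while staying unreadable to other host users.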


@ -20,8 +20,72 @@ http {
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Proxy registry API requests
# Block all non-GET requests to public endpoints
location ~ ^/v2/([^/]+)/manifests/ {
limit_except GET {
deny all;
}
proxy_pass https://registry_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
proxy_ssl_verify off;
}
location ~ ^/v2/([^/]+)/blobs/ {
limit_except GET {
deny all;
}
proxy_pass https://registry_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
proxy_ssl_verify off;
}
location ~ ^/v2/([^/]+)/tags/list {
limit_except GET {
deny all;
}
proxy_pass https://registry_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
proxy_ssl_verify off;
}
location /v2/_catalog {
limit_except GET {
deny all;
}
proxy_pass https://registry_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
proxy_ssl_verify off;
}
# Require authentication for all other registry operations
location /v2/ {
auth_basic "Registry Realm";
auth_basic_user_file /etc/nginx/auth/auth.htpasswd;
proxy_pass https://registry_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
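Review bot: The four public locations use `limit_except GET { deny all; }`, and because nginx tries regex locations before falling back to the prefix `location /v2/`, a PUT to `/v2/<name>/manifests/<ref>` or a POST/PATCH to `/v2/<name>/blobs/uploads/` is rejected there and never reaches the `auth_basic` block, so pushes and deletes look to be denied for everyone rather than allowed with credentials. To get the "public read, authenticated write" model the README describes, put the credential check inside the exception instead: `limit_except GET { auth_basic "Registry Realm"; auth_basic_user_file /etc/nginx/auth/auth.htpasswd; }`. `/v2/_catalog` is also opened to anonymous GET although the README lists only manifests, blobs and tags, which lets any client enumerate repository names; confirm that is intended. Every block sets `proxy_ssl_verify off`, so the upstream certificate is not checked; if the hop to `registry_api` ever leaves the host, consider `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate`. The `location /v2/` block continues past the end of the hunk.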