devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve security #10
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-08-24 15:23:31 -04:00
parent a9cdd14ffc
commit 61acecc570
1 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
Docker_Registry_Install_Guide.md
View file

@ -110,6 +110,20 @@ sudo chmod 750 /var/lib/registry
# Create log directory for nginx proxy # Create log directory for nginx proxy
sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy
# Create logrotate configuration for registry proxy logs
sudo tee /etc/logrotate.d/registry-proxy > /dev/null << 'EOF'
/var/log/registry-proxy/*.log {
daily
rotate 14
compress
delaycompress
copytruncate
missingok
notifempty
create 644 registry-proxy registry-proxy
}
EOF
``` ```
### 2.4 Install Systemd Services ### 2.4 Install Systemd Services
@ -205,8 +219,12 @@ http {
server_tokens off; server_tokens off;
limit_req_zone $binary_remote_addr zone=reg_read:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=reg_read:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=reg_write:10m rate=5r/s; limit_req_zone $binary_remote_addr zone=reg_write:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m;
client_max_body_size 2g; client_max_body_size 2g;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_ecdh_curve X25519:P-256;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_verify_depth 2; ssl_verify_depth 2;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
@ -233,6 +251,7 @@ http {
location ~ ^/v2/.+/tags/list { return 403; } location ~ ^/v2/.+/tags/list { return 403; }
location /v2/ { location /v2/ {
limit_req zone=reg_read burst=20 nodelay; limit_req zone=reg_read burst=20 nodelay;
limit_conn perip 20;
proxy_pass http://reg; proxy_pass http://reg;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
@ -253,6 +272,7 @@ http {
ssl_verify_client on; ssl_verify_client on;
location /v2/ { location /v2/ {
limit_req zone=reg_write burst=10; limit_req zone=reg_write burst=10;
limit_conn perip 20;
proxy_pass http://reg; proxy_pass http://reg;
proxy_set_header Host $host:$server_port; proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;