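# TLS-terminating reverse proxy in front of a container registry
# (upstream registry_api) and its web UI (upstream registry_ui).
#
# Access model implemented below:
#   * GET/HEAD on manifests, blobs, tag lists and the catalog: anonymous.
#   * Any other method on those paths: refused (403) for everyone.
#   * Every other path under /v2/: HTTP basic auth against the htpasswd file.
#   * Everything else: forwarded to the UI without authentication.
#
# Each directive sits on its own line on purpose: nginx treats "#" as a comment
# that runs to the end of the line, so when this file is collapsed onto one
# line the first comment swallows every directive that follows it.

events {
    worker_connections 1024;
}

http {
    upstream registry_ui {
        server registry-ui:80;
    }

    upstream registry_api {
        server registry:5000;
    }

    server {
        listen 443 ssl;
        server_name YOUR_CI_CD_IP;

        ssl_certificate     /etc/nginx/ssl/registry.crt;
        ssl_certificate_key /etc/nginx/ssl/registry.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        # Proxy settings shared by every location below. They are declared once
        # at server level and inherited. Caveat: proxy_set_header is inherited
        # only while a location defines no proxy_set_header of its own, so
        # adding a single header inside a location drops all four of these
        # there unless they are repeated.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 30s;
        proxy_send_timeout    30s;
        proxy_read_timeout    30s;

        # NOTE(review): the registry's TLS certificate is not verified, so the
        # hop to registry:5000 is encrypted but the upstream is not
        # authenticated. To verify it, switch this to "on" and point
        # proxy_ssl_trusted_certificate at the issuing CA, for example
        # <PATH_TO_REGISTRY_CA_BUNDLE> (placeholder, not a path from this file).
        # Only the https:// upstream is affected; the UI is proxied over http.
        proxy_ssl_verify off;

        # ------------------------------------------------------------------
        # Anonymous, read-only registry endpoints.
        #
        # "limit_except GET" leaves GET (and, implicitly, HEAD) unrestricted
        # and applies "deny all" to every other method.
        #
        # NOTE(review): regex locations take precedence over the "/v2/" prefix
        # location further down, so PUT/POST/PATCH/DELETE on these paths get
        # 403 even for users listed in the htpasswd file. If authenticated
        # pushes are meant to go through this proxy, replace "deny all;" with
        # the auth_basic / auth_basic_user_file pair inside limit_except.
        #
        # NOTE(review): "[^/]+" matches a single path segment only. Repository
        # names containing a slash (e.g. "team/app") do not match these
        # locations and fall through to the authenticated "/v2/" block, reads
        # included.
        # ------------------------------------------------------------------
        location ~ ^/v2/([^/]+)/manifests/ {
            limit_except GET {
                deny all;
            }
            proxy_pass https://registry_api;
        }

        location ~ ^/v2/([^/]+)/blobs/ {
            limit_except GET {
                deny all;
            }
            proxy_pass https://registry_api;
        }

        # NOTE(review): tag lists and the catalog are readable without
        # credentials, which lets any client that can reach this listener
        # enumerate repository and tag names. Confirm that is intended.
        location ~ ^/v2/([^/]+)/tags/list {
            limit_except GET {
                deny all;
            }
            proxy_pass https://registry_api;
        }

        location /v2/_catalog {
            limit_except GET {
                deny all;
            }
            proxy_pass https://registry_api;
        }

        # ------------------------------------------------------------------
        # Every other registry path requires HTTP basic authentication.
        #
        # NOTE(review): no client_max_body_size is set, so nginx's default
        # (1m) applies; uploads larger than that are rejected with 413. Raise
        # it here if image pushes are expected through this location.
        # ------------------------------------------------------------------
        location /v2/ {
            auth_basic           "Registry Realm";
            auth_basic_user_file /etc/nginx/auth/auth.htpasswd;
            proxy_pass https://registry_api;
        }

        # Registry UI: plain HTTP to the upstream, no authentication at the
        # proxy.
        location / {
            proxy_pass http://registry_ui;
        }
    }
}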