continuist
0b4fb89e77
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
115 lines
3.5 KiB
Nginx Configuration File
115 lines
3.5 KiB
Nginx Configuration File
# Docker Registry Nginx Configuration
|
|
# Port 443: Unauthenticated pulls (GET requests only)
|
|
# Port 4443: Authenticated operations (login, logout, push, delete, etc.)
|
|
|
|
# Upstream Docker Registry
|
|
upstream registry {
|
|
server registry:5000;
|
|
}
|
|
|
|
# HTTP server for unauthenticated pulls on port 443
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name _;
|
|
|
|
# SSL Configuration
|
|
ssl_certificate /etc/registry/certs/registry.crt;
|
|
ssl_certificate_key /etc/registry/certs/private/registry.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
# Block all write operations explicitly
|
|
if ($request_method !~ ^(GET|HEAD)$) {
|
|
return 405 "Method Not Allowed";
|
|
}
|
|
|
|
# Allow all GET requests to v2 API (Docker Registry itself will handle security)
|
|
location /v2/ {
|
|
proxy_pass http://registry;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 900;
|
|
proxy_connect_timeout 60;
|
|
proxy_send_timeout 60;
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
|
|
# Default location - deny all
|
|
location / {
|
|
return 404;
|
|
}
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/registry_access.log;
|
|
error_log /var/log/nginx/registry_error.log;
|
|
}
|
|
|
|
# HTTPS server for authenticated operations on port 4443
|
|
server {
|
|
listen 4443 ssl http2;
|
|
server_name _;
|
|
|
|
# SSL Configuration
|
|
ssl_certificate /etc/registry/certs/registry.crt;
|
|
ssl_certificate_key /etc/registry/certs/private/registry.key;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
# Basic authentication for write operations
|
|
location ~ ^/v2/.*$ {
|
|
# Require auth for all v2 API operations
|
|
auth_basic "Docker Registry";
|
|
auth_basic_user_file /etc/nginx/.htpasswd;
|
|
|
|
proxy_pass http://registry;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 900;
|
|
proxy_connect_timeout 60;
|
|
proxy_send_timeout 60;
|
|
}
|
|
|
|
# Default location - deny all
|
|
location / {
|
|
return 404;
|
|
}
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/registry_auth_access.log;
|
|
error_log /var/log/nginx/registry_auth_error.log;
|
|
}
|
|
|
|
# Redirect HTTP to HTTPS (optional - for port 80 if needed)
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
return 301 https://$server_name$request_uri;
|
|
}
|