一、生成证书
安装openssl
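# Install the OpenSSL command-line tool (needed to issue the registry
# certificate below) and its headers (only needed if you later build software
# against OpenSSL, e.g. the Nginx build in section 四).
yum -y install openssl
yum -y install openssl-devel   # the original had a typo ("yun") here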
生成openssl证书
>>>openssl req -x509 -nodes -days 365 -subj '/CN='test.registry.com -newkey rsa:4096 -keyout certs/registry.key -out certs/registry.crt #把证书生成到certs/目录下,生成一个test.registry.com域名证书
二、启动容器
启动Registry容器+证书
>>>docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=certs/registry.key registry:0.9.1
三、测试Registry是否可用
创建证书存放路径并拷贝证书
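# Docker trusts per-registry CA certificates found under
# /etc/docker/certs.d/<host>:<port>/*.crt. The directory name must be exactly the
# host:port that clients use - here the CN from the certificate plus port 5000.
# -p so this also works when /etc/docker/certs.d does not exist yet.
mkdir -p /etc/docker/certs.d/test.registry.com:5000/
# certs/ from section 一 (generated under /root in this walkthrough).
install -m 0644 /root/certs/registry.crt /etc/docker/certs.d/test.registry.com:5000/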
测试Registry
>>>curl --cacert /etc/docker/certs.d/test.registry.com\:5000/test.registry.cn.crt -XGET https://test.registry.cn:5000
四、配置Nginx+OpenLdap
克隆Nginx+OpenLdap插件
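# Fetch the nginx-auth-ldap third-party module. It is compiled into the Nginx
# binary and sits in the authentication path, so treat it as a supply-chain
# dependency: pin to a reviewed tag or commit instead of building whatever HEAD
# happens to be on the day you run this, e.g.
#   git -C /usr/src/nginx-auth-ldap checkout <reviewed-commit>
cd /usr/src/
git clone https://github.com/kvspb/nginx-auth-ldap.git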
下载并解压 OpenSSL 源码（仅供编译 Nginx 时静态链接，不单独安装；请从 openssl.org 下载仍受支持的版本并校验签名/校验和）
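# Unpack the OpenSSL source tree that Nginx will be linked against
# (--with-openssl in the configure step); it is not installed system-wide.
# NOTE(review): 1.0.1g (April 2014) is the Heartbleed fix release, but the whole
# 1.0.1 series reached end-of-life at the end of 2016 and has unfixed CVEs. Use a
# supported release, and verify the tarball's signature/checksum from openssl.org
# before unpacking - whoever can substitute this archive controls the TLS stack.
OPENSSL_VER=1.0.1g   # bump to a supported release; keep in sync with --with-openssl
cd /usr/src/
tar -xzf "openssl-${OPENSSL_VER}.tar.gz"   # extract only, no configure/make install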
安装Nginx
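# Build Nginx with the stub_status, SSL and LDAP-auth modules, linking the
# OpenSSL source tree unpacked above. Run this inside the unpacked Nginx source
# directory (cd /usr/src/nginx-<version> first - that step is not shown here).
# The --with-openssl path must match the OpenSSL version you extracted.
./configure \
  --prefix=/usr/local/nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-openssl=/usr/src/openssl-1.0.1g \
  --add-module=/usr/src/nginx-auth-ldap
make && make install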
配置Nginx
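#nginx.conf
# Reverse proxy in front of the Docker registry: terminates TLS on 443 and gates
# every request with HTTP Basic auth verified against OpenLDAP (nginx-auth-ldap).
user nobody nobody;
worker_processes auto;
error_log /var/log/nginx_error.log error;
#pid logs/nginx.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}

http {
  include mime.types;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$upstream_addr"';
  access_log /var/log/nginx_access.log main;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;

  # Upstream registry. Publish the container port on 127.0.0.1 only (section 二)
  # so the LDAP check below cannot be bypassed by connecting to :5000 directly.
  # NOTE(review): section 二 starts the registry with TLS enabled while this
  # proxies plain HTTP. Either run the registry without REGISTRY_HTTP_TLS_*
  # behind Nginx or change proxy_pass to https://registry - confirm which is intended.
  upstream registry {
    server 127.0.0.1:5000;
  }

  # LDAP server used to verify Basic-auth credentials.
  # NOTE(review): ldap:// sends each user's bind password in clear text between
  # this host and 10.10.212.71. Use ldaps:// (or StartTLS where the module
  # supports it) unless that link is a trusted, isolated network.
  ldap_server docker_registry {
    url ldap://10.10.212.71/ou=People,dc=wepaas,dc=com?uid?sub?(objectClass=*);
    group_attribute uniquemember;
    group_attribute_is_dn on;
    require valid_user;   # any account that binds successfully is allowed
  }

  # https:443 - the only listener that should ever see credentials.
  server {
    listen 443 ssl;
    server_name 127.0.0.1 test.registry.com;
    # Certificate/key pair issued in section 一 (the original pointed at
    # domain.crt/domain.key, which are never generated in this walkthrough).
    ssl_certificate     /root/certs/registry.crt;
    ssl_certificate_key /root/certs/registry.key;
    ssl_protocols TLSv1.2;          # no SSLv3/TLS1.0/1.1; supported by OpenSSL 1.0.1+
    ssl_prefer_server_ciphers on;
    client_max_body_size 65535M;    # image layers can be very large
    chunked_transfer_encoding on;

    location / {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";        # realm string in the 401 challenge
      root html;
      index index.html index.htm;
      proxy_pass http://registry;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Proto https;   # lets the registry build https URLs
      # Strip the Basic-auth header once Nginx has verified it so the LDAP
      # password never reaches the registry process.
      proxy_set_header Authorization "";
      client_body_buffer_size 65536k;
      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_buffer_size 8k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
    }
    # Ping endpoints stay behind the same LDAP gate ("location /" would match
    # them as well; these blocks only skip the proxy headers above).
    location /_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v1/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
    location /v2/_ping {
      auth_ldap_servers docker_registry;
      auth_ldap "Forbidden";
      proxy_pass http://registry;
    }
  }

  # Plain HTTP. The original served the same LDAP-protected proxy here, so
  # Basic-auth credentials (and image data) crossed the network in clear text
  # whenever a client used port 80. Redirect to HTTPS instead; Docker clients
  # try https:// first and only fall back to http:// for hosts listed in
  # --insecure-registry.
  # (To publish on another port, e.g. test.registry.com:9000, change "listen 80".)
  server {
    listen 80;
    server_name 127.0.0.1 test.registry.com;
    return 301 https://$host$request_uri;
  }
}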
用 Nginx 作为 Docker Registry 的反向代理（在 Nginx 上终结 TLS 并做 LDAP 认证），启动 Nginx：
/usr/local/nginx/sbin/nginx
启动后可先用浏览器访问 https://test.registry.com/ 测试：应先弹出 HTTP Basic 认证框，输入 LDAP 账号口令后才能看到 Registry 的响应。只通过 443（HTTPS）测试，不要在 80 端口明文提交口令。
docker login 测试
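# Trust the certificate Nginx serves on the Docker client.
# "docker login test.registry.com" (no port) talks to https://test.registry.com:443,
# i.e. the Nginx front end, so this certs.d directory has no ":5000" suffix.
mkdir -p /etc/docker/certs.d/test.registry.com/
# Must be the certificate configured as ssl_certificate in nginx.conf. The
# original copied /root/registry.crt, which is not where section 一 wrote it.
install -m 0644 /root/certs/registry.crt /etc/docker/certs.d/test.registry.com/
# Log in; Nginx verifies the credentials against LDAP. Keep this host out of
# --insecure-registry, otherwise the Basic-auth password may be sent in clear text.
docker login test.registry.com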
Username :
Password:
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
（注意：config.json 中保存的只是 base64 编码的“用户名:口令”，并未加密。请把该文件权限设为 600，或配置 Docker credential helper 把口令交给系统钥匙串保管。）