SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

[Clarification] How to configure registry/Portus auth if domains are different? #2301

Closed leleobhz closed 3 years ago

leleobhz commented 4 years ago

Hello

All documents assume Portus is running on fqdn_x at port 3000 and the registry is running at fqdn_x at port 5000 (and most of the time, the port doesn't matter for this config).

But I have nginx-proxy configured to serve Portus at fqdn_portus at port 443 and registry at fqdn_registry at port 443.

I can't work out how to make the registry authentication to Portus work. What is the configuration I need for the following variables:

REGISTRY_AUTH_TOKEN_REALM
REGISTRY_AUTH_TOKEN_SERVICE
REGISTRY_AUTH_TOKEN_ISSUER

Are other variables related to this authentication? (Please disregard SSL issues, just auth.)

Thanks

leleobhz commented 4 years ago

A comment: both FQDNs are served by nginx-proxy, so the map is:

fqdn_registry redirects entirely to registry
fqdn_portus redirects entirely to portus

The secure scenario from the example implies there is an intermediate nginx to "merge" /v2/ and /v2/token. Can this be avoided?

StarGate01 commented 4 years ago

Hi! That's how I did it, with my fictional domain mydomain.tld:

Registry config (internal docker-compose hostname: registry, exposes port 5000):

REGISTRY_AUTH_TOKEN_REALM=https://portus.mydomain.tld/v2/token
REGISTRY_AUTH_TOKEN_SERVICE=registry.mydomain.tld
REGISTRY_AUTH_TOKEN_ISSUER=portus.mydomain.tld
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/etc/letsencrypt/live/mydomain.tld/fullchain.pem

Portus config in the registry manager UI webpage (internal docker-compose hostname: portus, exposes port 3000):

Hostname: registry:5000
External hostname: registry.mydomain.tld

Nginx config, which serves both the registry and Portus, and handles TLS via the same certificate as the registry uses for token signing:

map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {

    listen 443 ssl;
    server_name registry.mydomain.tld;
    resolver 127.0.0.11 valid=30s;

    add_header Front-End-Https on;

    location / {
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) {
            return 404;
        }

        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

        set $upstream http://registry:5000;
        proxy_pass $upstream;
    }

}

server {

    listen 443 ssl;
    server_name portus.mydomain.tld;
    resolver 127.0.0.11 valid=30s;

    add_header Front-End-Https on;

    location / {
        set $upstream http://portus:3000;
        proxy_pass $upstream;
    }

}
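The configuration above works because the three REGISTRY_AUTH_TOKEN_* values describe a three-party handshake: the registry sends a Bearer challenge naming the realm (Portus's token endpoint) and the service (the registry's own name), the client fetches a JWT from that realm, and the registry then accepts the token only if its `iss` claim equals REGISTRY_AUTH_TOKEN_ISSUER and its `aud` claim equals REGISTRY_AUTH_TOKEN_SERVICE. The following is an added dry-run of that handshake for a split-domain setup; it is example code written for this page, not Portus or Docker Distribution code. The host names, the environment dictionary and the unsigned sample token are constructed for illustration, and `issue_token` is a stand-in for Portus's token endpoint; signature verification against REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE is left to the registry and not modelled.

```python
"""Dry run of Docker registry token auth when Portus and the registry live on
different domains (added example; not Portus project code).

Modelled steps:
  1. registry answers 401 with 'WWW-Authenticate: Bearer realm=...,service=...,scope=...'
  2. client fetches a JWT from the realm (Portus), passing service and scope through
  3. registry accepts the JWT only if iss == REGISTRY_AUTH_TOKEN_ISSUER and
     aud == REGISTRY_AUTH_TOKEN_SERVICE (and it is not expired)
Signature checks against REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE are out of scope here.
"""
import base64
import json
import re
import time

# Constructed registry environment, mirroring the variable names from the answer above.
REGISTRY_ENV = {
    "REGISTRY_AUTH_TOKEN_REALM": "https://portus.mydomain.tld/v2/token",
    "REGISTRY_AUTH_TOKEN_SERVICE": "registry.mydomain.tld",
    "REGISTRY_AUTH_TOKEN_ISSUER": "portus.mydomain.tld",
}

_CHALLENGE_PARAM = re.compile(r'(\w+)="([^"]*)"')


def build_challenge(env, scope):
    """Challenge header a registry emits on 401, built from its own env values."""
    return (f'Bearer realm="{env["REGISTRY_AUTH_TOKEN_REALM"]}",'
            f'service="{env["REGISTRY_AUTH_TOKEN_SERVICE"]}",scope="{scope}"')


def parse_challenge(header):
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_CHALLENGE_PARAM.findall(params))


def token_request_url(challenge):
    """URL the docker client calls on Portus; service and scope come from the challenge."""
    return f'{challenge["realm"]}?service={challenge["service"]}&scope={challenge["scope"]}'


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, service, scope, now=None):
    """Constructed stand-in for Portus's /v2/token: an unsigned JWT with the usual claims.

    Portus also matches `service` against a registry it knows; that check is not modelled.
    """
    now = int(now if now is not None else time.time())
    typ, name, actions = scope.split(":", 2)
    payload = {"iss": issuer, "aud": service, "iat": now, "nbf": now, "exp": now + 300,
               "access": [{"type": typ, "name": name, "actions": actions.split(",")}]}
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def registry_accepts(env, token, now=None):
    """Claim checks the registry applies to a presented token; returns (ok, reason)."""
    now = now if now is not None else time.time()
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return False, "malformed token"
    if payload.get("iss") != env["REGISTRY_AUTH_TOKEN_ISSUER"]:
        return False, f"issuer mismatch: {payload.get('iss')!r}"
    if payload.get("aud") != env["REGISTRY_AUTH_TOKEN_SERVICE"]:
        return False, f"audience mismatch: {payload.get('aud')!r}"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def check_split_domain_setup(env, portus_issuer, scope="repository:team/app:pull"):
    """Whole handshake: registry challenge -> token from Portus -> registry claim check."""
    challenge = parse_challenge(build_challenge(env, scope))
    token = issue_token(portus_issuer, challenge["service"], scope)
    return registry_accepts(env, token)


if __name__ == "__main__":
    # Issuer matches the registry's expectation: accepted.
    print(check_split_domain_setup(REGISTRY_ENV, "portus.mydomain.tld"))
    # Portus configured with the registry's FQDN as its issuer: rejected.
    print(check_split_domain_setup(REGISTRY_ENV, "registry.mydomain.tld"))
```

The run shows why the two domains can be different without any merging proxy: the realm only has to be reachable by the client, while the service and issuer strings merely have to agree between the registry's environment and what Portus puts into the token. A mismatch surfaces as an issuer or audience rejection at the registry, which is the first thing to check in the registry logs when pulls fail with 401 after a hostname change.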

stale[bot] commented 3 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.