Closed leleobhz closed 3 years ago
A comment: both FQDNs are served by nginx-proxy, so the map is:
fqdn_registry redirects entirely to registry
fqdn_portus redirects entirely to portus
The secure scenario from the example implies there is an intermediate nginx to "merge" /v2/ and /v2/token. Can this be avoided?
Hi! That's how I did it, with my fictional domain mydomain.tld:
Registry config (internal docker-compose hostname: registry, exposes port 5000):
REGISTRY_AUTH_TOKEN_REALM=https://portus.mydomain.tld/v2/token
REGISTRY_AUTH_TOKEN_SERVICE=registry.mydomain.tld
REGISTRY_AUTH_TOKEN_ISSUER=portus.mydomain.tld
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/etc/letsencrypt/live/mydomain.tld/fullchain.pem
Portus config in the registry manager UI webpage (internal docker-compose hostname: portus, exposes port 3000):
Hostname: registry:5000
External hostname: registry.mydomain.tld
Nginx config, which serves both the registry and portus, and handles tls via the same certificate as the registry uses for token signing:
# If the upstream registry did not set the API version header, supply a default.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
}

server {
    listen 443 ssl;
    server_name registry.mydomain.tld;
    # Docker's embedded DNS, so the compose service names resolve at request time.
    resolver 127.0.0.11 valid=30s;
    add_header Front-End-Https on;

    location / {
        # Reject docker 1.3-1.5 clients and old Go user agents. The anchor is a plain
        # "$": "\$" would match a literal dollar sign and the rule would never fire.
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }
        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
        set $upstream http://registry:5000;
        proxy_pass $upstream;
    }
}

server {
    listen 443 ssl;
    server_name portus.mydomain.tld;
    resolver 127.0.0.11 valid=30s;
    add_header Front-End-Https on;

    location / {
        set $upstream http://portus:3000;
        proxy_pass $upstream;
    }
}
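A consistency check for the split-hostname setup described in the comment above, as an added example that is not part of the original comment or of Portus. It parses the registry's 401 challenge and the claims of an issued token and reports which values disagree. The sample challenge, the unsigned sample token and all function names are constructed for illustration; it assumes the `service` value must equal the External hostname entered in Portus, as in the configuration above.

```python
import base64, json, re

# Constructed sample values, mirroring the settings in the comment above.
ENV = {
    "REGISTRY_AUTH_TOKEN_REALM": "https://portus.mydomain.tld/v2/token",
    "REGISTRY_AUTH_TOKEN_SERVICE": "registry.mydomain.tld",
    "REGISTRY_AUTH_TOKEN_ISSUER": "portus.mydomain.tld",
}
# Constructed 401 challenge, as the registry would send it on GET /v2/.
CHALLENGE = ('Bearer realm="https://portus.mydomain.tld/v2/token",'
             'service="registry.mydomain.tld"')

def parse_challenge(header):
    """Split a 'Bearer k="v",k="v"' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("registry is not using token auth: " + scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_sample_token(iss, aud):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": iss, "aud": aud}), ""])

def find_mismatches(env, challenge, token, external_hostname):
    """Return the names of values that disagree across registry, Portus and token."""
    ch, claims, bad = parse_challenge(challenge), jwt_claims(token), []
    if ch.get("realm") != env["REGISTRY_AUTH_TOKEN_REALM"]:
        bad.append("realm")
    if not (ch.get("service") == env["REGISTRY_AUTH_TOKEN_SERVICE"] == external_hostname):
        bad.append("service")
    if claims.get("aud") != env["REGISTRY_AUTH_TOKEN_SERVICE"]:
        bad.append("aud")  # the registry rejects tokens issued for another audience
    if claims.get("iss") != env["REGISTRY_AUTH_TOKEN_ISSUER"]:
        bad.append("iss")  # the registry rejects tokens from an unexpected issuer
    return bad

if __name__ == "__main__":
    good = make_sample_token("portus.mydomain.tld", "registry.mydomain.tld")
    print(find_mismatches(ENV, CHALLENGE, good, "registry.mydomain.tld"))
```

The registry still verifies the token signature against REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE; this check only covers the hostname-derived values.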
Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Hello
All documents assume Portus is running on fqdn_x at port 3000 and the registry is running at fqdn_x at port 5000 (and most times, the port doesn't matter for this config).
But I have nginx-proxy configured to serve Portus at fqdn_portus at port 443 and registry at fqdn_registry at port 443.
I can't get how I can make the registry authentication to Portus work. What is the configuration I need for the following variables:
REGISTRY_AUTH_TOKEN_REALM
REGISTRY_AUTH_TOKEN_SERVICE
REGISTRY_AUTH_TOKEN_ISSUER
Are other variables related to this authentication? (Please disregard SSL issues, just auth.)
Thanks