
Tuesday, 12 December 2023

Deploy a container registry server in 3 ways

0 Facts

  • Server dns name: registry.example.com
  • Registry service has to be served at the ROOT URL

1 Without Proxy

The registry container can run independently by handling TLS itself.

1.1 folders and files

  • data/
  • certs/registry.example.com.crt
  • certs/registry.example.com.key
  • auth/htpasswd
  • compose.yml

1.2 compose.yml

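# Standalone registry: the container terminates TLS itself with the
# certificate/key mounted from ./certs and authenticates with htpasswd.
# Environment is written in map form so YAML handles the quoting; in the
# list form ("- KEY=\"value\"") the quotes may reach the process literally,
# which would break a value such as REGISTRY_HTTP_ADDR.
services:
  registry:
    image: "registry:2"
    volumes:
      - ./data:/var/lib/registry
      - ./auth:/auth
      - ./certs:/certs
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
      # the registry only accepts bcrypt entries (htpasswd -Bbn user pass)
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      # bind address inside the container; only the published port below is exposed
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.example.com.crt
      REGISTRY_HTTP_TLS_KEY: /certs/registry.example.com.key
    ports:
      # the registry must be served at the root URL, so it takes the host's 443 directly
      - "443:5000"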

2 Apache httpd as proxy

In this case, Apache httpd works as a reverse proxy for the registry. It is important to set the necessary headers to make it work.

Httpd is not containerized in this case.

2.1 folders and files

  • data/
  • auth/htpasswd
  • compose.yml

2.2 compose.yml

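# Registry behind a host-level Apache httpd reverse proxy (httpd terminates TLS).
# The registry itself speaks plain HTTP, so its published port is bound to the
# loopback interface: httpd proxies to 127.0.0.1:5000 (see the httpd conf) and
# nothing else on the network can reach the unencrypted endpoint, where the
# htpasswd credentials would otherwise travel in clear text past the TLS proxy.
# Environment is in map form so YAML handles the quoting instead of the quotes
# possibly being passed to the process literally.
services:
  registry:
    image: "registry:2"
    volumes:
      - ./data:/var/lib/registry
      - ./auth:/auth
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
      # the registry only accepts bcrypt entries (htpasswd -Bbn user pass)
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
    ports:
      # loopback only: reachable by the local httpd, not by the network
      - "127.0.0.1:5000:5000"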

2.3 httpd conf

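# ..... (the enclosing VirtualHost / SSL directives are elided by the author)
## registry
# Keep the client's Host header on the proxied request. "Header set Host"
# only rewrites *response* headers, so the backend would otherwise see the
# Host of the ProxyPass target and presumably build its redirect URLs from it.
ProxyPreserveHost On
# Tell the registry the client connection is TLS so generated URLs use https.
RequestHeader set X-Forwarded-Proto "https"
# Upper bound for a single request body, i.e. image layer uploads (bytes).
LimitRequestBody 500000000

ProxyPass "/" "http://127.0.0.1:5000/"
# Rewrite Location headers coming back from the backend to the public URL.
ProxyPassReverse "/" "http://127.0.0.1:5000/"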

3 Nginx as proxy

Unlike Apache httpd, Nginx automatically sets the necessary headers. Here both Nginx and the registry run as containers.

3.1 folders and files

  • nginx/templates/default.conf.template
  • nginx/certs/registry.example.com.crt
  • nginx/certs/registry.example.com.key
  • auth/htpasswd
  • compose.yml

3.2 compose.yml

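# login as: docker login registry.example.com
# Both nginx and the registry run as containers. nginx terminates TLS and is
# the only service with a published port; the registry is reachable only over
# the internal "backend" network, so its plain-HTTP listener is never exposed
# to the host network.
services:
  nginx:
    # NOTE(review): an untagged image resolves to :latest and changes under you;
    # pin a version tag for reproducible deployments
    image: nginx
    restart: always
    volumes:
      # *.template files are rendered by the image's entrypoint into /etc/nginx/conf.d
      - ./nginx/templates:/etc/nginx/templates
      - ./nginx/certs:/etc/nginx/certs
    ports:
      - "443:443"
    networks:
      - frontend
      - backend

  registry:
    image: "registry:2"
    restart: always
    volumes:
      - data:/var/lib/registry
      - ./auth:/auth
    # map form so YAML handles the quoting instead of passing quotes literally
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
      # the registry only accepts bcrypt entries (htpasswd -Bbn user pass)
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
    networks:
      - backend

# named volume and networks with default settings; explicit {} instead of a
# bare null value, indented consistently with the rest of the file
volumes:
  data: {}

networks:
  frontend: {}
  backend: {}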

3.3 nginx/templates/default.conf.template

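# Rendered by the nginx image's entrypoint with envsubst; only variables that
# are set in the container environment get substituted, so nginx's own
# $http_host / $scheme style variables below are presumably left intact —
# verify the rendered /etc/nginx/conf.d/default.conf after the first start.
server {
    listen       443 ssl;
    server_name  registry.example.com;
    # relative paths resolve under the nginx prefix (/etc/nginx), which is
    # where compose.yml mounts ./nginx/certs
    ssl_certificate     certs/registry.example.com.crt;
    ssl_certificate_key certs/registry.example.com.key;

    location / {
        # source allowlist; any other client is rejected before authentication
        allow 158.100.132.0/24;
        allow 112.150.249.38;
        deny  all;

        # upper bound for a single request body, i.e. image layer uploads
        client_max_body_size 500M;

        # nginx does not forward the client's Host or scheme on its own; the
        # registry uses them to build the URLs it returns (e.g. upload
        # Location headers), so pass them through explicitly.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "registry" is the compose service name on the shared backend network
        proxy_pass http://registry:5000/;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}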


