@parente parente/nginx.conf
Last active Sep 27, 2019

nginx.conf recipe for username-based authorization levels for a Docker registry
user www-data;
worker_processes 1;
daemon off;

events {
    worker_connections 1024;
}

http {
    upstream docker-registry {
        server registry:5000;
    }

    server {
        listen 443 ssl;
        server_name registry.mydomain.org;
        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        # no body size limit, so large image layers can be pushed
        client_max_body_size 0;
        chunked_transfer_encoding on;

        # note: a location that sets its own proxy_set_header does not inherit these three
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization "";

        # protected by basic authentication, delegates to /_auth for push/pull authorization
        location / {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
            auth_request /_auth;
        }

        # authorization decision for the auth_request subrequest from "location /"
        location /_auth {
            if ($remote_user ~* "^admin-?.*$") {
                # admin* is allowed to do anything (case-insensitive prefix match)
                return 200;
            }
            if ($request_method ~* "^(GET|HEAD)$") {
                # all other authed users can only GET/HEAD
                return 200;
            }
            # everything else (write methods from non-admin users) is denied
            return 403;
        }

        # all users can access /v1/users to authenticate
        location /v1/users {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
        }

        # ping end points require no authentication
        location /_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
        location /v1/_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
    }
}
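
An added example (not part of the original gist): a Python model of the two `if` tests in `/_auth`, run over an htpasswd-style user list to show which accounts in a `registry_users` file end up with push rights under the `^admin-?.*$` prefix match. The sample file, the placeholder hashes, and the function names are constructed for illustration.

```python
import re

# The two patterns from the /_auth location; nginx's ~* is case-insensitive.
ADMIN_RE = re.compile(r"^admin-?.*$", re.IGNORECASE)
READ_RE = re.compile(r"^(GET|HEAD)$", re.IGNORECASE)


def auth_status(remote_user, method):
    """Status code /_auth returns for a given $remote_user and $request_method."""
    if ADMIN_RE.search(remote_user):
        return 200  # any username starting with "admin" may do anything
    if READ_RE.search(method):
        return 200  # everyone else is limited to read methods
    return 403


def parse_htpasswd(text):
    """Yield usernames from htpasswd-format text (one user:hash per line)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        yield line.split(":", 1)[0]


def push_capable(text):
    """Usernames allowed to use write methods (PUT stands in for any push)."""
    return [u for u in parse_htpasswd(text) if auth_status(u, "PUT") == 200]


# Constructed sample file; the hashes are placeholders, not real credentials.
SAMPLE_USERS = """\
# constructed example accounts
admin:$apr1$placeholder$hash
admin-ci:$apr1$placeholder$hash
Administrator2:$apr1$placeholder$hash
alice:$apr1$placeholder$hash
build-admin:$apr1$placeholder$hash
"""

if __name__ == "__main__":
    for user in parse_htpasswd(SAMPLE_USERS):
        verdicts = {m: auth_status(user, m) for m in ("GET", "PUT", "DELETE")}
        print(f"{user:16} {verdicts}")
    print("push-capable:", push_capable(SAMPLE_USERS))
```

Running the same check against the real user file before adding an account shows whether its name will fall into the admin tier.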
@JumpingSpottedTiger

commented Nov 6, 2015

it'd be great if you could update this to v2

@StefanPanait

commented Dec 8, 2015

+1

@peebles

commented Oct 26, 2016

+1

@s4l3h1

commented Aug 17, 2017

Easy & Nice :) +1
