@parente /nginx.conf
Last active Apr 11, 2017

nginx.conf recipe for username-based authorization levels for a Docker registry
user www-data;
worker_processes 1;
daemon off;

events {
    worker_connections 1024;
}

http {
    upstream docker-registry {
        server registry:5000;
    }

    server {
        listen 443 ssl;
        server_name registry.mydomain.org;

        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        # no limit on upload size, so large image layers can be pushed
        client_max_body_size 0;
        chunked_transfer_encoding on;

        # note: nginx inherits proxy_set_header from this level only into
        # locations that define no proxy_set_header of their own, so these
        # three do not apply in "location /" and "location /v1/users" below
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization "";

        # protected by basic authentication, delegates to /_auth for push/pull authorization
        location / {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
            auth_request /_auth;
        }

        # auth_request target: 200 lets the original request through, 403 refuses it
        location /_auth {
            if ($remote_user ~* "^admin-?.*$") {
                # admin* is allowed to do anything
                # (case-insensitive; matches every username that starts with "admin")
                return 200;
            }
            if ($request_method ~* "^(GET|HEAD)$") {
                # all other authed users can only GET/HEAD
                return 200;
            }
            # any other request (a write from a non-admin user) is refused
            return 403;
        }

        # all users can access /v1/users to authenticate
        location /v1/users {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;
            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
        }

        # ping endpoints require no authentication
        location /_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
        location /v1/_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
    }
}
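To audit which accounts this policy lets push, the two `if` tests in `/_auth` can be replayed against the usernames in the `auth_basic_user_file`. This is an added example, not part of the gist; the sample file contents, placeholder hashes and function names are constructed for illustration.

```python
import re

# Same patterns as the two `if` tests in /_auth; nginx `~*` is case-insensitive.
ADMIN_RE = re.compile(r"^admin-?.*$", re.IGNORECASE)
READ_RE = re.compile(r"^(GET|HEAD)$", re.IGNORECASE)

def auth_status(remote_user, method):
    """Status the /_auth subrequest returns for a user/method pair."""
    if ADMIN_RE.search(remote_user or ""):
        return 200          # first `if`: admin* may do anything
    if READ_RE.search(method):
        return 200          # second `if`: everyone else is read-only
    return 403

def htpasswd_users(text):
    """Usernames from htpasswd-format text (user:hash per line)."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.append(line.split(":", 1)[0])
    return users

def push_capable(text):
    """Users whose PUT requests pass /_auth, i.e. who can push."""
    return [u for u in htpasswd_users(text) if auth_status(u, "PUT") == 200]

# Constructed sample; the hashes are placeholders, not real credentials.
SAMPLE = """\
# registry_users (constructed example)
admin:$apr1$PLACEHOLDER
admin-ci:$apr1$PLACEHOLDER
Administrator:$apr1$PLACEHOLDER
adminton:$apr1$PLACEHOLDER
alice:$apr1$PLACEHOLDER
build-admin:$apr1$PLACEHOLDER
"""

if __name__ == "__main__":
    for user in htpasswd_users(SAMPLE):
        verdict = {m: auth_status(user, m) for m in ("GET", "PUT", "DELETE")}
        print(f"{user:15} {verdict}")
    print("can push:", push_capable(SAMPLE))
```

Any name in the output that was not meant to be an administrator (here `Administrator` and `adminton`) gains push rights purely through its prefix, so account naming is part of the access policy with this recipe.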

it'd be great if you could update this to v2

peebles commented Oct 26, 2016

+1
