## Set a variable to help us decide if we need to add the ## 'Docker-Distribution-Api-Version' header. ## The registry always sets this header. ## In the case of nginx performing auth, the header is unset ## since nginx is auth-ing before proxying. map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { '' 'registry/2.0'; } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 listen 80; client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 200m; # save logs here server_name ${SERVER_NAME}; # Pass this particular URL off to certbot, to authenticate HTTPS certificates location '/.well-known/acme-challenge' { default_type "text/plain"; proxy_pass http://localhost:1337; } location / { return 301 https://${DOLLAR}host${DOLLAR}request_uri; } } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 listen 5004 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 0; ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; # save logs here #access_log /var/log/nginx/access.log compression; # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) chunked_transfer_encoding on; server_name ${SERVER_NAME}; location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { return 404; } add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; proxy_set_header Host ${DOLLAR}http_host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; proxy_buffering off; proxy_pass ${REGISTRY_PROXY_PASS}; } }