Merge pull request #458 from bacongobbler/230-auth-basic

dmp42 · dmp42 · commit 3be0e0ba11c4 · 2014-08-20T14:27:17.000-07:00
add auth basic to nginx configuration
diff --git a/contrib/nginx.conf b/contrib/nginx.conf
@@ -7,17 +7,27 @@ upstream docker-registry {
   server localhost:5000;
 }
 
+# uncomment if you want a 301 redirect for users attempting to connect
+# on port 80
+# NOTE: docker client will still fail. This is just for convenience
+# server {
+#   listen *:80;
+#   server_name my.docker.registry.com;
+#   return 301 https://$server_name$request_uri;
+# }
+
 server {
   listen 443;
   server_name my.docker.registry.com;
 
   ssl on;
   ssl_certificate /etc/ssl/certs/docker-registry;
   ssl_certificate_key /etc/ssl/private/docker-registry;
-  
-  proxy_set_header Host       $http_host;   # required for docker client's sake
-  proxy_set_header X-Real-IP  $remote_addr; # pass on real client's IP
-  
+
+  proxy_set_header Host           $http_host;   # required for docker client's sake
+  proxy_set_header X-Real-IP      $remote_addr; # pass on real client's IP
+  proxy_set_header Authorization  ""; # see https://github.com/dotcloud/docker-registry/issues/170
+
   client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
 
   # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
@@ -26,8 +36,21 @@ server {
   location @my_411_error {
     chunkin_resume;
   }
-  
+
   location / {
-    proxy_pass http://docker-registry;
+    proxy_pass          http://docker-registry;
+    proxy_set_header    Host  $host;
+    proxy_read_timeout  900;
+
+    auth_basic            "Restricted";
+    auth_basic_user_file  docker-registry.htpasswd;
+  }
+
+  location /_ping {
+    auth_basic off;
+  }
+
+  location /v1/_ping {
+    auth_basic off;
   }
 }
diff --git a/contrib/nginx_1-3-9.conf b/contrib/nginx_1-3-9.conf
@@ -5,23 +5,46 @@ upstream docker-registry {
   server localhost:5000;
 }
 
+# uncomment if you want a 301 redirect for users attempting to connect
+# on port 80
+# NOTE: docker client will still fail. This is just for convenience
+# server {
+#   listen *:80;
+#   server_name my.docker.registry.com;
+#   return 301 https://$server_name$request_uri;
+# }
+
 server {
   listen 443;
   server_name my.docker.registry.com;
 
   ssl on;
   ssl_certificate /etc/ssl/certs/docker-registry;
   ssl_certificate_key /etc/ssl/private/docker-registry;
-  
-  proxy_set_header Host       $http_host;   # required for docker client's sake
-  proxy_set_header X-Real-IP  $remote_addr; # pass on real client's IP
-  
+
+  proxy_set_header Host           $http_host;   # required for docker client's sake
+  proxy_set_header X-Real-IP      $remote_addr; # pass on real client's IP
+  proxy_set_header Authorization  ""; # see https://github.com/dotcloud/docker-registry/issues/170
+
   client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
 
   # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   chunked_transfer_encoding on;
-  
+
   location / {
-    proxy_pass http://docker-registry;
+    proxy_pass          http://docker-registry;
+    proxy_set_header    Host  $host;
+    proxy_read_timeout  900;
+
+    auth_basic            "Restricted";
+    auth_basic_user_file  docker-registry.htpasswd;
+  }
+
+  location /_ping {
+    auth_basic off;
+  }
+
+  location /v1/_ping {
+    auth_basic off;
   }
 }
