docker-registry-proxy

Registry proxy behind nginx and ssl

Open rLoka opened this issue 1 year ago • 3 comments

Hi, I am trying to get this proxy working behind another nginx on 443.

This is my nginx configuration, could you help me to get this working? Unfortunately, I am limited to only 443 being open on a machine, and there are multiple services being proxified through 443 as well.

  # Proxy /v2 paths to docker registry proxy.
  location /v2 {
    set $registry_proxy registry_proxy;
    resolver 127.0.0.11;
    proxy_pass http://$registry_proxy:3128/$request_uri;
    proxy_read_timeout 7200; # 2 hours because that's the maximum web app expects.
    proxy_send_timeout 7200;
  }

rLoka Jul 26 '24 14:07

Same issue here, although I'm limited to port 80. The main issue does not seem to be the reverse proxy; this seems to work with these settings.

    # Docker Registry Proxy on /registry
    location /registry/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Strip the /registry prefix before proxying
        # rewrite ^/registry/(.*)$ /$1 break; # maybe not needed

        # Proxy pass to Docker Registry Proxy
        proxy_pass http://192.168.106.52:3128;

        # Add additional headers for Docker registry if needed
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }

My main issue seems to be in the call from the client, where I get a "Bad Request".

njoye Oct 23 '24 08:10

Tried various ways to get this to run for the last 2-3 hours now and can't seem to figure it out. @rpardini - you mentioned in #80 that you had seen how this could be configured already? Or was that just in relation to a "normal" forwarding of "location /" to port 3128? Although I believe that even that would be very helpful already.

njoye Oct 23 '24 10:10

Figured it out. Essentially the only way to properly get this done is by not terminating the TLS stuff, which you can only do if you proxy the TCP packets instead of the HTTP requests. This can be done by using the stream configuration in nginx.conf. Still have to figure out if it's possible to make it work with locations or how to distinguish between traffic for the normal webserver and for the docker registry, but that's a problem for another time.

njoye Oct 23 '24 12:10
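
One way to set up the TCP passthrough described in the last comment, including the open question of telling website traffic from registry-proxy traffic on a single port. This is an added example, not configuration from the thread or from the project. It assumes Docker clients reach the registry proxy with plaintext HTTP proxy requests while the website's clients open TLS; the `127.0.0.1:8443` address for the existing HTTPS server is hypothetical.

```nginx
# nginx.conf, top level: a sibling of the http {} block, not inside it.
# Requires the stream module and ngx_stream_ssl_preread_module.
stream {
    # $ssl_preread_protocol is empty when the first bytes from the client
    # are not a TLS ClientHello.
    # Assumption: registry-proxy clients send plaintext proxy requests,
    # everything else on this port is TLS for the regular website.
    map $ssl_preread_protocol $backend {
        ""      registry_proxy;
        default website;
    }

    upstream registry_proxy {
        server 192.168.106.52:3128;   # proxy address used earlier in the thread
    }

    upstream website {
        server 127.0.0.1:8443;        # hypothetical: existing HTTPS server moved off 443
    }

    server {
        listen 443;                   # raw TCP: no "ssl" parameter, TLS is not terminated here
        ssl_preread on;               # inspect the ClientHello without consuming it
        proxy_pass $backend;
        proxy_connect_timeout 5s;
        proxy_timeout 7200s;          # idle timeout, same 2 hours as the first config
    }
}
```

Because the stream server forwards bytes without inspecting HTTP, every client that can reach port 443 can also reach the proxy on 3128, so any access restriction has to be enforced at the network layer or on the proxy itself. The backends also see nginx's address as the client address unless the PROXY protocol is enabled on both sides.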