1. Server-side configuration

Create the SSL certificate

# 1. First, change into the directory where you want to create the certificate and private key, for example:
cd /etc/nginx/conf.d/
# 2. Create the server private key; the command prompts you for a passphrase:
openssl genrsa -des3 -out ssl.key 2048
# 3. Create the certificate signing request (CSR). When asked for the Common Name, enter the hostname
#    clients will use (the same name as server_name in the Nginx config):
openssl req -new -key ssl.key -out ssl.csr
# 4. Strip the passphrase from the key, which would otherwise have to be typed every time Nginx loads it with SSL support:
cp ssl.key ssl.key.org
openssl rsa -in ssl.key.org -out ssl.key
#    ssl.key.org still holds the passphrase-protected copy; delete it or keep it at mode 600
# 5. Finally, self-sign the certificate with the private key and CSR from above:
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
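The five steps above yield a certificate whose only identity is its Common Name, and Docker's Go-based TLS stack ignores the CN and requires a subjectAltName, so clients fail with a "certificate relies on legacy Common Name field" error. The script below is an added example, not part of the original post: it creates a self-signed certificate with a DNS SAN in a single unencrypted step (no passphrase to strip) and checks the key/cert pair before it is handed to Nginx. The directory and hostname arguments are assumptions; it needs OpenSSL 1.1.1 or newer for -addext.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): self-signed cert with a SAN,
# plus the checks worth running before copying ssl.crt to Docker clients.
set -eu

# make_cert DIR HOSTNAME [DAYS]: write DIR/ssl.key and DIR/ssl.crt in one step.
# -nodes leaves the key unencrypted, so no passphrase has to be stripped later.
make_cert() {
  local dir="$1" host="$2" days="${3:-365}"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/ssl.key" -out "$dir/ssl.crt" 2>/dev/null
  chmod 600 "$dir/ssl.key"
}

# key_matches_cert DIR: succeed only if the public half of ssl.key equals the
# public key embedded in ssl.crt (catches a mixed-up key/cert pair).
key_matches_cert() {
  local dir="$1"
  [ "$(openssl pkey -in "$dir/ssl.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/ssl.crt" -pubkey -noout)" ]
}

# cert_has_san DIR HOSTNAME: succeed if HOSTNAME is listed as a DNS SAN.
# The SAN line is split on commas so each entry is matched as a whole.
cert_has_san() {
  openssl x509 -in "$1/ssl.crt" -noout -text | tr ',' '\n' \
    | grep -q "^[[:space:]]*DNS:$2[[:space:]]*$"
}

# cert_valid_for DIR SECONDS: succeed if the cert does not expire within SECONDS.
cert_valid_for() {
  openssl x509 -in "$1/ssl.crt" -noout -checkend "$2" >/dev/null
}

# check_cert DIR HOSTNAME: run every check and report the first failure.
check_cert() {
  key_matches_cert "$1"       || { echo "key does not match cert"; return 1; }
  cert_has_san "$1" "$2"      || { echo "no DNS SAN for $2"; return 1; }
  cert_valid_for "$1" 604800  || { echo "cert expires within 7 days"; return 1; }
  echo "ok: $1/ssl.crt is usable for $2"
}

# Usage: ./check-cert.sh /etc/nginx/conf.d my.nginx.com
if [ -n "${1-}" ] && [ -n "${2-}" ]; then check_cert "$1" "$2"; fi
```

Run make_cert once on the Nginx host, then check_cert on the same directory; the same check_cert can be pointed at a certificate produced by the CSR steps above to confirm whether it carries a SAN.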
Edit the configuration file

vi /etc/nginx/conf.d/default.conf

# The IP address can be replaced with an internal (private) IP
upstream nexus_docker_get {
    server 10.10.10.11:8082;
}
upstream nexus_docker_put {
    server 10.10.10.11:8083;
}
server {
    listen 80;
    listen 443 ssl;
    # must match the hostname clients use and the Common Name (or SAN) in the certificate
    server_name idocker.io;
    access_log /var/log/nginx/idocker.io.log;
    # certificate and private key
    ssl_certificate /etc/nginx/conf.d/ssl.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl.key;
    # TLSv1.1 is deprecated (RFC 8996); drop it unless a legacy client still needs it
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;
    # default to the push upstream
    set $upstream "nexus_docker_put";
    # GET requests are image pulls, so route them to the pull upstream; this lets pulls
    # and pushes share a single port
    if ( $request_method ~* 'GET') {
        set $upstream "nexus_docker_get";
    }
    # only the local (hosted) repository supports search, so send search requests there;
    # otherwise Nexus returns HTTP 500
    if ($request_uri ~ '/search') {
        set $upstream "nexus_docker_put";
    }
    index index.html index.htm index.php;
    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is http or https depending on the listener, so Nexus builds correct URLs for TLS clients
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Start the nginx container

vi docker-compose.yaml

version: "3"
services:
  nginx:
    image: nginx
    container_name: nginx
    restart: always
    volumes:
      - "/data/nginx/web:/usr/share/nginx/html"
      # the host directory mounted here must hold default.conf, ssl.crt and ssl.key,
      # because the container reads them from /etc/nginx/conf.d
      - "/data/nginx/conf:/etc/nginx/conf.d"
    ports:
      - "80:80"
      - "443:443"
2. Client-side usage

Edit hosts and copy the certificate

The domain defined above is for internal use only, so the test machine needs a hosts entry to resolve it, and the certificate must be copied to it; otherwise Docker reports an untrusted-certificate error.

# Run on the client machine
echo "10.10.10.11 my.nginx.com" >> /etc/hosts
mkdir -p /etc/docker/certs.d/my.nginx.com
# Then, from the Nexus host, copy the certificate created above over to the client
scp ssl.crt [email protected]:/etc/docker/certs.d/my.nginx.com

Configure the registry mirror

Add the following to /etc/docker/daemon.json and restart the Docker daemon:
{
    "registry-mirrors" : [ "https://my.nginx.com" ]
}

Test login

docker login my.nginx.com