Nginx: How to make pull public and push require login in docker registry v2?

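I start the registry as a compose container using the following directives:

However, I would like to differentiate access rights, so that anyone who is not logged in can pull images from the repository but cannot push.

In my first approach, I tried to achieve this by setting limit_ in nginx (because I use it as a frontend, as in the tutorial).

Unfortunately, pull works fine, but the docker login command does not work: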

$ docker login myhost.example.net
Username: myuser
Password: 
Email: 
Error response from daemon: no successful auth challenge for https://myhost.example.net/v2/ - errors: []
It seems that both docker pull and docker login send the same HTTP GET request, and it is hard to distinguish them:

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
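Now, let's look at the different requests and analyse them.

Docker login (http basic turned on):

After receiving 200 OK, the command fails, as described above.

Docker pull (http basic turned off):

Docker pull (http basic turned on, with credentials):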

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>

GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic cmZzY206d2llbGJyZnNjbXBvd3N6ZWN6YXN5
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
... (truncated) ...
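
Docker pull (http basic turned on, without credentials):

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>

GET /v1/repositories/my-ubuntu-image/images HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
X-Docker-Token: true
Accept-Encoding: gzip

HTTP/1.1 404 Not Found
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
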
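Looking at the last example, we can clearly see that when pull has no credentials, it tries to access the URL /v2/ twice, so we could somehow distinguish the requests when the client requests the /v2/ URL twice in a row.

I have also heard that the latest registry (version >= 2.1, I think) has built-in support for HTTP Basic Auth, but I could not find it in the documentation.

I hope I have explained the case thoroughly.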

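I found the issue thread on Docker's GitHub, so I am answering my own question. The case seems complicated. Because the registry specification is open, it is hard to say who is at fault, the docker tool or the registry.

See the issue here and other related issues:

Portus seems to be an interesting option. Thanks, {Jonathan Reinhart}! I will give it a try later.

For now, I will just restrict POST and PUT requests to requests coming from a local address or localhost (you can push omitting nginx).

So I restrict everything except GET and HEAD (HEAD is implied by GET, see the nginx manual).

This way pushes are blocked: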

Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.9.9</center>\r\n</body>\r\n</html>\r\n"

I'd like to take a look. OK, I haven't seen this tool before, it looks promising, thanks. Yes. It is young. But like you, I was looking for a good auth & frontend, and it meets my needs well.

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic eHh4Onh4eAo=
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 10:09:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

{}

GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

{
 ... (truncated) ...

POST /v2/superpartia/blobs/uploads/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Content-Length: 0
Authorization: Basic eHh4Onh4eA==
Content-Type: 
Accept-Encoding: gzip
ked from local address
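location /v2/ {
...
    # limit_except GET also lets HEAD through; every other method
    # (POST, PUT, PATCH, DELETE) must match the allow rule below
    limit_except GET {
        allow 172.x.x.x;
        deny all;
    }
...
}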
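
A fuller version of the workaround above, as an added example that is not part of the original answer: anonymous pull, push restricted by source address, and a JSON body for refused pushes in place of the HTML 403 page quoted in the error above. The upstream `registry:5000`, the certificate paths, the `172.18.0.0/16` range and the `@push_denied` location are assumptions.

```nginx
# Added example, not the poster's configuration. Assumed names: upstream
# "registry:5000", certificate paths, range 172.18.0.0/16, @push_denied.
server {
    listen 443 ssl;
    server_name myhost.example.net;
    ssl_certificate     /etc/nginx/certs/registry.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/registry.key;   # assumed path

    client_max_body_size 0;   # image layers exceed nginx's default body limit

    location /v2/ {
        # GET (and therefore HEAD) stays open to everyone: anonymous pull.
        # Every other method (POST, PUT, PATCH, DELETE) is a write and is
        # accepted only from the trusted source addresses.
        limit_except GET {
            allow 127.0.0.1;
            allow 172.18.0.0/16;   # constructed stand-in for 172.x.x.x
            deny  all;
        }

        # Refused writes get a JSON error body, not nginx's HTML 403 page.
        error_page 403 @push_denied;

        proxy_pass         http://registry:5000;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }

    location @push_denied {
        default_type application/json;
        add_header   Docker-Distribution-Api-Version registry/2.0 always;
        return 403 '{"errors":[{"code":"DENIED","message":"push is only allowed from the local network"}]}';
    }
}
```

The `allow` rules match the address nginx sees for the connection, so check the access log that remote clients do not arrive with an address inside the allowed range (for example through NAT or another proxy in front of nginx).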