@parente
Last active April 3, 2023 16:00
nginx.conf recipe for username-based authorization levels for a Docker registry
user www-data;
worker_processes 1;
daemon off;

events {
    worker_connections 1024;
}

http {
    upstream docker-registry {
        server registry:5000;
    }

    server {
        listen 443 ssl;
        server_name registry.mydomain.org;

        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        # no limit on upload size, so large image layers can be pushed
        client_max_body_size 0;
        chunked_transfer_encoding on;

        # note: nginx inherits these proxy_set_header lines only into locations
        # that define no proxy_set_header of their own
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Authorization "";

        # protected by basic authentication, delegates to /_auth for push/pull authorization
        location / {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;

            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
            auth_request /_auth;
        }

        # authorization subrequest target: 200 allows the request, 403 denies it
        location /_auth {
            if ($remote_user ~* "^admin-?.*$") {
                # admin* is allowed to do anything
                return 200;
            }
            if ($request_method ~* "^(GET|HEAD)$") {
                # all other authed users can only GET/HEAD
                return 200;
            }
            # anonymous users can do nothing
            return 403;
        }

        # all users can access /v1/users to authenticate
        location /v1/users {
            proxy_pass http://docker-registry;
            proxy_set_header Host $host;
            proxy_read_timeout 900;

            auth_basic "Docker Registry";
            auth_basic_user_file /etc/nginx/registry_users;
        }

        # ping end points require no authentication
        location /_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
        location /v1/_ping {
            proxy_pass http://docker-registry;
            auth_basic off;
        }
    }
}
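
An added audit sketch, not part of the gist: it applies the two `/_auth` regexes to the usernames in an htpasswd-format file to show which accounts end up with push rights, since the case-insensitive `^admin-?.*$` pattern matches any name that merely begins with "admin". The sample user file, the `intended_admins` set and the function names are constructed for illustration.

```python
import re

# Patterns copied from the gist's /_auth location; nginx "~*" is case-insensitive.
ADMIN_RE = re.compile(r"^admin-?.*$", re.IGNORECASE)
READ_RE = re.compile(r"^(GET|HEAD)$", re.IGNORECASE)

def auth_status(user, method):
    """Status the /_auth subrequest returns for an already authenticated user."""
    if ADMIN_RE.search(user):
        return 200          # first "if" block: admin* may do anything
    if READ_RE.search(method):
        return 200          # second "if" block: everyone else may GET/HEAD
    return 403

def parse_users(htpasswd_text):
    """Usernames from htpasswd-format text (user:hash per line, '#' comments)."""
    users = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.append(line.split(":", 1)[0])
    return users

def audit(htpasswd_text, intended_admins):
    """Return (accounts allowed to push, those not on the intended list)."""
    writers = [u for u in parse_users(htpasswd_text)
               if auth_status(u, "PUT") == 200]
    unintended = [u for u in writers if u not in intended_admins]
    return writers, unintended

# Constructed sample file; the hashes are placeholders, not real credentials.
SAMPLE = """\
# registry_users (constructed)
admin:$apr1$PLACEHOLDER
admin-ci:$apr1$PLACEHOLDER
Administrator:$apr1$PLACEHOLDER
adminton:$apr1$PLACEHOLDER
alice:$apr1$PLACEHOLDER
"""

if __name__ == "__main__":
    writers, unintended = audit(SAMPLE, {"admin", "admin-ci"})
    print("push allowed:", writers)
    print("not on the intended list:", unintended)
    for method in ("GET", "HEAD", "PUT", "DELETE"):
        print("alice", method, auth_status("alice", method))
```

Running it against the real `/etc/nginx/registry_users` before adding accounts shows whether a new username would silently receive write access.
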
@JumpingSpottedTiger
it'd be great if you could update this to v2

@StefanPanait
+1

@peebles
peebles commented Oct 26, 2016

+1

@s4l3h1
s4l3h1 commented Aug 17, 2017

Easy & Nice :) +1
