1.配置https訪問:
yum install nginx httpd-tools
vim /etc/nginx/conf.d/docker-registry.conf
upstream docker-registry {
server localhost:5000;
}
server {
listen 8080;
server_name registry.wmj.com;
ssl on;
ssl_certificate /etc/ssl/nginx.crt;
ssl_certificate_key /etc/ssl/nginx.key;
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
chunked_transfer_encoding on;
location / {
# let Nginx know about our auth file
auth_basic "Docker";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://docker-registry;
}
location /_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}
# htpasswd -c docker-registry.htpassw wmj #生成http密碼
2.手動生成證書:
生成根證書
# cd /etc/pki/CA/
# touch ./{serial,index.txt}
# echo "00" > serial
爲CA生成一個私鑰
# openssl genrsa -out private/cakey.pem 2048
簽發CA證書
# openssl req -new -x509 -key private/cakey.pem -days 3650 cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Changsha
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:wmj
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:docker.wmj.com
Email Address []:[email protected]
生成nginx的key:
# cd /etc/ssl/
# openssl genrsa -out nginx.key 2048
# openssl req -new -key nginx.key -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Changsha
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:wmj
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:registry.wmj.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
簽發nginx證書:
# openssl ca -in nginx.csr -days 3650 -out nginx.crt #按兩個Y
讓系統接受自簽發的證書:
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt