I am trying to set up a private docker registry behind an nginx proxy that is read-only (i.e. allows pull requests) for everyone but requires authentication for push requests. I have followed various guides but am still stumped. Below is my current nginx configuration:
events {
    worker_connections 1024;
}
http {
    upstream docker-registry {
        server registry:5000;
    }
    ## Set a variable to help us decide if we need to add the
    ## 'Docker-Distribution-Api-Version' header.
    ## The registry always sets this header.
    ## In the case of nginx performing auth, the header is unset
    ## since nginx is auth-ing before proxying.
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        'registry/2.0' '';
        default registry/2.0;
    }
    server {
        listen 80;
        server_name docker-host.example.com;
        location / {
            rewrite ^(.*)$ https://docker-host.example.com$1 last;
        }
    }
    server {
        listen 443 ssl;
        server_name docker-host.example.com;
        ssl_certificate /etc/nginx/ssl/example.cert.pem;
        ssl_certificate_key /etc/nginx/ssl/example.key.pem;
        ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        client_max_body_size 0;
        location / {
            limit_except GET HEAD OPTIONS {
                auth_basic "Restricted";
                auth_basic_user_file /etc/nginx/users.pwd;
            }
            include proxy.conf;
        }
    }
}
It does allow anonymous pull requests but push always fails with 'unauthorized: authentication required'. If I remove the conditional limit_except, i.e. require authentication for all access, it works just fine after logging in.
When I remove the authentication configuration from nginx entirely, everything works as well, but obviously without authentication.
Any help or pointers would be greatly appreciated.
We have been using https://github.com/cesanta/docker_auth and it works pretty well; you can set up many authentication methods.
For more info, check:
https://github.com/cesanta/docker_auth/blob/master/README.md
The "unauthorized: authentication required" error comes from the registry API. That means you have auth enabled in the registry itself. Either disable auth in the registry and use nginx basic auth only, or proxy-pass the "Authorization" header with related data (tricky).
Related
I have, what I hope is, a simple question. I am running Nginx and some applications in Docker containers. Some of the applications run on the same host as Nginx. I can access an application using, for example, app.example.com, but I want to access the same application using example.com/app. I cannot figure out how to define the server block with location /app. I would like to achieve something like:
server {
    listen 80;
    server_name app.example.com;
    location / {
        proxy_pass app-srv:port;
    }
}
server {
    listen 80;
    server_name example.com;
    location /app {
        What do I place here?
    }
}
Edit: with additional information.
My server configuration is:
server {
    listen 80;
    server_name openhab.aronica-sys;
    location / {
        proxy_pass http://openhab:8081;
    }
}
server {
    listen 80;
    server_name aronica-sys;
    location /openhab/ {
        proxy_pass http://openhab:8081/;
    }
}
openhab in the proxy_pass statements is the Docker virtual address for the openHAB server.
'openhab.aronica-sys' gets:
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/ui/tiles".
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/".
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/habot/greet".
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/ui/components/ui:widget".
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/ui/components/ui:page".
VM6:1 XHR finished loading: GET "http://openhab.aronica-sys/rest/items?metadata=semantics,listWidget,widgetOrder".
VM6:1 XHR finished loading: POST "http://openhab.aronica-sys/rest/events/states/2e0eee99-770f-498b-bd9f-736777096c30".
VM6:1 XHR finished loading: POST "http://openhab.aronica-sys/rest/events/states/2e0eee99-770f-498b-bd9f-736777096c30".
aronica-sys/openhab gets:
VM6:1 GET http://aronica-sys/rest/ui/tiles 404 (Not Found)
VM6:1 GET http://aronica-sys/rest/ 404 (Not Found)
VM6:1 XHR failed loading: GET "http://aronica-sys/rest/ui/tiles".
aronica-sys/:1 Uncaught (in promise) Not Found
aronica-sys/:1 Uncaught (in promise) Not Found
VM6:1 XHR failed loading: GET "http://aronica-sys/rest/".
I do not know how to interpret the above information nor how to proceed.
You will need something like:
server {
    listen 8080;
    server_name app.example.com;
    location / {
        proxy_pass http://localhost:9090;
    }
}
server {
    listen 8080;
    server_name example.com;
    location /app/ {
        proxy_pass http://localhost:9090/;
    }
}
Please be careful with the slashes used in location and in proxy_pass; they are quite important! For an explanation of the slashes, you can check: https://stackoverflow.com/a/51225241/83037
Edit: with the above configuration your actual server process will receive the request without any modification to the host part. If you use in a browser http://app.example.com/file.html the server will receive a request for http://app.example.com/file.html (same host app.example.com). If you use in a browser http://example.com/app/file.html the server will receive a request for http://example.com/file.html (same host example.com, different path).
Generally, a server could "care" about the hostname, and/or could "care" about the path. In the example above, if it does not "care" about the hostname, it will "interpret" the request as "give me /file.html", but if it "cares" about the hostname, it will be configured to work only for a set of hostnames: the server might answer for example.com but not for app.example.com.
Based on your addition, your server is configured to answer only to one specific hostname (it "cares" about the hostname). In that case you can make nginx "rewrite" the incoming request such that your server "sees" only one hostname. For example, if you use in a browser http://example.com/app/file.html the server will receive a request for http://app.example.com/file.html (notice example.com changed to app.example.com).
The configuration for that is:
server {
    listen 8080;
    server_name app.example.com;
    location / {
        proxy_pass http://localhost:9090;
        proxy_set_header Host app.example.com;
    }
}
server {
    listen 8080;
    server_name example.com;
    location /app/ {
        proxy_pass http://localhost:9090/;
        proxy_set_header Host app.example.com;
    }
}
WARNING! The server can still show you links to the domain it is configured for. In your case, the server might show (or build with JavaScript) a link to "http://openhab.aronica-sys/my_page.html". If that is an issue for you, I would suggest opening another question - this question is about the virtual directory.
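The slash rule from the answer above, as an added Python model (not code from the answer or from nginx): it computes the path nginx sends upstream for a prefix `location` and a `proxy_pass` with or without a URI part. The function names are hypothetical, and regex locations, variables in `proxy_pass`, `rewrite` and URI normalization are deliberately not modelled.

```python
from urllib.parse import urlsplit

def upstream_uri(location, proxy_pass, request_uri):
    """Return the URI sent upstream, or None when the prefix location does not match."""
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        return None
    # "" when proxy_pass is only scheme://host[:port]; "/" or longer otherwise.
    uri_part = urlsplit(proxy_pass).path
    if uri_part == "":
        mapped = path  # no URI part: the request path is passed unchanged
    else:
        mapped = uri_part + path[len(location):]  # matched prefix replaced by URI part
    return mapped + sep + query

def slash_mismatch(location, proxy_pass):
    """True when only one side ends in '/', which yields '//x' or a glued 'basex' path."""
    uri_part = urlsplit(proxy_pass).path
    return uri_part != "" and location.endswith("/") != uri_part.endswith("/")

if __name__ == "__main__":
    # location / proxy_pass pairs from the page, plus two variants for contrast.
    cases = [
        ("/app/", "http://localhost:9090/", "/app/file.html"),
        ("/app/", "http://localhost:9090", "/app/file.html"),
        ("/app", "http://localhost:9090/", "/app/file.html"),
        ("/openhab/", "http://openhab:8081/", "/openhab/rest/ui/tiles"),
        # Absolute path the UI requested in the question's 404 lines: no match.
        ("/openhab/", "http://openhab:8081/", "/rest/ui/tiles"),
    ]
    for loc, target, req in cases:
        flag = " (slash mismatch)" if slash_mismatch(loc, target) else ""
        print(f"{loc:10} {target:24} {req:24} -> {upstream_uri(loc, target, req)}{flag}")
```

The last case shows why the openHAB UI returns 404 under the sub-path: the page requests `/rest/...` from the site root, which never reaches the `/openhab/` location.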
I'm trying to use nginx to reverse proxy some services like Kanboard, PgAdmin, StackStorm, Grafana, etc. Using location /kanboard/ and /pgadmin/ I'm redirected correctly but the page can't import js and css files. Note: I am using docker for the services and nginx.
I've already tried some proxy_pass params but didn't succeed.
Nginx config
# /etc/nginx/nginx.conf
events {}
http {
    server {
        listen 80;
        location /kanboard/ {
            proxy_pass http://kanboard;
        }
        location /pgadmin/ {
            proxy_pass http://pgadmin;
        }
    }
}
Accessing localhost/kanboard, I expected to be redirected to localhost/kanboard/login, but I am redirected to localhost/login.
When I access localhost/pgadmin, the js and css files fail to import; on the network tab, all the headers are to localhost/static/... instead of localhost/pgadmin/static/...
I'm trying to set up nginx to return an https URL for all http requests.
The problem is that it returns the https URL without the www, which results in an invalid URL.
Here is my config:
server {
    listen 80;
    server_name my_server;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/my_pem.pem;
    ssl_certificate_key /etc/ssl/my_key.key;
    server_name my_server;
    access_log /var/log/nginx/my_log.access.log;
    ...
}
I've tried including www in the server_name and also specifying the explicit url with www for the 301 return.
Everything resulted in invalid url.
I've noticed though that when I'm logged in the application and I change https to http and trigger the request the redirect works. When I'm logged out, the redirect fails and renders the https url without the www.
Then I tried with only server_name like so: return 301 https://$server_name but that didn't work either.
I'd like users not to have to worry about the URL they specify. The URL is put together as follows: www.one.two-three.com
<<< EDIT >>>
This works: http://www.one.two-three.com/some_request
and this doesn't: http://www.one.two-three.com
<<< EDIT >>>
<<< EDIT 1 >>>
By typing www.one.two-three.com in the URL line in Chrome/Chromium it redirects to https://www.one.two-three.com.
In Firefox it returns https://one.two-three.com
<<< EDIT 1 >>>
Can someone help with this?
Thank you.
Seba
The pattern I use to solve this has 2 parts. First, I set up explicit redirects to go from HTTP to the correct HTTPS URL, as well as from the bare HTTP to "www" HTTPS. Second, this means I may not rely on $server_name and so I have a maintainable bit of duplication in my config.
server {
    listen 80;
    server_name www.example.com example.com example.biz example.us www.example.biz www.example.us;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443;
    server_name example.com example.biz example.us www.example.biz www.example.us;
    ssl on;
    ssl_certificate /etc/ssl/com.example.crt;
    ssl_certificate_key /etc/ssl/com.example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443;
    server_name www.example.com;
    ...
}
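Several configs on this page enable TLSv1 and TLSv1.1, and the answer above also enables RC4 and uses `ssl on`. As an added example (not the answerer's code), this Python check flags those directives in an nginx config; the function name and word lists are assumptions and a minimal baseline, not a complete TLS policy.

```python
import re

# TLS 1.0/1.1 are deprecated by RFC 8996; RC4 is prohibited by RFC 7465.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = {"RC4", "DES", "3DES", "MD5", "EXP", "EXPORT",
                     "LOW", "NULL", "aNULL", "eNULL"}

def audit_tls(conf):
    """Return findings for the TLS directives in an nginx config string."""
    findings = []
    # Drop comments, then split into statements on ';', '{' and '}'.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for stmt in re.split(r"[;{}]", text):
        words = stmt.replace("'", " ").replace('"', " ").split()
        if not words:
            continue
        name, args = words[0], words[1:]
        if name == "ssl_protocols":
            findings += [f"ssl_protocols enables {p}" for p in args if p in WEAK_PROTOCOLS]
        elif name == "ssl_ciphers":
            for entry in "".join(args).split(":"):
                # '!' and '-' remove ciphers, '+' only reorders: none enables anything.
                if not entry or entry[0] in "!-+":
                    continue
                weak = [w for w in entry.split("+") if w in WEAK_CIPHER_WORDS]
                findings += [f"ssl_ciphers enables {w}" for w in weak]
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is obsolete; use 'listen 443 ssl'")
    return findings

# TLS lines copied from the answer above.
ANSWER_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
"""
# TLS lines copied from the registry question at the top of the page.
REGISTRY_CONF = """
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for label, conf in (("answer", ANSWER_CONF), ("registry", REGISTRY_CONF)):
        print(label, audit_tls(conf))
```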
I need to set up HTTPS for my website (Nginx, Rails 4). I used the directions from this post.
I did everything up until the part where it says "Configure your Nginx server to use the new key and certificate".
The problem is that I don't know exactly what the nginx.conf file should look like. I found something that says how to set it up for Rails, and I tried that, but it failed to restart. This is what I added to my file (and it didn't work):
server {
    listen 443;
    ssl on;
    # path to your certificate
    ssl_certificate /etc/nginx/ssl/mysite.com.unified.crt;
    # path to your ssl key
    ssl_certificate_key /etc/nginx/ssl.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
    # put the rest of your server configuration here.
    #location / {
        # set X-FORWARDED_PROTO so ssl_requirement plugin works
        proxy_set_header X-FORWARDED_PROTO https;
        # standard rails+mongrel configuration goes here.
    }
}
I've got a Rails app deployed via nginx/passenger. It will have multiple domains pointing to it.
I'm wondering if it's possible to configure nginx so that any URL that matches [somedomain.com]/blog/ will be served by PHP/WordPress located in a different directory.
So, for example:
domain1.com, domain2.com, & domain2.com/some-resource/1 point to the Rails app at /var/rails/mainapp/
but domain1.com/blog/ goes to /var/sites/domain1.com/
and domain2.com/blog/ goes to /var/sites/domain2.com/
server {
    location /blog {
        alias /var/sites/domain1.com/;
    }
    location / {
    }
}
You need to define your /blog location before the / location.
Here is my config. Hope it helps someone.
# Redirect all requests containing 'www.your-website.ru'
# to 'your-website.ru'
server {
    listen 80;
    server_name www.your-website.ru;
    rewrite ^(.*) http://your-website.ru$1 permanent;
}
server {
    listen 80;
    server_name your-website.ru;
    access_log logs/your-website.ru.log;
    root /path-to-your-website.ru/current/public;
    #####################
    # Rails
    #####################
    location / {
        rails_env production; # this is a production server
        passenger_enabled on; #