I have set up a Docker registry that is only reachable via localhost, and in front of it an nginx proxy that is reachable from the outside and forwards the request to the registry if it is authorized. I followed this tutorial to use client certificates.
I finally got nginx running and correctly authorizing requests coming from a browser (if I import the .pfx certificate into the browser, the server responds; if I don't, it returns 403, which is the desired behaviour).
I am now trying to talk to my registry through the docker client (via nginx) using login, pull and push:
docker login 10.11.2.7:5043
docker pull 10.11.2.7:5043/my-ubuntu
docker push 10.11.2.7:5043/my-ubuntu
The problem I am facing is that no matter what I try, I always get a 400 response containing a small piece of HTML:
No required SSL certificate was sent
Both the registry and the docker client doing the pull/push run on Ubuntu. The same problem occurs when the pull/push is requested from the same machine the registry/nginx run on, and when it is requested from another docker client.
I have tried:
placing the certificate under /usr/local/share/ca-certificates/test and running
sudo update-ca-certificates
creating the file /etc/docker/daemon.json with the following content:
{ "insecure-registries": ["10.11.2.7:5043"] }
restarting the docker engine in every case.
I still get the same error.
This is the content of my /etc/docker/certs.d/:
10.11.2.7:5043/
user.cert
user.key
Additional information: the registry listens on port 5000. Nginx listens on 5043 (https). After every pull/push attempt the following log shows up on nginx:
Aug 17 15:55:15 alkis-Latitude-E6530 dockerd[18438]: time="2018-08-17T15:55:15.323847790+02:00" level=info msg="Attempting next endpoint for pull after error: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: \"<html>\\r\\n<head><title>400 No required SSL certificate was sent</title></head>\\r\\n<body bgcolor=\\\"white\\\">\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<center>No required SSL certificate was sent</center>\\r\\n<hr><center>nginx/1.15.2</center>\\r\\n</body>\\r\\n</html>\\r\\n\""
Aug 17 15:55:15 alkis-Latitude-E6530 dockerd[18438]: time="2018-08-17T15:55:15.323944310+02:00" level=error msg="Handler for POST /v1.38/images/create returned error: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: \"<html>\\r\\n<head><title>400 No required SSL certificate was sent</title></head>\\r\\n<body bgcolor=\\\"white\\\">\\r\\n<center><h1>400 Bad Request</h1></center>\\r\\n<center>No required SSL certificate was sent</center>\\r\\n<hr><center>nginx/1.15.2</center>\\r\\n</body>\\r\\n</html>\\r\\n\""
My nginx.conf:
events {
    worker_connections 1024;
}

http {
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }

    upstream docker-registry {
        server registry:5000;
    }

    server {
        listen 443 ssl; # nginx is itself a docker container. The actual port for the outside world is 5043.
        server_name my_registry.com;

        # SSL
        ssl_certificate /etc/nginx/conf.d/domain_new.crt;
        ssl_certificate_key /etc/nginx/conf.d/domain_new.key;
        #ssl_dhparam /etc/nginx/conf.d/dhparam.pem;

        # client certificate
        ssl_client_certificate /etc/nginx/conf.d/user.crt;
        # make verification optional, so we can display a 403 message to those
        # who fail authentication
        ssl_verify_client on;
        #ssl_crl /etc/nginx/conf.d/ca.crl;

        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        client_max_body_size 0; # 0 means no limit
        chunked_transfer_encoding on;

        location /v2/ {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }

            # To add basic authentication to v2 use auth_basic setting.
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

            proxy_pass http://docker-registry;
            proxy_set_header Host $http_host; # required for docker client's sake
            proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
        }

        # the following "location" section is only for testing purposes. It serves a couple of small html files.
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}
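As an added diagnostic helper (not part of the question above), the following script first checks that the client certificate pair dockerd would load from /etc/docker/certs.d/10.11.2.7:5043/ is PEM-encoded (dockerd reads PEM from that directory, so a pair exported straight from a .pfx will not load), then probes the registry's /v2/ endpoint with curl, with and without the client certificate, so that nginx's verdict can be observed independently of the docker client. It assumes a POSIX sh and curl; the directory and file names are taken from the question.

```shell
#!/bin/sh
# Diagnostic helper for an nginx mTLS front end in front of a Docker registry.
# Assumes: POSIX sh, curl, and the system CA store trusts the nginx server cert
# (the question's update-ca-certificates step); otherwise curl prints 000.

# check_client_pem CERT KEY
#   returns 0 if both files exist and look like PEM,
#   1 if a file is missing or unreadable,
#   2 if the certificate is not PEM (e.g. still DER or a .pfx/PKCS#12 bundle),
#   3 if the private key is not PEM.
check_client_pem() {
  cert="$1"; key="$2"
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 3
  return 0
}

# probe_registry HOST:PORT [CERT KEY]
#   prints the HTTP status of GET https://HOST:PORT/v2/.
#   With ssl_verify_client on (as in the question) and no client cert, nginx
#   answers 400 "No required SSL certificate was sent" during the handshake;
#   with an accepted client cert the registry's own answer (200 or 401) appears.
probe_registry() {
  hostport="$1"; cert="$2"; key="$3"
  if [ -n "$cert" ]; then
    curl -s -o /dev/null -w '%{http_code}' --cert "$cert" --key "$key" "https://$hostport/v2/"
  else
    curl -s -o /dev/null -w '%{http_code}' "https://$hostport/v2/"
  fi
}

# Usage on the host from the question (uncomment to run):
# d=/etc/docker/certs.d/10.11.2.7:5043
# check_client_pem "$d/user.cert" "$d/user.key" || echo "client pair not loadable (rc=$?)"
# echo "without cert: $(probe_registry 10.11.2.7:5043)"
# echo "with cert:    $(probe_registry 10.11.2.7:5043 "$d/user.cert" "$d/user.key")"
```

If the probe with the certificate already returns 400, the problem is between the exported certificate and nginx's ssl_client_certificate, not in the docker client.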