From 183b36a2dcccd45fd70bda4d389ecfa96cd1e678 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 12 Jan 2021 20:44:27 +0200
Subject: [PATCH] A more concrete Docker registry config.

2 services, the registry under /v2/ and a browsable frontend under /.
Allow uploading only from a local IP address (from the host itself).
I think that this way I can avoid having authentication and instead just
build and upload on the host.
---
 conf.d/registry.shore.co.il.conf | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/conf.d/registry.shore.co.il.conf b/conf.d/registry.shore.co.il.conf
index 07a2902..6989213 100644
--- a/conf.d/registry.shore.co.il.conf
+++ b/conf.d/registry.shore.co.il.conf
@@ -1,4 +1,5 @@
-map $host $registry { default registy; }
+map $host $registry { default registry; }
+map $host $registry_fe { default reg; }
 
 server {
     listen      80;
@@ -14,10 +15,23 @@ server {
     server_name registry.shore.co.il;
     include     snippets/ssl.conf;
 
+    location /v2/ {
+        proxy_pass                  http://$registry:5000$request_uri;
+        proxy_http_version          1.1;
+        include                     snippets/proxy-headers.conf;
+        # disable any limits to avoid HTTP 413 for large image uploads
+        client_max_body_size        0;
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding   on;
+        limit_except GET HEAD OPTIONS {
+            allow   163.172.74.36;  # ns4.shore.co.il
+            include snippets/allow-private-ips.conf;
+        }
+    }
+
     location / {
-        proxy_pass          http://$registry$request_uri;
+        proxy_pass          http://$registry_fe:8080$request_uri;
         proxy_http_version  1.1;
         include             snippets/proxy-headers.conf;
-        include             snippets/allow-private-ips.conf;
     }
 }
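Review bot: The `limit_except GET HEAD OPTIONS` block in `location /v2/` contains only `allow` rules, so pushes and deletes are refused only if `snippets/allow-private-ips.conf` (not visible here) ends with `deny all;`. Since this block is the sole control standing in for authentication, I would make it explicit by adding `deny all;` as its last line. The explicit `allow 163.172.74.36;` is a public address, which is broader than the "host itself" in the commit message, so a comment saying why that host may push would help. Source-IP rules are only as good as the address nginx sees: if this nginx runs behind Docker's userland proxy or another reverse proxy, external clients may appear with a private address and pass the check, so confirm that `$remote_addr` is the real client. GET/HEAD on `/v2/` and the frontend at `/` are now unrestricted, so every image in the registry becomes anonymously pullable; check that no image layer carries secrets.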
-- 
GitLab