docker - Accessing Docker Hub behind Nginx
Problem description
I am trying to access Docker Hub through an nginx proxy.
Below is my nginx proxy configuration.
    server {
        listen 800 ssl;
        ssl on;
        server_name nginx2;
        client_max_body_size 0;
        ssl_protocols SSLv3 SSLv2 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_certificate ssl/cert.pem;
        ssl_certificate_key ssl/cert.key;
        location / {
            proxy_pass https://{dockerhub_host};
            proxy_ssl_server_name on;
            proxy_set_header Host $http_host; # Required for Docker client sake
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
        }
    }
I have tried both registry-1.docker.io and hub.docker.com in place of {dockerhub_host} in the configuration.
Now I try to log in to Docker Hub with the following command.
docker login localhost:800
It throws the following error:
Error response from daemon: login attempt to http://localhost:800/v2/ failed with status: 400 Bad Request
Below are the logs from the nginx proxy:
proxy_1 | 2018/06/12 22:24:42 [error] 5#5: *1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://34.232.188.57:80/v2/", host: "localhost:800"
proxy_1 | 2018/06/12 22:24:42 [warn] 5#5: *1 upstream server temporarily disabled while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://34.232.188.57:80/v2/", host: "localhost:800"
proxy_1 | 2018/06/12 22:24:42 [error] 5#5: *1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://52.3.45.201:80/v2/", host: "localhost:800"
proxy_1 | 2018/06/12 22:24:42 [warn] 5#5: *1 upstream server temporarily disabled while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://52.3.45.201:80/v2/", host: "localhost:800"
proxy_1 | 2018/06/12 22:24:42 [error] 5#5: *1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://54.209.102.157:80/v2/", host: "localhost:800"
proxy_1 | 2018/06/12 22:24:42 [warn] 5#5: *1 upstream server temporarily disabled while SSL handshaking to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://54.209.102.157:80/v2/", host: "localhost:800"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:24:42 +0000] "GET /v2/ HTTP/1.1" 502 173 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 2018/06/12 22:24:42 [error] 5#5: *5 no live upstreams while connecting to upstream, client: 172.21.0.1, server: nginx2, request: "GET /v2/ HTTP/1.1", upstream: "https://docker_host/v2/", host: "localhost:800"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:24:42 +0000] "GET /v2/ HTTP/1.1" 502 173 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:24:42 +0000] "GET /v2/ HTTP/1.1" 400 271 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:24:42 +0000] "GET /v2/ HTTP/1.1" 400 271 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
At first I thought the error was raised because port 80 was being accessed. So I explicitly set the port to 443, for example:
>proxy_pass https://hub.docker.com:443
>proxy_pass https://registry-1.docker.io:443
Now I tried the login command. I still see the same error. Below are the logs from the nginx proxy:
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:33:09 +0000] "GET /v2/ HTTP/1.1" 503 119 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:33:09 +0000] "GET /v2/ HTTP/1.1" 503 119 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:33:09 +0000] "GET /v2/ HTTP/1.1" 400 271 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [12/Jun/2018:22:33:09 +0000] "GET /v2/ HTTP/1.1" 400 271 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
Output of docker version
Client:
Version: 18.03.1-ce
API version: 1.37
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:13:02 2018
OS/Arch: darwin/amd64
Experimental: false
Orchestrator: swarm
Server:
Engine:
Version: 18.03.1-ce
API version: 1.37 (minimum version 1.12)
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:22:38 2018
OS/Arch: linux/amd64
Experimental: true
Output of docker info
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 44
Server Version: 18.03.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 4.9.87-linuxkit-aufs
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.952GiB
Name: linuxkit-025000000001
ID: OCVQ:XRBF:3H7P:PB3A:YQUH:FU2O:6BVB:BMHR:G7HX:UK63:SDKU:NPVI
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 39
Goroutines: 63
System Time: 2018-06-13T23:16:57.569645612Z
EventsListeners: 3
HTTP Proxy: docker.for.mac.http.internal:3128
HTTPS Proxy: docker.for.mac.http.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Update
With the help of Tarun's solution, I got the login working. I am now trying to pull/push images to the hub.docker.com site, but with no luck.
> docker push localhost:800/nadella/hello-world
Error:
The push refers to repository [localhost:800/nadella/helloworld]
2b8cbd0846c5: Pushing [==================================================>] 3.584kB
unauthorized: authentication required
Logs:
proxy_1 | 172.21.0.1 - - [14/Jun/2018:04:57:26 +0000] "POST /v2/nadella/helloworld/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [14/Jun/2018:05:00:09 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [14/Jun/2018:05:00:10 +0000] "HEAD /v2/nadella/helloworld/blobs/sha256:9bb5a5d4561a5511fa7f80718617e67cf2ed2e6cdcd02e31be111a8d0ac4d6b7 HTTP/1.1" 404 0 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [14/Jun/2018:05:00:11 +0000] "POST /v2/nadella/helloworld/blobs/uploads/?from=helloworld&mount=sha256%3A9bb5a5d4561a5511fa7f80718617e67cf2ed2e6cdcd02e31be111a8d0ac4d6b7 HTTP/1.1" 401 307 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
proxy_1 | 172.21.0.1 - - [14/Jun/2018:05:00:11 +0000] "POST /v2/nadella/helloworld/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/18.03.1-ce go/go1.9.5 git-commit/9ee9f40 kernel/4.9.87-linuxkit-aufs os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.1-ce \x5C(darwin\x5C))" "-"
I looked at ~/.docker/config.json
    {
        "auths": {
            "localhost:800": {}
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/18.03.1-ce (darwin)"
        },
        "credsStore": "osxkeychain"
    }
I even added "https://index.docker.io/v1/": {} to the config file and checked. But it didn't work.
Solution
The only thing you need is the below
    location / {
        proxy_pass https://registry-1.docker.io:443;
    }
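There is no need to send the rest of the headers, as you would do that when it is your own service. And then it works.
Update 1
You also need to pass the Authorization header along with the request, using the config below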
    location / {
        client_max_body_size 1024M;
        proxy_pass https://registry-1.docker.io:443;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        proxy_redirect https://registry-1.docker.io $scheme://$http_host;
    }
Once you do that, it works like a charm.
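The answer's location block placed back into the question's server block, as an added example that is not part of the original question or answer. It drops the legacy protocol versions from the client-facing listener and turns on upstream certificate verification, since this hop carries the client's Authorization header. The CA bundle path, the verify depth and the choice of TLS versions are assumptions; everything else comes from the page.

```nginx
# Added example: consolidated server block (not the asker's or answerer's config).
server {
    listen 800 ssl;                       # "ssl" on listen makes "ssl on;" unnecessary
    server_name nginx2;

    ssl_certificate     ssl/cert.pem;     # paths as in the question
    ssl_certificate_key ssl/cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3;  # assumption: SSLv2, SSLv3, TLSv1, TLSv1.1 removed

    location / {
        client_max_body_size 1024M;       # value from the answer; image layers are large

        proxy_pass https://registry-1.docker.io:443;

        # No "proxy_set_header Host $http_host;" here. Without it nginx sends
        # $proxy_host (the proxy_pass host) upstream instead of "localhost:800".

        # From the answer: forward the client's Authorization header.
        proxy_set_header  Authorization $http_authorization;
        proxy_pass_header Authorization;

        # From the answer: rewrite upstream Location headers so that
        # follow-up requests come back through this proxy.
        proxy_redirect https://registry-1.docker.io $scheme://$http_host;

        # Assumption: verify the upstream certificate. nginx does not verify
        # upstream certificates unless proxy_ssl_verify is enabled.
        proxy_ssl_server_name         on;  # send SNI for the proxy_pass host
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;   # assumed; allows for intermediate CAs
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed Debian/Ubuntu bundle path
    }
}
```

Running `nginx -t` checks the syntax before a reload.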