DRP-70: add timeoutes as ENVs, update README.md, update nginx config (#73)
Authored-by: Bulent <bt.sezer29@gmail.com>pull/76/head 0.6.2
parent
c52c7d3741
commit
51585675e6
15
Dockerfile
15
Dockerfile
|
@ -97,5 +97,20 @@ ENV MANIFEST_CACHE_DEFAULT_TIME="1h"
|
||||||
# Should we allow actions different than pull, default to false.
|
# Should we allow actions different than pull, default to false.
|
||||||
ENV ALLOW_PUSH="false"
|
ENV ALLOW_PUSH="false"
|
||||||
|
|
||||||
|
# Timeouts
|
||||||
|
# ngx_http_core_module
|
||||||
|
ENV SEND_TIMEOUT="60s"
|
||||||
|
ENV CLIENT_BODY_TIMEOUT="60s"
|
||||||
|
ENV CLIENT_HEADER_TIMEOUT="60s"
|
||||||
|
ENV KEEPALIVE_TIMEOUT="300s"
|
||||||
|
# ngx_http_proxy_module
|
||||||
|
ENV PROXY_READ_TIMEOUT="60s"
|
||||||
|
ENV PROXY_CONNECT_TIMEOUT="60s"
|
||||||
|
ENV PROXY_SEND_TIMEOUT="60s"
|
||||||
|
# ngx_http_proxy_connect_module - external module
|
||||||
|
ENV PROXY_CONNECT_READ_TIMEOUT="60s"
|
||||||
|
ENV PROXY_CONNECT_CONNECT_TIMEOUT="60s"
|
||||||
|
ENV PROXY_CONNECT_SEND_TIMEOUT="60s"
|
||||||
|
|
||||||
# Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
|
# Did you want a shell? Sorry, the entrypoint never returns, because it runs nginx itself. Use 'docker exec' if you need to mess around internally.
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
|
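Review bot: The new `# Timeouts` block does not say what format the values take or where they end up, and the `ENV` lines are the only place the defaults live (the README in this commit points back here). The entrypoint writes each value verbatim into the `http` block of nginx.conf, so I would document that contract right above the first `ENV SEND_TIMEOUT`: `# Timeouts: nginx time values (e.g. "60s", "5m"). The entrypoint copies each one verbatim into the http block of nginx.conf, so an empty or malformed value breaks nginx startup.` It is also worth noting that `KEEPALIVE_TIMEOUT="300s"` reproduces the `keepalive_timeout 300;` line this commit removes from nginx.conf (nginx reads a bare number as seconds), so the effective default is unchanged; a one-line comment saying so saves the next reader a diff archaeology trip.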
35
README.md
35
README.md
|
@ -63,7 +63,7 @@ for this to work it requires inserting a root CA certificate into system trusted
|
||||||
## master/:latest is unstable/beta
|
## master/:latest is unstable/beta
|
||||||
|
|
||||||
- `:latest` and `:latest-debug` Docker tag is unstable, built from master, and amd64-only
|
- `:latest` and `:latest-debug` Docker tag is unstable, built from master, and amd64-only
|
||||||
- Production/stable is `0.6.1`, see [0.6.1 tag on Github](https://github.com/rpardini/docker-registry-proxy/tree/0.6.1) - this image is multi-arch amd64/arm64
|
- Production/stable is `0.6.2`, see [0.6.2 tag on Github](https://github.com/rpardini/docker-registry-proxy/tree/0.6.2) - this image is multi-arch amd64/arm64
|
||||||
- The previous version is `0.5.0`, without any manifest caching, see [0.5.0 tag on Github](https://github.com/rpardini/docker-registry-proxy/tree/0.5.0) - this image is multi-arch amd64/arm64
|
- The previous version is `0.5.0`, without any manifest caching, see [0.5.0 tag on Github](https://github.com/rpardini/docker-registry-proxy/tree/0.5.0) - this image is multi-arch amd64/arm64
|
||||||
|
|
||||||
## Also hosted on GitHub Container Registry (ghcr.io)
|
## Also hosted on GitHub Container Registry (ghcr.io)
|
||||||
|
@ -79,6 +79,7 @@ for this to work it requires inserting a root CA certificate into system trusted
|
||||||
- Expose port 3128 to the network
|
- Expose port 3128 to the network
|
||||||
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
|
- Map volume `/docker_mirror_cache` for up to `CACHE_MAX_SIZE` (32gb by default) of cached images across all cached registries
|
||||||
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
|
- Map volume `/ca`, the proxy will store the CA certificate here across restarts. **Important** this is security sensitive.
|
||||||
|
- Env `ALLOW_PUSH` : This bypasses the proxy when pushing, default to false - if kept to false, pushing will not work. For more info see this [commit](https://github.com/rpardini/docker-registry-proxy/commit/536f0fc8a078d03755f1ae8edc19a86fc4b37fcf).
|
||||||
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
|
- Env `CACHE_MAX_SIZE` (default `32g`): set the max size to be used for caching local Docker image layers. Use [Nginx sizes](http://nginx.org/en/docs/syntax.html).
|
||||||
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
|
- Env `ENABLE_MANIFEST_CACHE`, see the section on pull rate limiting.
|
||||||
- Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.
|
- Env `REGISTRIES`: space separated list of registries to cache; no need to include DockerHub, its already done internally.
|
||||||
|
@ -86,6 +87,18 @@ for this to work it requires inserting a root CA certificate into system trusted
|
||||||
- `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
|
- `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
|
||||||
- Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
|
- Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
|
||||||
- Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
|
- Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
|
||||||
|
- Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.:
|
||||||
|
- SEND_TIMEOUT : see [send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout)
|
||||||
|
- CLIENT_BODY_TIMEOUT : see [client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)
|
||||||
|
- CLIENT_HEADER_TIMEOUT : see [client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout)
|
||||||
|
- KEEPALIVE_TIMEOUT : see [keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
|
||||||
|
- PROXY_READ_TIMEOUT : see [proxy_read_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout)
|
||||||
|
- PROXY_CONNECT_TIMEOUT : see [proxy_connect_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout)
|
||||||
|
- PROXY_SEND_TIMEOUT : see [proxy_send_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout)
|
||||||
|
- PROXY_CONNECT_READ_TIMEOUT : see [proxy_connect_read_timeout](https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_read_timeout)
|
||||||
|
- PROXY_CONNECT_CONNECT_TIMEOUT : see [proxy_connect_connect_timeout](https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_connect_timeout)
|
||||||
|
- PROXY_CONNECT_SEND_TIMEOUT : see [proxy_connect_send_timeout](https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_send_timeout))
|
||||||
|
|
||||||
|
|
||||||
### Simple (no auth, all cache)
|
### Simple (no auth, all cache)
|
||||||
```bash
|
```bash
|
||||||
|
@ -93,7 +106,7 @@ docker run --rm --name docker_registry_proxy -it \
|
||||||
-p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true \
|
-p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true \
|
||||||
-v $(pwd)/docker_mirror_cache:/docker_mirror_cache \
|
-v $(pwd)/docker_mirror_cache:/docker_mirror_cache \
|
||||||
-v $(pwd)/docker_mirror_certs:/ca \
|
-v $(pwd)/docker_mirror_certs:/ca \
|
||||||
rpardini/docker-registry-proxy:0.6.1
|
rpardini/docker-registry-proxy:0.6.2
|
||||||
```
|
```
|
||||||
|
|
||||||
### DockerHub auth
|
### DockerHub auth
|
||||||
|
@ -109,7 +122,7 @@ docker run --rm --name docker_registry_proxy -it \
|
||||||
-v $(pwd)/docker_mirror_certs:/ca \
|
-v $(pwd)/docker_mirror_certs:/ca \
|
||||||
-e REGISTRIES="k8s.gcr.io gcr.io quay.io your.own.registry another.public.registry" \
|
-e REGISTRIES="k8s.gcr.io gcr.io quay.io your.own.registry another.public.registry" \
|
||||||
-e AUTH_REGISTRIES="auth.docker.io:dockerhub_username:dockerhub_password your.own.registry:username:password" \
|
-e AUTH_REGISTRIES="auth.docker.io:dockerhub_username:dockerhub_password your.own.registry:username:password" \
|
||||||
rpardini/docker-registry-proxy:0.6.1
|
rpardini/docker-registry-proxy:0.6.2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Simple registries auth (HTTP Basic auth)
|
### Simple registries auth (HTTP Basic auth)
|
||||||
|
@ -137,7 +150,7 @@ docker run --rm --name docker_registry_proxy -it \
|
||||||
-v $(pwd)/docker_mirror_certs:/ca \
|
-v $(pwd)/docker_mirror_certs:/ca \
|
||||||
-e REGISTRIES="reg.example.com git.example.com" \
|
-e REGISTRIES="reg.example.com git.example.com" \
|
||||||
-e AUTH_REGISTRIES="git.example.com:USER:PASSWORD" \
|
-e AUTH_REGISTRIES="git.example.com:USER:PASSWORD" \
|
||||||
rpardini/docker-registry-proxy:0.6.1
|
rpardini/docker-registry-proxy:0.6.2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Google Container Registry (GCR) auth
|
### Google Container Registry (GCR) auth
|
||||||
|
@ -160,7 +173,7 @@ docker run --rm --name docker_registry_proxy -it \
|
||||||
-e AUTH_REGISTRIES_DELIMITER=";;;" \
|
-e AUTH_REGISTRIES_DELIMITER=";;;" \
|
||||||
-e AUTH_REGISTRY_DELIMITER=":::" \
|
-e AUTH_REGISTRY_DELIMITER=":::" \
|
||||||
-e AUTH_REGISTRIES="gcr.io:::_json_key:::$(cat servicekey.json);;;auth.docker.io:::dockerhub_username:::dockerhub_password" \
|
-e AUTH_REGISTRIES="gcr.io:::_json_key:::$(cat servicekey.json);;;auth.docker.io:::dockerhub_username:::dockerhub_password" \
|
||||||
rpardini/docker-registry-proxy:0.6.1
|
rpardini/docker-registry-proxy:0.6.2
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configuring the Docker clients using Docker Desktop for Mac
|
## Configuring the Docker clients using Docker Desktop for Mac
|
||||||
|
@ -188,10 +201,18 @@ Environment="HTTP_PROXY=http://192.168.66.72:3128/"
|
||||||
Environment="HTTPS_PROXY=http://192.168.66.72:3128/"
|
Environment="HTTPS_PROXY=http://192.168.66.72:3128/"
|
||||||
EOD
|
EOD
|
||||||
|
|
||||||
|
### UBUNTU
|
||||||
# Get the CA certificate from the proxy and make it a trusted root.
|
# Get the CA certificate from the proxy and make it a trusted root.
|
||||||
curl http://192.168.66.72:3128/ca.crt > /usr/share/ca-certificates/docker_registry_proxy.crt
|
curl http://192.168.66.72:3128/ca.crt > /usr/share/ca-certificates/docker_registry_proxy.crt
|
||||||
echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
|
echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
|
||||||
update-ca-certificates --fresh
|
update-ca-certificates --fresh
|
||||||
|
###
|
||||||
|
|
||||||
|
### CENTOS
|
||||||
|
# Get the CA certificate from the proxy and make it a trusted root.
|
||||||
|
curl http://192.168.66.72:3128/ca.crt > /etc/pki/ca-trust/source/anchors/docker_registry_proxy.crt
|
||||||
|
update-ca-trust
|
||||||
|
###
|
||||||
|
|
||||||
# Reload systemd
|
# Reload systemd
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
|
@ -223,7 +244,7 @@ docker run --rm --name docker_registry_proxy -it
|
||||||
-p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true \
|
-p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true \
|
||||||
-v $(pwd)/docker_mirror_cache:/docker_mirror_cache \
|
-v $(pwd)/docker_mirror_cache:/docker_mirror_cache \
|
||||||
-v $(pwd)/docker_mirror_certs:/ca \
|
-v $(pwd)/docker_mirror_certs:/ca \
|
||||||
rpardini/docker-registry-proxy:0.6.1-debug
|
rpardini/docker-registry-proxy:0.6.2-debug
|
||||||
```
|
```
|
||||||
|
|
||||||
- `DEBUG=true` enables the mitmweb proxy between Docker clients and the caching layer, accessible on port 8081
|
- `DEBUG=true` enables the mitmweb proxy between Docker clients and the caching layer, accessible on port 8081
|
||||||
|
@ -234,7 +255,7 @@ docker run --rm --name docker_registry_proxy -it
|
||||||
|
|
||||||
- If you authenticate to a private registry and pull through the proxy, those images will be served to any client that can reach the proxy, even without authentication. *beware*
|
- If you authenticate to a private registry and pull through the proxy, those images will be served to any client that can reach the proxy, even without authentication. *beware*
|
||||||
- Repeat, **this will make your private images very public if you're not careful**.
|
- Repeat, **this will make your private images very public if you're not careful**.
|
||||||
- **Currently you cannot push images while using the proxy** which is a shame. PRs welcome.
|
- ~~**Currently you cannot push images while using the proxy** which is a shame. PRs welcome.~~ **SEE `ALLOW_PUSH` ENV FROM USAGE SECTION.**
|
||||||
- Setting this on Linux is relatively easy.
|
- Setting this on Linux is relatively easy.
|
||||||
- On Mac and Windows the CA-certificate part will be very different but should work in principle.
|
- On Mac and Windows the CA-certificate part will be very different but should work in principle.
|
||||||
- Please send PRs with instructions for Windows and Mac if you succeed!
|
- Please send PRs with instructions for Windows and Mac if you succeed!
|
||||||
|
|
|
@ -117,7 +117,7 @@ EOD
|
||||||
}
|
}
|
||||||
EOD
|
EOD
|
||||||
|
|
||||||
echo "Manifest caching config: ---"
|
echo -e "\nManifest caching config: ---\n"
|
||||||
cat /etc/nginx/nginx.manifest.caching.config.conf
|
cat /etc/nginx/nginx.manifest.caching.config.conf
|
||||||
echo "---"
|
echo "---"
|
||||||
|
|
||||||
|
@ -201,6 +201,33 @@ if [[ "a${DEBUG_NGINX}" == "atrue" ]]; then
|
||||||
NGINX_BIN="/usr/sbin/nginx-debug"
|
NGINX_BIN="/usr/sbin/nginx-debug"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Timeout configurations
|
||||||
|
echo "" > /etc/nginx/nginx.timeouts.config.conf
|
||||||
|
cat <<EOD >>/etc/nginx/nginx.timeouts.config.conf
|
||||||
|
# Timeouts
|
||||||
|
|
||||||
|
# ngx_http_core_module
|
||||||
|
keepalive_timeout ${KEEPALIVE_TIMEOUT};
|
||||||
|
send_timeout ${SEND_TIMEOUT};
|
||||||
|
client_body_timeout ${CLIENT_BODY_TIMEOUT};
|
||||||
|
client_header_timeout ${CLIENT_HEADER_TIMEOUT};
|
||||||
|
|
||||||
|
# ngx_http_proxy_module
|
||||||
|
proxy_read_timeout ${PROXY_READ_TIMEOUT};
|
||||||
|
proxy_connect_timeout ${PROXY_CONNECT_TIMEOUT};
|
||||||
|
proxy_send_timeout ${PROXY_SEND_TIMEOUT};
|
||||||
|
|
||||||
|
# ngx_http_proxy_connect_module - external module
|
||||||
|
proxy_connect_read_timeout ${PROXY_CONNECT_READ_TIMEOUT};
|
||||||
|
proxy_connect_connect_timeout ${PROXY_CONNECT_CONNECT_TIMEOUT};
|
||||||
|
proxy_connect_send_timeout ${PROXY_CONNECT_SEND_TIMEOUT};
|
||||||
|
EOD
|
||||||
|
|
||||||
|
echo -e "\nTimeout configs: ---"
|
||||||
|
cat /etc/nginx/nginx.timeouts.config.conf
|
||||||
|
echo -e "---\n"
|
||||||
|
|
||||||
# Upstream SSL verification.
|
# Upstream SSL verification.
|
||||||
echo "" > /etc/nginx/docker.verify.ssl.conf
|
echo "" > /etc/nginx/docker.verify.ssl.conf
|
||||||
if [[ "a${VERIFY_SSL}" == "atrue" ]]; then
|
if [[ "a${VERIFY_SSL}" == "atrue" ]]; then
|
||||||
|
@ -217,7 +244,6 @@ else
|
||||||
echo "Upstream SSL certificate verification is DISABLED."
|
echo "Upstream SSL certificate verification is DISABLED."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echo "Testing nginx config..."
|
echo "Testing nginx config..."
|
||||||
${NGINX_BIN} -t
|
${NGINX_BIN} -t
|
||||||
|
|
||||||
|
|
|
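Review bot: The heredoc at `cat <<EOD >>/etc/nginx/nginx.timeouts.config.conf` expands the ten timeout variables unquoted and unchecked, so an operator who overrides one with an empty or non-time value (e.g. `-e SEND_TIMEOUT=` via an env_file) gets `send_timeout ;` written out and only a later parse error from `${NGINX_BIN} -t` to explain it. These values come from whoever runs the container, so this is a robustness rather than an injection concern, but a short validation loop before the heredoc fails early with a message that names the offending variable; the script already uses `[[ … ]]`, so bash indirect expansion is available. The pattern below accepts single-unit nginx time values only; widen it if compound values such as `1h 30m` are wanted. As a style nit, `echo "" > …` followed by `cat <<EOD >>` could simply be `cat <<EOD >`, which also drops the stray blank first line.
```shell
# Timeout configurations
# Fail early with a readable message if any timeout is unset or is not an
# nginx time value; otherwise nginx -t later fails on a bare "send_timeout ;".
for _tmo in SEND_TIMEOUT CLIENT_BODY_TIMEOUT CLIENT_HEADER_TIMEOUT KEEPALIVE_TIMEOUT \
            PROXY_READ_TIMEOUT PROXY_CONNECT_TIMEOUT PROXY_SEND_TIMEOUT \
            PROXY_CONNECT_READ_TIMEOUT PROXY_CONNECT_CONNECT_TIMEOUT PROXY_CONNECT_SEND_TIMEOUT; do
    if [[ ! "${!_tmo}" =~ ^[0-9]+(ms|s|m|h|d|w|M|y)?$ ]]; then
        echo "ERROR: ${_tmo}='${!_tmo}' is not a valid nginx time value (e.g. 60s, 5m)" >&2
        exit 1
    fi
done
# … unchanged: heredoc writing /etc/nginx/nginx.timeouts.config.conf …
```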
@ -15,6 +15,9 @@ http {
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
# Include nginx timeout configs
|
||||||
|
include /etc/nginx/nginx.timeouts.config.conf;
|
||||||
|
|
||||||
# Use a debug-oriented logging format.
|
# Use a debug-oriented logging format.
|
||||||
log_format debugging escape=json
|
log_format debugging escape=json
|
||||||
'{'
|
'{'
|
||||||
|
@ -73,7 +76,6 @@ http {
|
||||||
'"upstream":"$upstream_addr"'
|
'"upstream":"$upstream_addr"'
|
||||||
'}';
|
'}';
|
||||||
|
|
||||||
keepalive_timeout 300;
|
|
||||||
gzip off;
|
gzip off;
|
||||||
|
|
||||||
# Entrypoint generates the proxy_cache_path here, so it is configurable externally.
|
# Entrypoint generates the proxy_cache_path here, so it is configurable externally.
|
||||||
|
@ -131,7 +133,7 @@ http {
|
||||||
# The proxy director layer, listens on 3128
|
# The proxy director layer, listens on 3128
|
||||||
server {
|
server {
|
||||||
listen 3128;
|
listen 3128;
|
||||||
server_name _;
|
server_name proxy_director_;
|
||||||
|
|
||||||
# dont log the CONNECT proxy.
|
# dont log the CONNECT proxy.
|
||||||
#access_log /var/log/nginx/access.log debug_proxy;
|
#access_log /var/log/nginx/access.log debug_proxy;
|
||||||
|
@ -199,7 +201,7 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
|
||||||
# actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
|
# actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
include /etc/nginx/caching.layer.listen;
|
include /etc/nginx/caching.layer.listen;
|
||||||
server_name _;
|
server_name proxy_caching_;
|
||||||
|
|
||||||
# Do some tweaked logging.
|
# Do some tweaked logging.
|
||||||
access_log /var/log/nginx/access.log tweaked;
|
access_log /var/log/nginx/access.log tweaked;
|
||||||
|
|
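Review bot: The rename from `server_name _;` to `server_name proxy_director_;` (and to `proxy_caching_;` in the caching-layer server) is unexplained, and the new names read like hostnames a client might be expected to send. Presumably each server is still selected because it is the only server, or the `default_server`, on its listen port, so the value is just a label that no client Host header will ever match; a comment would stop the next reader from treating it as routing, e.g. `# Not a routable name: this server is selected by its listen port, not by Host.` If the rename was made to silence a conflicting-server-name warning, say so in the same comment. The dropped `keepalive_timeout 300;` is now expected to come from the included `/etc/nginx/nginx.timeouts.config.conf`, which is fine, but a comment next to the `include` noting that the file is generated by the entrypoint at startup (as the existing `proxy_cache_path` comment does) would keep the two generated includes consistent.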