docker hub 加速器要实现的要求
只允许docker-library/official-images通过加速器
控制允许通过加速器的路径：自行配置 map 选项即可
docker-compose 配置
作为 registry.k8s.io、 k8s.gcr.io、 gcr.io 的镜像缓存,
只需要把 REGISTRY_PROXY_REMOTEURL 分别换成 registry.k8s.io、k8s.gcr.io、gcr.io、quay.io 等即可
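# Pull-through cache for Docker Hub (official images only; the path filter lives in nginx).
# Indentation restored: compose files are YAML, so the nesting below is what makes
# "docker-registry" and "nginx-proxy" services of the top-level "services" mapping.
version: "3"
services:
  docker-registry:
    image: registry:2
    container_name: registry-01
    restart: always
    # "expose" only publishes 5000 on the compose network; the registry is
    # reachable solely through nginx-proxy, which does the method/path filtering.
    expose:
      - "5000"
    volumes:
      - /data/tls:/tls
      # Data directory. While this stays commented out, the cache under
      # REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY lives in the container's
      # writable layer and is lost when the container is removed.
      # - /data/data-box/docker-registry:/data
    environment:
      # Upstream to mirror; swap for registry.k8s.io, gcr.io, quay.io, ... as needed.
      - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
      # Without credentials the registry pulls from Docker Hub anonymously,
      # which is subject to the anonymous pull rate limit (see the curl check below).
      # - REGISTRY_PROXY_USERNAME=username
      # - REGISTRY_PROXY_PASSWORD=password
      - REGISTRY_HTTP_TLS_CERTIFICATE=/tls/wildcard.xiaoshuogeng.com.fullchain.pem
      - REGISTRY_HTTP_TLS_KEY=/tls/wildcard.xiaoshuogeng.com.key.pem
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data

  nginx-proxy:
    image: nginx:alpine
    container_name: nginx-proxy-docker-registry
    restart: always
    depends_on:
      - docker-registry
    # Host port 5000 -> nginx TLS listener on 443 (quoted: port mappings are strings).
    ports:
      - "5000:443"
    volumes:
      - /data/tls:/tls
      - ./default.conf:/etc/nginx/conf.d/default.conf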
nginx 配置
default.conf 配置信息
# Path allow-list: only the Docker Hub "library/" (official image) namespace and the
# /v2/ API version check pass through the accelerator; every other URI maps to 0.
# Clients therefore pull as <host>/library/<image>; presumably the docker CLI only
# prepends "library/" automatically for docker.io itself — verify with a test pull.
map $uri $allow_uri_flag {
    default 0;
    ~^/v2/$ 1;
    ~^/v2/library/ 1;
}
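# TLS front door for the pull-through cache.
# Fixes: the duplicated `proxy_set_header X-Real-IP` line is emitted once, the
# method flag variable loses its doubled "allow_allow_" prefix, and the
# security-relevant choices (read-only methods, path filter, header scope,
# unverified upstream TLS) are documented in place.
server {
    listen 443 ssl http2;
    server_name docker.xiaoshuogeng.com;
    charset utf-8;

    ssl_certificate /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Only the HSTS line carries `always`; the other add_header directives apply to
    # 2xx/3xx responses only, so they are absent from the 403/405 answers below.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer";

    # A pull-through cache is read-only: accept GET and HEAD, reject every other
    # method before the request reaches the registry.
    set $allow_request_method_flag 0;
    if ( $request_method = "GET" ) {
        set $allow_request_method_flag 1;
    }
    if ( $request_method = "HEAD" ) {
        set $allow_request_method_flag 1;
    }
    if ( $allow_request_method_flag != 1 ) {
        return 405 '{"status":"405","result":"请求方法不允许","message":"405"}';
    }
    # $allow_uri_flag is set by the map above: only /v2/ and /v2/library/... pass.
    if ( $allow_uri_flag != 1 ) {
        return 403 '{"status":"403","result":"请求URI不允许","message":"403"}';
    }

    location / {
        # Upstream is the registry service on the compose network (TLS on 5000).
        proxy_pass https://docker-registry:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Range/If-Range are forwarded so resumable blob downloads keep working.
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header User-Agent $http_user_agent;
        proxy_pass_request_headers on;
        proxy_pass_request_body on;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_http_version 1.1;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): the upstream certificate is not verified. The registry is
        # only reachable on the private compose network, and its certificate is the
        # wildcard.xiaoshuogeng.com one, which would not match the "docker-registry"
        # service name — presumably why verification is off. If the registry is ever
        # moved off this network, enable proxy_ssl_verify with proxy_ssl_trusted_certificate
        # and proxy_ssl_name.
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }
}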
# Catch-all HTTPS server: connections whose SNI is not docker.xiaoshuogeng.com
# are refused during the TLS handshake, so no certificate is configured here
# (ssl_reject_handshake needs nginx 1.19.4 or newer).
server {
    server_name _;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Reject the handshake outright instead of answering with a certificate.
    ssl_reject_handshake on;
    # 444: close the connection without a response if a request ever gets here.
    return 444;
}
# Plain-HTTP catch-all: nothing is served over port 80, the connection is simply
# closed (444) — there is no redirect to HTTPS, by design.
server {
    server_name _;
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}
阻止服务被滥用的办法: nginx IP地址白名单机制
在nginx的 default.conf 文件中添加如下配置
IP 白名单机制
下面介绍2种方法
# Method 1: source-address allow-list via a map variable.
# The map belongs in the http context (next to the $allow_uri_flag map at the top
# of default.conf); the if block goes inside the server block.
# map compares $remote_addr as a literal string, so CIDR ranges cannot be listed
# here — for ranges use the geo module, or method 2 (allow/deny) below.
map $remote_addr $allow_client_ip_flag {
    default 0;
    42.83.144.13 1;
}

# Handling for addresses outside the allow-list
if ( $allow_client_ip_flag != 1 ) {
    return 403 '{"status":"403","result":"ip is refused","message":"403"}';
}
# Method 2: the access module. Place inside the server (or location) block;
# rules are evaluated in order and the first match wins, so `deny all` stays last.
# Private ranges (RFC 1918)
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.1.0/24;
# Single public address
allow 42.83.144.13;
# Everything else is refused with 403
deny all;
备注
nginx 的以下这些配置项可以省略
# Directives from the location / block above that the author considers optional.
# NOTE(review): some of these restate nginx defaults (proxy_pass_request_headers and
# proxy_pass_request_body are on by default, proxy_ssl_verify off, proxy_ssl_session_reuse on),
# so dropping them changes nothing. Others do change the upstream connection when removed:
# proxy_http_version (default 1.0), the 30s timeouts (default 60s), proxy_ssl_protocols
# and proxy_ssl_server_name (default off) — confirm against the nginx version in use.
proxy_set_header User-Agent $http_user_agent;
proxy_pass_request_headers on;
proxy_pass_request_body on;
proxy_read_timeout 30s;
proxy_send_timeout 30s;
proxy_http_version 1.1;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_verify off;
proxy_ssl_session_reuse on ;
proxy_ssl_server_name on ;
辅助工具：获取 nginx 默认配置文件
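#!/bin/bash
# Helper: copy nginx's default configuration files out of the nginx:alpine image
# into ./conf (next to this script) to use as a starting point for default.conf.
#
# A throw-away container is created (never started), the files are copied out,
# and the container is removed again — also when a step fails under `set -e`.
# Fixes: variables are quoted, $(...) replaces backticks, the unused __CURRENT__
# is gone, and cleanup runs from a trap instead of only on the happy path.
set -eux

__DIR__=$(cd "$(dirname "$0")" && pwd)
cd "$__DIR__"
mkdir -p conf

# `docker create` prints the new container ID without starting the container.
container_id=$(docker create nginx:alpine)
# Remove the temporary container on exit, even if a `docker cp` below fails.
trap 'docker rm "$container_id" >/dev/null' EXIT

docker cp "$container_id:/etc/nginx/nginx.conf" conf/nginx.conf
docker cp "$container_id:/etc/nginx/mime.types" conf/mime.types
docker cp "$container_id:/etc/nginx/conf.d/default.conf" conf/default.conf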
小工具：查看镜像拉取速率和拉取次数限制
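# Request an anonymous pull token for the special ratelimitpreview/test repository.
# -fsS: fail on HTTP errors (so jq does not parse an error page), no progress bar,
# but still print curl's own error messages.
TOKEN=$(curl -fsS "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
# Check the limit: the ratelimit-limit / ratelimit-remaining response headers show the
# pull quota for this token. Anonymous tokens are limited per source IP; log in and
# request the token with credentials for the per-account figure. A HEAD request here
# does not consume a pull.
curl -fsS --head -H "Authorization: Bearer $TOKEN" "https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest"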