Setting up Nginx and Docker to work with multiple Artifactory repositories

Here is an example NGINX configuration that serves two different Docker repositories (for example, a local and a remote repository):

    server {
        # TLS is enabled with the ssl parameter of listen (the standalone "ssl on;" directive is deprecated)
        listen 443 ssl;
        server_name artprod2.company.com;

        #ssl_certificate /etc/ssl/certs/artprod2.company.com.crt;
        #ssl_certificate_key /etc/ssl/private/artprod2.company.com.key;
        ssl_certificate /home/idan/Documents/Docker/docker-registry.com.crt;
        ssl_certificate_key /home/idan/Documents/Docker/docker-registry.com.key;
        access_log /var/log/nginx/artprod2.company.com.access.log;
        error_log /var/log/nginx/artprod2.company.com.error.log;

        # headers passed on to Artifactory with each proxied request
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_read_timeout 900;

        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location /v2 {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            proxy_pass http://artprod2.company.com:8085/artifactory/api/docker/docker-remote/v2;
        }
    }

    server {
        # TLS is enabled with the ssl parameter of listen (the standalone "ssl on;" directive is deprecated)
        listen 444 ssl;
        server_name artprod2.company.com;

        #ssl_certificate /etc/ssl/certs/artprod2.company.com.crt;
        #ssl_certificate_key /etc/ssl/private/artprod2.company.com.key;
        ssl_certificate /home/idan/Documents/Docker/docker-registry.com.crt;
        ssl_certificate_key /home/idan/Documents/Docker/docker-registry.com.key;
        access_log /var/log/nginx/artprod2.company.com.access.log;
        error_log /var/log/nginx/artprod2.company.com.error.log;

        # the Host header carries the non-default port so Artifactory sees the same host:port the client used
        proxy_set_header Host $host:444;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_read_timeout 900;

        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location /v2 {
            # Do not allow connections from docker 1.5 and earlier
            # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
            if ($http_user_agent ~ "^(docker/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }

            proxy_pass http://artprod2.company.com:8085/artifactory/api/docker/docker-local2/v2;
        }
    }

Port 444 deploys artifacts to the local repository named "docker-local2", and port 443 is configured to work with the remote repository "docker-remote". With this configuration in place, an image that should be pushed to docker-local2 (through port 444) needs to be tagged with that port:

    docker tag nginx artprod2.company.com:444/nginx

This requires adding the credentials for this port to the dockercfg file:

    curl -u{user}:{password} "https://{server_name}/{version-Docker}/auth"

For example:

    curl -uadmin:password "https://artprod2.company.com/v2/auth"

The output of this command needs to be added to the dockercfg file:

    {
        "https://artprod2.company.com" : {
            "auth" : "YWRtaW46QVA4dlZWUWp2Z0M2NjFuVHNxcUoxUGdrR1Zq",
            "email" : ""
        },
        "https://artprod2.company.com:444" : {
            "auth" : "dGVzdDpBUDROcTlSMnhaTW1yR3JY",
            "email" : ""
        }
    }
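
The dockercfg layout above, as an added example (not part of the original article or of Artifactory's tooling): a Python helper that writes one entry per registry host:port, as the port-444 repository requires, and keeps the file owner-only because the "auth" value is only Base64 of user:secret. The function names and the secrets are constructed for illustration, and the legacy dockercfg format shown above is assumed.

```python
import base64
import json
import os
import tempfile

def registry_key(host, port=443):
    """dockercfg key for a registry; the default HTTPS port is left out."""
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"

def add_registry_auth(cfg_path, host, port, user, secret):
    """Add or replace one registry entry, keeping the file owner-only."""
    cfg = {}
    if os.path.exists(cfg_path):
        with open(cfg_path) as fh:
            cfg = json.load(fh)
    # "auth" is Base64 of user:secret: an encoding, not encryption.
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    cfg[registry_key(host, port)] = {"auth": token, "email": ""}
    # mkstemp creates the file with mode 0600; the rename is atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(cfg_path)))
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.replace(tmp, cfg_path)
    return cfg

def audit(cfg_path):
    """Return ([(registry, username)], readable_by_group_or_other)."""
    with open(cfg_path) as fh:
        cfg = json.load(fh)
    users = sorted((reg, base64.b64decode(entry["auth"]).decode().split(":", 1)[0])
                   for reg, entry in cfg.items())
    return users, bool(os.stat(cfg_path).st_mode & 0o077)

def demo():
    """Constructed credentials for the two ports used in this article."""
    path = os.path.join(tempfile.mkdtemp(), "dockercfg")
    add_registry_auth(path, "artprod2.company.com", 443, "admin", "example-secret-1")
    add_registry_auth(path, "artprod2.company.com", 444, "test", "example-secret-2")
    return audit(path)

if __name__ == "__main__":
    print(demo())
```

The audit step recovers each username straight from the stored value, which is why the file should be treated like a plaintext password file.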

 

After completing these configuration steps, you can push the image to Artifactory.

For the repository that is configured for the 444 port:

    docker push artprod2.company.com:444/nginx

For the repository that is configured for the 443 port:

    docker push artprod2.company.com/nginx

This pushes the image to the defined repository in Artifactory (in this example docker-local2, which is configured for the 444 port).