Configuring a Docker proxy server with Sonatype Nexus

Nexus

First of all I created a repository with the “proxy” type.

For Quay.io

Nexus repo quayio

For Docker Hub

Nexus repo dockerhub

For JFrog

Nexus repo jfrog

After that I created a repository with the “group” type and port 5000.

Nexus docker group 01

And added the repositories to the group.

Nexus docker group 02

The list of all repositories looks something like this:

Nexus repos

After that, I set up the realm to allow anonymous “docker pull”.

Nexus realm

And “Anonymous Access”

Nexus realm anonymous

The domains need to be added as insecure registries if no certificates are planned.

/etc/docker/daemon.json

I will explain a little later why the domain is also listed without a port.

{
  "insecure-registries": [
    "mydomain.loc",
    "mydomain.loc:5000"
  ],
  "disable-legacy-registry": true
}

It is possible not to list the domain as insecure, but then I would have to install the self-signed root certificate everywhere.

After changing the settings I have to restart the daemon: sudo systemctl restart docker.

After that I pulled the images:

  • nginx - from Docker Hub
  • coreos/flannel - from Red Hat registry
  • jfrog/artifactory-jcr - from JFrog registry

docker pull mydomain.loc:5000/nginx
docker pull mydomain.loc:5000/coreos/flannel:v0.13.1-rc2
docker pull mydomain.loc:5000/jfrog/artifactory-jcr
docker images
mydomain.loc:5000/jfrog/artifactory-jcr   latest        da6f84d1ad96   7 days ago    806MB
mydomain.loc:5000/nginx                   latest        35c43ace9216   2 weeks ago   133MB
mydomain.loc:5000/coreos/flannel          v0.13.1-rc2   dee1cac4dd20   5 weeks ago   64.3MB

So far, so good, but the port is upsetting me. I configured an nginx proxy to get rid of the port:

upstream registry_server { server 127.0.0.1:5000 fail_timeout=0; }

server {
  listen 80;
  server_name mydomain.loc;
  server_tokens off;
  reset_timedout_connection on;
  charset UTF-8;
  client_max_body_size 0;
  location / {
    proxy_read_timeout 900;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://registry_server/;
  }
}

It is always darkest before the dawn.

docker pull mydomain.loc/nginx
docker pull mydomain.loc/coreos/flannel:v0.13.1-rc2
docker pull mydomain.loc/jfrog/artifactory-jcr
docker images
mydomain.loc/jfrog/artifactory-jcr   latest        da6f84d1ad96   7 days ago    806MB
mydomain.loc/nginx                   latest        35c43ace9216   2 weeks ago   133MB
mydomain.loc/coreos/flannel          v0.13.1-rc2   dee1cac4dd20   5 weeks ago   64.3MB
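
The daemon.json above allows plaintext pulls from both mydomain.loc and mydomain.loc:5000. The following check is an added example, not part of the original post: it lists which image references fall under an insecure-registries entry and are pulled by tag rather than by digest. It assumes entries are matched by exact host[:port] (CIDR entries are not handled) and uses a simplified form of Docker's reference parsing; the function names and sample references are constructed for illustration.

```python
import json

# Constructed sample: the daemon.json shown on this page.
DAEMON_JSON = """
{
  "insecure-registries": ["mydomain.loc", "mydomain.loc:5000"],
  "disable-legacy-registry": true
}
"""

def registry_of(image_ref):
    """Return the registry host[:port] an image reference points at.

    Simplified rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise Docker Hub is used.
    """
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def is_pinned(image_ref):
    """True when the reference names an immutable sha256 digest."""
    return "@sha256:" in image_ref

def audit(daemon_json_text, image_refs):
    """Classify each reference by allowed transport and digest pinning."""
    config = json.loads(daemon_json_text)
    insecure = set(config.get("insecure-registries", []))
    report = []
    for ref in image_refs:
        registry = registry_of(ref)
        # Assumption: exact host[:port] match, so the port-less name
        # and the :5000 name are two separate entries.
        plaintext = registry in insecure
        report.append({
            "ref": ref,
            "registry": registry,
            "plaintext_allowed": plaintext,
            # A tag fetched without TLS is resolved by whatever answers;
            # a digest reference is verified by the client after download.
            "unpinned_over_plaintext": plaintext and not is_pinned(ref),
        })
    return report

if __name__ == "__main__":
    refs = ["mydomain.loc:5000/nginx", "mydomain.loc/nginx", "nginx"]
    for row in audit(DAEMON_JSON, refs):
        print(row)
```

References flagged as unpinned_over_plaintext are the ones to move to a digest reference or to a registry endpoint with a trusted certificate.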