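Introduction: pushing to Harbor through the domain name fails with a "no push permission" error
Access goes through nginx, with both port 80 and port 443 forwarded to Harbor's port 80. I do not have permission to change the DNS records, so this is the only way I can set it up.
The symptom: with the domain name, docker login and pull work fine, but push fails. With the IP address, login, pull and push all work.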
nginx configuration
```nginx
# HTTP Server
server {
    listen 80;
    server_name harbor.deepwise.com;
    location / {
        proxy_pass http://10.10.3.246;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
# HTTPS Server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name harbor.deepwise.com;
    access_log /var/log/nginx/harbor-access.log;
    error_log /var/log/nginx/harbor-error.log;
    keepalive_timeout 60;
    #ssl on; needs to be commented out on older versions
    ssl_certificate /etc/nginx/conf.d/ssl/deepwise.com.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/deepwise.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    server_tokens off;
    client_max_body_size 0;
    location / {
        proxy_pass http://10.10.3.246;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
```
harbor.yaml
```yaml
hostname: 10.10.3.246
http:
  port: 80
harbor_admin_password: password
database:
  password: Deepwise1718
  max_idle_conns: 50
  max_open_conns: 100
data_volume: /fc_san/harbor-update
clair:
  updaters_interval: 12
trivy:
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.0.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair
    - trivy
auth_mode: ldap_auth
```
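Edit common/config/nginx/nginx.conf under the directory that contains harbor.yml and comment out every proxy_set_header X-Forwarded-Proto $scheme; line.
Tested: this did not work.
Change proxy_set_header X-Forwarded-Proto $scheme; to proxy_set_header X-Forwarded-Proto https
That works!
Some sources say that during login the session happens only once and runs entirely over HTTPS, so no problem shows up. That also explains why login, pull and push all work with the IP address (I added the IP address to insecure-registries).
A push, on the other hand, has two steps:
- Verification: similar to login, with one extra step that looks up your permissions;
- Push: this is exactly where it goes wrong, because this step goes over HTTP. The file with the relevant rules: (https://github.com/docker/dist … ls.go )
The request that goes out again over HTTP is treated as a 401, which produces the error above.
However, this change means push by IP address no longer works.
Once I have the permissions, I will test using Harbor's own ports 80 and 443 directly.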
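A way to see the mismatch described above, as an added example that is not part of the original post: the function compares the absolute URLs a registry response hands back (the Location header of a blob-upload response, the realm in Www-Authenticate) with the URL the client connected to. The sample headers, repository name and upload id are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: headers of the 202 response that starts a blob upload,
# assuming the inner proxy sends X-Forwarded-Proto http (BROKEN) or https (FIXED).
BROKEN = {"Location": "http://harbor.deepwise.com/v2/library/demo/blobs/uploads/upload-id-placeholder"}
FIXED = {"Location": "https://harbor.deepwise.com/v2/library/demo/blobs/uploads/upload-id-placeholder"}
RELATIVE = {"Location": "/v2/library/demo/blobs/uploads/upload-id-placeholder"}


def followed_urls(headers):
    """Yield (header, url) for every URL the docker client will follow."""
    for name, value in headers.items():
        if name.lower() == "location":
            yield name, value
        elif name.lower() == "www-authenticate":
            match = re.search(r'realm="([^"]+)"', value)
            if match:
                yield name, match.group(1)


def check_registry_urls(external_url, headers):
    """Return (header, field, got, expected) for each URL that leaves the
    scheme or host the client connected with. Relative URLs are skipped:
    the client resolves them against the URL it already used."""
    expected = urlsplit(external_url)
    findings = []
    for name, url in followed_urls(headers):
        got = urlsplit(url)
        if not got.scheme:
            continue
        if got.scheme != expected.scheme:
            findings.append((name, "scheme", got.scheme, expected.scheme))
        if got.hostname != expected.hostname:
            findings.append((name, "host", got.hostname, expected.hostname))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED), ("relative", RELATIVE)):
        print(label, check_registry_urls("https://harbor.deepwise.com", sample))
```

Checking the FIXED sample against an external URL of http://10.10.3.246 reports the opposite mismatch, which matches the observation that hard-coding https breaks push by IP address.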
https://dockone.io/article/865