
https_registry

Date: 2022-11-19 00:55:07
Tags: domain https crt ca certs registry key

Download the certificate


mkdir cert

cd cert

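# Note: this transfer uses plain HTTP, so the password and the private key inside the zip cross the network unencrypted; -u also leaves the password in shell history.
curl -u admin:brysjhhrhL356126155165352237656123165615 -o test_zk_cert.zip  http://192.168.63.100:50000/remote.php/webdav/Documents/cert/5900588_test.zk.limengkai.work_other.zip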

apt  install  unzip  -y

unzip test_zk_cert.zip 

ls
# 5900588_test.zk.limengkai.work.key  5900588_test.zk.limengkai.work.pem

mkdir -p certs
cat 5900588_test.zk.limengkai.work.pem > certs/domain.crt
cat 5900588_test.zk.limengkai.work.key > certs/domain.key


#   -v "$(pwd)"/certs:/certs \

# /mnt/registry_certs:/certs

cp -a ./certs/ /work_continer_data/mnt/register_certs


# Add the volume mapping in the compose file
# docker -v /work_continer_data/mnt/register_certs:/certs

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest


# docker compose
environment:
  - RACK_ENV=development
  - SHOW=true
  - SESSION_SECRET


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

Generate your own certificate


/etc/ssl
Edit openssl.cnf and add the following under [v3_ca]: subjectAltName = IP:<IP address> (use DNS:<domain name> for a domain name)

[ v3_ca ]
subjectAltName = IP:192.168.164.180


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout my.key -out my.pem


openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout domain.key -out domain.crt


docker rm -f registry

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry.cn-hangzhou.aliyuncs.com/mkmk/all:registry-latest

docker logs registry


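Generate a CA certificate

Steps to generate the CA root certificate
Generate the CA private key (.key) --> generate the CA certificate signing request (.csr) --> self-sign to obtain the root certificate (.crt) (a certificate the CA issues to itself).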

 

# Generate CA private key 
openssl genrsa -out ca.key 2048 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate the self-signed certificate (CA root certificate)

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

mkdir certs
cat ca.key > certs/domain.key
cat ca.crt > certs/domain.crt
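
The following added example, not from the original post, goes one step beyond the CA steps above: it signs a separate server certificate with the CA, so that ca.key never has to be mounted into the registry container. The function names, the CN values and the temporary directory are assumptions; the IP is the one used earlier on this page.

```shell
#!/bin/sh
# Added example: issue the registry's certificate from a private CA so that
# ca.key stays off the registry host. Names and paths here are assumptions.

# Same three steps as above (key -> CSR -> self-signed root), plus explicit
# CA extensions so verifiers accept the root as a certificate authority.
make_ca() {  # usage: make_ca DIR  -> DIR/ca.key, DIR/ca.crt
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext" &&
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/ca.key" -subj "/CN=Example Registry CA" \
        -out "$1/ca.csr" &&
    openssl x509 -req -days 365 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

# Server key pair signed by the CA; SAN is e.g. DNS:host or IP:address.
issue_server_cert() {  # usage: issue_server_cert DIR SAN
    mkdir -p "$1/certs" &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$2" > "$1/server.ext" &&
    openssl genrsa -out "$1/certs/domain.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/certs/domain.key" -subj "/CN=registry" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/certs/domain.crt" 2>/dev/null
}

# Succeeds when DIR/certs/domain.crt chains to CA_CRT as a TLS server cert.
chain_ok() {  # usage: chain_ok DIR CA_CRT
    openssl verify -purpose sslserver -CAfile "$2" "$1/certs/domain.crt" \
        >/dev/null 2>&1
}

# Constructed run in a throwaway directory, using the IP from this page.
work=$(mktemp -d)
make_ca "$work" && issue_server_cert "$work" "IP:192.168.164.180" &&
    chain_ok "$work" "$work/ca.crt" && echo "server certificate chains to ca.crt"
```

With this layout, ca.crt is the file distributed to Docker hosts, and only certs/domain.crt and certs/domain.key are mounted into the registry.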


Use self-signed certificates

Warning: Using this along with basic authentication also requires you to trust the certificate in the OS cert store for some versions of Docker (see below).

This is more secure than the insecure registry solution.

Generate your own certificate:


$ mkdir -p certs

$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:myregistry.domain.com" \
  -x509 -days 365 -out certs/domain.crt


  # -addext "subjectAltName = IP:192.168.164.180" \


Be sure to use the name myregistry.domain.com as a CN, matching the subjectAltName in the command above.

Use the result to start your registry with TLS enabled.

Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.


Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistry.domain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.

Windows Server:

Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options:

Store location: local machine
Place all certificates in the following store: selected
Click Browse and select Trusted Root Certificate Authorities.

Click Finish. Restart Docker.

Docker Desktop for Mac: Follow the instructions in Adding custom CA certificates. Restart Docker.

Docker Desktop for Windows: Follow the instructions in Adding custom CA certificates. Restart Docker.
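
An added check, not part of the original post or of the Docker documentation quoted above: before starting the registry, confirm that certs/domain.key belongs to certs/domain.crt and that the name or IP clients will use appears in subjectAltName. The function names, the placeholder host myregistry.example.test and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example: checks to run on certs/ before `docker run` (IPv4 and DNS only).

# Succeeds when the certificate and the private key hold the same public key.
key_matches_cert() {  # usage: key_matches_cert CRT KEY
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only when NAME is listed in subjectAltName (exact entries, no
# wildcard matching). The CN is deliberately not consulted: Go-based clients
# such as Docker validate against SAN entries.
cert_covers() {  # usage: cert_covers CRT NAME_OR_IPV4
    case $2 in
        *[!0-9.]*) entry="DNS:$2" ;;
        *)         entry="IP Address:$2" ;;
    esac
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fqx -- "$entry"
}

# Returns 0 when DIR/domain.crt and DIR/domain.key are usable for NAME.
registry_cert_preflight() {  # usage: registry_cert_preflight DIR NAME_OR_IPV4
    key_matches_cert "$1/domain.crt" "$1/domain.key" ||
        { echo "domain.key does not match domain.crt" >&2; return 1; }
    cert_covers "$1/domain.crt" "$2" ||
        { echo "no subjectAltName entry for $2" >&2; return 2; }
    openssl x509 -in "$1/domain.crt" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 3; }
}

# Constructed sample: throwaway certificate for a placeholder host name.
demo=$(mktemp -d)
openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -subj "/CN=myregistry.example.test" \
    -addext "subjectAltName = DNS:myregistry.example.test" \
    -keyout "$demo/domain.key" -out "$demo/domain.crt" 2>/dev/null
registry_cert_preflight "$demo" myregistry.example.test && echo "preflight ok"
```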
From: https://www.cnblogs.com/ltgybyb/p/16905328.html
