文档说明:只记录关键地方;
缘由: 折腾使用了各种各样的拉取镜像的办法,虽然实现了目的,但是耗费了大量的时间,同时随着时间的推移,很多办法逐渐失效了。决定自己实现
目的: 方便快捷的拉取容器镜像
试验环境: Linux Debian 11, Docker
目标:实现能拉取 registry.k8s.io、 k8s.gcr.io、 gcr.io、 quay.io、 ghcr.io 容器镜像的服务
准备 nginx 配置文件 nginx.conf
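# CONNECT HOST 允许通过代理的域名 — whitelist of hosts reachable through the
# forward proxy. Keyed on $host: map tests the exact string entries first and
# only then the `~` regexes, in the order written. nginx lowercases $host, so
# the case-sensitive `~` prefix is sufficient.
# NOTE(review): the page matches the CONNECT target via $host; confirm on this
# build that $host is populated for CONNECT requests — the proxy_connect
# module also exposes $connect_host for exactly this purpose.
map $host $tls_proxy_allow_url_flag {
    default 0;

    # Exactly one label in front of the suffix (foo.googlesource.com, not
    # a.b.googlesource.com). Character class is `[\w-]`: the earlier
    # `[\w|-]` also admitted a literal '|' because '|' inside a class is not
    # alternation; '|' is never a valid hostname character, and the unused
    # capture group with the lazy `+?` was dropped for the same reason.
    ~^[\w-]+\.googlesource\.com$            1;
    ~^[\w-]+\.googleapis\.com$              1;
    ~^chrome-infra-packages\.appspot\.com$  1;

    # Docker Hub endpoints
    registry-1.docker.io                    1;
    auth.docker.io                          1;
    production.cloudflare.docker.com        1;

    # Registries named in the document's goal. gcr.io is listed there as a
    # target but is not whitelisted here — presumably intentional; confirm
    # before adding it, since every entry widens what the proxy will reach.
    k8s.gcr.io                              1;
    registry.k8s.io                         1;
    ghcr.io                                 1;
    quay.io                                 1;
}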
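## 服务器允许的客户端IP白名单 — client addresses that bypass the host
## whitelist (the server block later sets $tls_proxy_allow_url_flag to 1 for
## them, so they may CONNECT to any host on the allowed ports).
## geo is nginx's address-matching counterpart of map: it compares by address
## rather than by string, so entries may also be CIDR blocks (e.g.
## 10.0.0.0/8) and a bare address is treated as /32. The two entries below
## behave exactly as the previous string-keyed map did.
## NOTE(review): this authorises whatever peer nginx sees in $remote_addr; if
## a load balancer or CDN sits in front, that is the balancer's address, not
## the client's, and geo's `proxy` directive / ngx_http_realip_module would
## be needed — confirm the deployment topology.
geo $remote_addr $allow_remote_addr_flag {
    default         0;
    182.131.26.231  1;
    42.83.144.13    1;
}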
server {
listen 443;
server_name http-proxy.xiaoshuogeng.com;
ssl_certificate /tls/wildcard.xiaoshuogeng.com.fullchain.pem;
ssl_certificate_key /tls/wildcard.xiaoshuogeng.com.key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# dns resolver used by forward proxying
resolver 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 8.8.8.8 8.8.4.4 ;
# forward proxy for CONNECT request
proxy_connect;
proxy_connect_allow 443 80;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# 白名单里的IP允许通过代理服务器
if ( $allow_remote_addr_flag = 1 ) {
set $tls_proxy_allow_url_flag 1 ;
}
# 控制允许通过的域名
# forward proxy for non-CONNECT request
if ( $tls_proxy_allow_url_flag != 1) {
return 403 '{"status":"403","result":"no allow","message":"403"}';
}
location / {
charset utf-8;
default_type text/plain;
return 200 'yeah
From: https://www.cnblogs.com/jingjingxyk/p/16830185.html