基于前辈们整理使用 CF和nginx代理dockerHub

由于众所周知的原因,国内无法访问docker仓库，且目前很多国内镜像网站也不能使用了，想着于其到处去找镜像网站还如自己搭一个，一劳永逸。

根据各位飞友们的喂饭教程和网上的教程最后选择使用cf代理和海外服务器nginx代理，最后实现可一套配置代理多个镜像仓库

1. cf代理

根据多个代码稍微修改而来主要功能

默认域名访问会显示教程

可以多个域名代理多个仓库

// _worker.js

// Docker镜像仓库主机地址
let hub_host = 'registry-1.docker.io';
// Docker认证服务器地址
const auth_url = 'https://auth.docker.io';
let 屏蔽爬虫UA = ['netcraft'];

// 根据主机名选择对应的上游地址
function routeByHosts(host) {
	// 定义路由cr
	const routes = {
		// 生产环境
		"quay": "quay.io",
		"gcr": "gcr.io",
		"k8s-gcr": "k8s.gcr.io",
		"k8s": "registry.k8s.io",
		"ghcr": "ghcr.io",
		"cloudsmith": "docker.cloudsmith.io",
		"nvcr": "nvcr.io",
		
		// 测试环境
		"test": "registry-1.docker.io",
	};

	if (host in routes) return [ routes[host], false ];
	else return [ hub_host, true ];
}

/** @type {RequestInit} */
const PREFLIGHT_INIT = {
	// 预检请求配置
	headers: new Headers({
		'access-control-allow-origin': '*', // 允许所有来源
		'access-control-allow-methods': 'GET,POST,PUT,PATCH,TRACE,DELETE,HEAD,OPTIONS', // 允许的HTTP方法
		'access-control-max-age': '1728000', // 预检请求的缓存时间
	}),
}

/**
 * 构造响应
 * @param {any} body 响应体
 * @param {number} status 响应状态码
 * @param {Object<string, string>} headers 响应头
 */
function makeRes(body, status = 200, headers = {}) {
	headers['access-control-allow-origin'] = '*' // 允许所有来源
	return new Response(body, { status, headers }) // 返回新构造的响应
}

/**
 * 构造新的URL对象
 * @param {string} urlStr URL字符串
 */
function newUrl(urlStr) {
	try {
		return new URL(urlStr) // 尝试构造新的URL对象
	} catch (err) {
		return null // 构造失败返回null
	}
}

function isUUID(uuid) {
	// 定义一个正则表达式来匹配 UUID 格式
	const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
	
	// 使用正则表达式测试 UUID 字符串
	return uuidRegex.test(uuid);
}

export default {
	async fetch(request, env, ctx) {
		const getReqHeader = (key) => request.headers.get(key); // 获取请求头

		let url = new URL(request.url); // 解析请求URL
		const userAgentHeader = request.headers.get('User-Agent');
		const userAgent = userAgentHeader ? userAgentHeader.toLowerCase() : "null";
		if (env.UA) 屏蔽爬虫UA = 屏蔽爬虫UA.concat(await ADD(env.UA));
		const workers_url = `https://${url.hostname}`;
		const pathname = url.pathname;

		// 获取请求参数中的 ns
		const ns = url.searchParams.get('ns'); 
		const hostname = url.searchParams.get('hubhost') || url.hostname;
		const hostTop = hostname.split('.')[0]; // 获取主机名的第一部分

		let checkHost; // 在这里定义 checkHost 变量
		// 如果存在 ns 参数，优先使用它来确定 hub_host
		if (ns) {
			if (ns === 'docker.io') {
				hub_host = 'registry-1.docker.io'; // 设置上游地址为 registry-1.docker.io
			} else {
				hub_host = ns; // 直接使用 ns 作为 hub_host
			}
		} else {
			checkHost = routeByHosts(hostTop);
			hub_host = checkHost[0]; // 获取上游地址
		}

		const fakePage = checkHost ? checkHost[1] : false; // 确保 fakePage 不为 undefined
		console.log(`域名头部: ${hostTop}\n反代地址: ${hub_host}\n伪装首页: ${fakePage}`);
		const isUuid = isUUID(pathname.split('/')[1].split('/')[0]);

		if (屏蔽爬虫UA.some(fxxk => userAgent.includes(fxxk)) && 屏蔽爬虫UA.length > 0) {
			// 首页改成一个nginx伪装页
			return new Response(await getHtml(), {
				headers: {
					'Content-Type': 'text/html; charset=UTF-8',
				},
			});
		}

		const conditions = [
			isUuid,
			pathname.includes('/_'),
			pathname.includes('/r/'),
			pathname.includes('/v2/repositories'),
			pathname.includes('/v2/user'),
			pathname.includes('/v2/orgs'),
			pathname.includes('/v2/_catalog'),
			pathname.includes('/v2/categories'),
			pathname.includes('/v2/feature-flags'),
			pathname.includes('search'),
			pathname.includes('source'),
			pathname == '/',
			pathname == '/favicon.ico',
			pathname == '/auth/profile',
		];

		if (conditions.some(condition => condition) && (fakePage === true || hostTop == 'docker')) {
			if (env.URL302) {
				return Response.redirect(env.URL302, 302);
			} else if (env.URL) {
				 return fetch(new Request(env.URL, request));
			} else if (url.pathname == '/'){
				return new Response(await getHtml(), {
					headers: {
					  'Content-Type': 'text/html; charset=UTF-8',
					},
				});
			}
			
			const newUrl = new URL("https://registry.hub.docker.com" + pathname + url.search);

			// 复制原始请求的标头
			const headers = new Headers(request.headers);

			// 确保 Host 头部被替换为 hub.docker.com
			headers.set('Host', 'registry.hub.docker.com');

			const newRequest = new Request(newUrl, {
					method: request.method,
					headers: headers,
					body: request.method !== 'GET' && request.method !== 'HEAD' ? await request.blob() : null,
					redirect: 'follow'
			});

			return fetch(newRequest);
		}

		// 修改包含 %2F 和 %3A 的请求
		if (!/%2F/.test(url.search) && /%3A/.test(url.toString())) {
			let modifiedUrl = url.toString().replace(/%3A(?=.*?&)/, '%3Alibrary%2F');
			url = new URL(modifiedUrl);
			console.log(`handle_url: ${url}`);
		}

		// 处理token请求
		if (url.pathname.includes('/token')) {
			let token_parameter = {
				headers: {
					'Host': 'auth.docker.io',
					'User-Agent': getReqHeader("User-Agent"),
					'Accept': getReqHeader("Accept"),
					'Accept-Language': getReqHeader("Accept-Language"),
					'Accept-Encoding': getReqHeader("Accept-Encoding"),
					'Connection': 'keep-alive',
					'Cache-Control': 'max-age=0'
				}
			};
			let token_url = auth_url + url.pathname + url.search;
			return fetch(new Request(token_url, request), token_parameter);
		}

		// 修改 /v2/ 请求路径
		if ( hub_host == 'registry-1.docker.io' && /^\/v2\/[^/]+\/[^/]+\/[^/]+$/.test(url.pathname) && !/^\/v2\/library/.test(url.pathname)) {
			//url.pathname = url.pathname.replace(/\/v2\//, '/v2/library/');
			url.pathname = '/v2/library/' + url.pathname.split('/v2/')[1];
			console.log(`modified_url: ${url.pathname}`);
		}

		// 更改请求的主机名
		url.hostname = hub_host;

		// 构造请求参数
		let parameter = {
			headers: {
				'Host': hub_host,
				'User-Agent': getReqHeader("User-Agent"),
				'Accept': getReqHeader("Accept"),
				'Accept-Language': getReqHeader("Accept-Language"),
				'Accept-Encoding': getReqHeader("Accept-Encoding"),
				'Connection': 'keep-alive',
				'Cache-Control': 'max-age=0'
			},
			cacheTtl: 3600 // 缓存时间
		};

		// 添加Authorization头
		if (request.headers.has("Authorization")) {
			parameter.headers.Authorization = getReqHeader("Authorization");
		}

		// 发起请求并处理响应
		let original_response = await fetch(new Request(url, request), parameter);
		let original_response_clone = original_response.clone();
		let original_text = original_response_clone.body;
		let response_headers = original_response.headers;
		let new_response_headers = new Headers(response_headers);
		let status = original_response.status;

		// 修改 Www-Authenticate 头
		if (new_response_headers.get("Www-Authenticate")) {
			let auth = new_response_headers.get("Www-Authenticate");
			let re = new RegExp(auth_url, 'g');
			new_response_headers.set("Www-Authenticate", response_headers.get("Www-Authenticate").replace(re, workers_url));
		}

		// 处理重定向
		if (new_response_headers.get("Location")) {
			return httpHandler(request, new_response_headers.get("Location"));
		}

		// 返回修改后的响应
		let response = new Response(original_text, {
			status,
			headers: new_response_headers
		});
		return response;
	}
};

/**
 * 处理HTTP请求
 * @param {Request} req 请求对象
 * @param {string} pathname 请求路径
 */
function httpHandler(req, pathname) {
	const reqHdrRaw = req.headers;

	// 处理预检请求
	if (req.method === 'OPTIONS' &&
		reqHdrRaw.has('access-control-request-headers')
	) {
		return new Response(null, PREFLIGHT_INIT);
	}

	let rawLen = '';

	const reqHdrNew = new Headers(reqHdrRaw);

	const refer = reqHdrNew.get('referer');

	let urlStr = pathname;

	const urlObj = newUrl(urlStr);

	/** @type {RequestInit} */
	const reqInit = {
		method: req.method,
		headers: reqHdrNew,
		redirect: 'follow',
		body: req.body
	};
	return proxy(urlObj, reqInit, rawLen);
}

/**
 * 代理请求
 * @param {URL} urlObj URL对象
 * @param {RequestInit} reqInit 请求初始化对象
 * @param {string} rawLen 原始长度
 */
async function proxy(urlObj, reqInit, rawLen) {
	const res = await fetch(urlObj.href, reqInit);
	const resHdrOld = res.headers;
	const resHdrNew = new Headers(resHdrOld);

	// 验证长度
	if (rawLen) {
		const newLen = resHdrOld.get('content-length') || '';
		const badLen = (rawLen !== newLen);

		if (badLen) {
			return makeRes(res.body, 400, {
				'--error': `bad len: ${newLen}, except: ${rawLen}`,
				'access-control-expose-headers': '--error',
			});
		}
	}
	const status = res.status;
	resHdrNew.set('access-control-expose-headers', '*');
	resHdrNew.set('access-control-allow-origin', '*');
	resHdrNew.set('Cache-Control', 'max-age=1500');

	// 删除不必要的头
	resHdrNew.delete('content-security-policy');
	resHdrNew.delete('content-security-policy-report-only');
	resHdrNew.delete('clear-site-data');

	return new Response(res.body, {
		status,
		headers: resHdrNew
	});
}

async function ADD(envadd) {
	var addtext = envadd.replace(/[	 |"'\r\n]+/g, ',').replace(/,+/g, ',');	// 将空格、双引号、单引号和换行符替换为逗号
	if (addtext.charAt(0) == ',') addtext = addtext.slice(1);
	if (addtext.charAt(addtext.length - 1) == ',') addtext = addtext.slice(0, addtext.length - 1);
	const add = addtext.split(',');
	return add;
}

async function getHtml() {
	let context =  `
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>镜像加速说明</title>
    <style>
        body {
            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
            line-height: 1.6;
            color: #333;
            margin: 0;
            padding: 20px;
            background-image: url('https://objectstorage.ap-seoul-1.oraclecloud.com/n/cnmtldsuudsf/b/evil/o/backgroundpexels-christian-heitz-285904-842711.jpg'); /* Replace with your image path */
            background-size: cover;
            background-position: center;
            background-repeat: no-repeat;
            background-attachment: fixed;
        }
        .container {
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
            background: rgba(255, 255, 255, 0.8);
            border-radius: 8px;
            box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
        }
        h1 {
            font-size: 2em;
            margin-bottom: 0.5em;
            color: #007aff;
        }
        p {
            margin-bottom: 1em;
        }
        pre {
            background: #2d2d2d;
            color: #f8f8f2;
            padding: 20px;
            border-radius: 8px;
            overflow-x: auto;
            position: relative;
        }
        pre::before {
            content: " ";
            display: block;
            position: absolute;
            top: 10px;
            left: 10px;
            width: 12px;
            height: 12px;
            background: #ff5f56;
            border-radius: 50%;
            box-shadow: 20px 0 0 #ffbd2e, 40px 0 0 #27c93f;
        }
        code {
            font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, Courier, monospace;
            font-size: 0.875em;
        }
        .copy-button {
            position: absolute;
            top: 10px;
            right: 10px;
            background: #007aff;
            color: white;
            border: none;
            padding: 5px 10px;
            border-radius: 5px;
            cursor: pointer;
            opacity: 0;
            transition: opacity 0.3s;
        }
        pre:hover .copy-button {
            opacity: 1;
        }
        /*底部页脚css*/
        .github-badge {
          display: inline-block;
          border-radius: 4px;
          text-shadow: none;
          font-size: 12px;
          color: #fff;
          line-height: 15px;
          background-color: #abbac3;
          margin-bottom: 2px
        }
        
        .github-badge .badge-subject {
          display: inline-block;
          background-color: #4d4d4d;
          padding: 4px 4px 4px 6px;
          border-top-left-radius: 4px;
          border-bottom-left-radius: 4px
        }
        
        .github-badge .badge-value {
          display: inline-block;
          padding: 4px 6px 4px 4px;
          border-top-right-radius: 4px;
          border-bottom-right-radius: 4px
        }
        
        .github-badge .bg-blue {
          background-color: #007ec6
        }
        
        .github-badge .bg-orange {
          background-color: #ffa500
        }
        
        .github-badge .bg-green {
          background-color: #3bca6e
        }
    </style>
</head>
<body>
    <div class="container">
        <center><h1>镜像加速说明</h1></center>
        <h2>为了加速镜像拉取，使用以下命令设置<b>registry mirror</b>：</h2>
        <pre><code>
sudo tee /etc/docker/daemon.json &lt;&lt;EOF
{
    "registry-mirrors": [
		"https://{workers_host}"
	]
}
EOF</code><button class="copy-button" onclick="copyCode(this)">复制代码</button></pre>
        <pre><code>
sudo systemctl daemon-reload</code><button class="copy-button" onclick="copyCode(this)">复制代码</button></pre>
        <pre><code>
sudo systemctl restart docker</code><button class="copy-button" onclick="copyCode(this)">复制代码</button></pre>
        <h2>用法：</h2>
        <h3>原拉取镜像命令：</h3>
        <pre><code>
docker pull library/alpine:latest</code><button class="copy-button" onclick="copyCode(this)">复制代码</button></pre>
        <h3>加速拉取镜像命令：</h3>
        <pre><code>
docker pull {workers_host}/library/alpine:latest</code><button class="copy-button" onclick="copyCode(this)">复制代码</button></pre>

</div>
    <script>
        function copyCode(button) {
            const code = button.previousSibling;
            const textArea = document.createElement('textarea');
            textArea.value = code.textContent;
            document.body.appendChild(textArea);
            textArea.select();
            document.execCommand('copy');
            document.body.removeChild(textArea);
            button.textContent = '已复制';
            setTimeout(() => {
                button.textContent = '复制代码';
            }, 2000);
        }
    </script>
</body>
</html>`
return context;
}

代码中的 {workers_host} 可替换成自己的域名，只是页面显示不替换不影响功能。建议绑定自己的域名 自己的workers → 设置 → 域和路由 可绑定多个如果是

		"quay": "quay.io",
		"gcr": "gcr.io",
		"k8s-gcr": "k8s.gcr.io",
		"k8s": "registry.k8s.io",
		"ghcr": "ghcr.io",
		"cloudsmith": "docker.cloudsmith.io",
		"nvcr": "nvcr.io",

这些前缀的子域名可代理特定仓库，例如绑定的域名是 gcr.xxx.com 代理就是 gcr.io 除这些外代理的都是 registry-1.docker.io

1. nginx代理

网上找了很多nginx代理的教程，经过测试都不能正常使用，且只能代理 registry-1.docker.io这个一个仓库、查找多个资料后整理了一份可正常使用且和CF代理一样可通过子域名代理多个仓库

# 动态映射子域名到不同的后端
map $host $backend {
    docker.{domain} registry-1.docker.io;
    gcr.{domain} gcr.io;
    ghcr.{domain} ghcr.io;
    nvcr.{domain} nvcr.io;
    k8s-gc.{domain} k8s.gcr.io;
    k8s.{domain} registry.k8s.io;
}

# 使用 map 来匹配和替换 upstream 头部中的 auth.docker.io
map $upstream_http_www_authenticate $m_www_authenticate_replaced {
    "~auth\.docker\.io(.*)" "$1";
    default "";
}

map $m_www_authenticate_replaced $m_final_replaced {
    "~(.*)" 'Bearer realm=\"$scheme://$host$1';
    default "";
}

server {
    listen 443 ssl;
    server_name docker.{domain} gcr.{domain} ghcr.{domain} nvcr.{domain} k8s-gc.{domain} k8s.{domain};

    ssl_certificate /{domain泛证书公钥}; #(证书公钥)
    ssl_certificate_key /{domain泛证书私钥}; #(证书私钥)

    proxy_ssl_server_name on; # 启用SNI
    client_max_body_size 1024M;  #客户端最大上传量
    ssl_session_timeout 24h;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    proxy_ssl_server_name on;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # 修改jwt授权地址
    proxy_hide_header www-authenticate;
    add_header www-authenticate "$m_final_replaced" always;

    # 关闭缓存
    proxy_buffering off;
    # 转发认证相关
    proxy_set_header Authorization $http_authorization;
    proxy_pass_header  Authorization;

    # 对 upstream 状态码检查，实现 error_page 错误重定向
    proxy_intercept_errors on;
    recursive_error_pages on;
    # 根据状态码执行对应操作，以下为301、302、307状态码都会触发
    error_page 301 302 307 = @handle_redirect;

    error_page 429 = @handle_too_many_requests;

    # v1 api
    location /v1 {
        proxy_pass https://index.docker.io;
        proxy_set_header Host index.docker.io;
    }
    # v2 api
    location /v2 {
        proxy_pass https://index.docker.io;
        proxy_set_header Host index.docker.io;
    }
    # jwt授权地址
    location /token {
        proxy_pass https://auth.docker.io;
        proxy_set_header Host auth.docker.io;
    }
    location / {
        # Docker hub 的官方镜像仓库
        proxy_pass https://registry-1.docker.io;
        proxy_set_header Host registry-1.docker.io;
    }
   #处理重定向
   location @handle_redirect {
           resolver 1.1.1.1;
           set $saved_redirect_location '$upstream_http_location';
           proxy_pass $saved_redirect_location;
   }
   # 处理429错误
   location @handle_too_many_requests {
           proxy_set_header Host https://{cf配置的代理地址};  # 替换为另一个服务器的地址
           proxy_pass https://{cf配置的代理地址};
           proxy_set_header Host $http_host;
   }
}

{domain},{domain泛证书公钥},{domain泛证书私钥},{cf配置的代理地址} 替换成自己信息

效果图：

参考了这些教程

gist.github.com

https://gist.github.com/y0ngb1n/7e8f16af3242c7815e7ca2f0833d3ea6

docker-registry-mirrors.md

# Docker Hub 镜像加速器

国内从 Docker Hub 拉取镜像有时会遇到困难，此时可以配置镜像加速器。

> Dockerized 实践 https://github.com/y0ngb1n/dockerized

## 1️⃣ Docker daemon 配置代理（推荐）

参考 [Docker daemon 配置代理](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)

This file has been truncated. show original

bid · 2024-10-14 21:35:22

不错的教程，飞友真给力！

handsome · 2024-10-14 21:35:22

感谢大佬分享

awourtr · 2024-10-14 21:35:22

感谢大佬分享

ccoo · 2024-10-14 21:35:22

想问下Nginx 中的429部分 CF应该要写什么内容

上面CF 做了多个域名的映射应该写哪个呢

“quay”: “quay.io”,

“gcr”: “gcr.io”,

“k8s-gcr”: “k8s.gcr.io”,

“k8s”: “registry.k8s.io”,

“ghcr”: “ghcr.io”,

“cloudsmith”: “docker.cloudsmith.io”,

“nvcr”: “nvcr.io”,

YL_SYS · 2024-10-14 21:35:22

很实用，感谢分享