docker-registry-ui/examples/token-auth-keycloak/conf/proxy/nginx.conf

server {
    listen       80;
    server_name  localhost;
    resolver 127.0.0.11 valid=30s;

    set $keycloak "http://keycloak:8080";
    set $registry "http://registry:5000";
    set $ui "http://ui";

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
    chunked_transfer_encoding on;
    # required for strict SNI checking: see Issue #70 (https://github.com/Joxit/docker-registry-ui/issues/70)
    proxy_ssl_server_name on;
    proxy_buffering off;
    proxy_ignore_headers "X-Accel-Buffering";

    location /v2 {
      # Do not allow connections from docker 1.5 and earlier
      # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
      if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
          return 404;
      }
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host               $host;
      proxy_set_header X-Forwarded-Host   $host;
      proxy_pass $registry;
    }

    location /auth {
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host               $host;
      proxy_set_header X-Forwarded-Host   $host;
      proxy_pass $keycloak;
    }

    location /auth/realms/master/protocol/docker-v2/auth {
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host               $host;
      proxy_set_header X-Forwarded-Host   $host;

      if ($request_method = "OPTIONS") {
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
        add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Content-Type "text/plain charset=UTF-8";
        add_header Content-Length 0;
        return 204;
      }

      if ($http_authorization = "") {
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
        add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
        add_header Access-Control-Allow-Credentials true always;
        add_header WWW-Authenticate 'Basic realm="Keycloak login"' always;
        return 401;
      }

      add_header Access-Control-Allow-Origin $http_origin always;
      add_header Access-Control-Allow-Methods "OPTIONS, GET" always;
      add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization" always;
      add_header Access-Control-Allow-Credentials true always;
      proxy_pass $keycloak;
    }

    location /ui {
      rewrite  ^/ui/(.*) /$1 break;
      proxy_pass $ui;
    }

    location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}