Docker Registry Reverse Proxy with Basic Auth Nginx Server (marvambass/nginx-registry-proxy)
maintained by MarvAmBass
What is it
This Dockerfile (available as marvambass/nginx-registry-proxy) gives you an nginx reverse proxy with SSL and Basic Auth to use with your Docker Registry (registry).
View in Docker Registry marvambass/nginx-registry-proxy
View in GitHub MarvAmBass/docker-nginx-registry-proxy
Running marvambass/nginx-registry-proxy Container
To run this container, you need a running registry with the name registry, for example:
docker run -d --name registry \
  -v $YOUR_REGISTRY_DIR:/registry \
  -e "SETTINGS_FLAVOR=local" \
  -e "STORAGE_PATH=/registry" \
  registry
Put the new files in a folder to get a result like this:
~/your/path/external$ ls
cert.pem  docker-registry.htpasswd  key.pem
You're now ready to run the nginx-registry-proxy Server ;)
docker run -d -p 443:443 \
  -v $PATH_TO_YOUR/external:/etc/nginx/external \
  --link registry:registry --name nginx-registry-proxy \
  marvambass/nginx-registry-proxy
Use your private Docker Registry
Let's assume you followed all steps up to now. You have a server (https://mydockerreg.com:443) with HTTPS on port 443 and a Basic Auth user named tom with the password jerry.
Let's check if the server is available by opening this URL: https://mydockerreg.com:443/v1/_ping. If the server returns true, your Registry is up and running.
Let's get a new Docker Image from the official Registry, rename it, and publish it into your private Registry.
$ docker pull scratch # this pulls the scratch image from the official registry
Now we have the image named scratch in our local Docker Image Registry. You can check that with the command:
$ docker images
scratch    latest    511136ea3c5a    16 months ago    0 B
Let's rename the Image and publish it into your private Registry
$ docker tag scratch mydockerreg.com:443/scratch
Now the command docker images will show another Image
scratch                        latest    511136ea3c5a    16 months ago    0 B
mydockerreg.com:443/scratch    latest    511136ea3c5a    16 months ago    0 B
At this point we're able to publish it into your private Registry, but first we need to log in to the server:
$ docker login https://mydockerreg.com:443
Username: tom
Password: jerry
Email:
$ docker push mydockerreg.com:443/scratch
You've successfully published your first Image into your private Registry.
Note that you need to run docker login on every server that uses the Registry. You can also pass the username and password as arguments, but this is not secure: they show up in the Linux process list (ps aux) and in the bash history.
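The note above warns that a password passed as an argument ends up in the process list and the shell history. As an added example (not part of the original README), this sketch reads the password from a permission-checked file and hands it to docker login on stdin; it assumes a Docker client that supports --password-stdin, and the function names and the password file path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original README.
# Hypothetical names: file_mode, secret_file_ok, registry_login, ~/.registry-pass.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the password file is a regular, non-empty file,
# is not a symlink, and grants no access to group or others.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    mode=$(file_mode "$f") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Log in without putting the password on the command line:
# the password is read from the file and sent to docker on stdin,
# so it appears neither in `ps aux` nor in the shell history.
registry_login() {
    registry=$1 user=$2 passfile=$3
    if ! secret_file_ok "$passfile"; then
        echo "refusing $passfile: need a regular file with mode 600 or 400" >&2
        return 1
    fi
    docker login --username "$user" --password-stdin "$registry" < "$passfile"
}

# Usage with the values from this page (create the password file
# beforehand in an editor, under `umask 077`):
#   registry_login https://mydockerreg.com:443 tom "$HOME/.registry-pass"
```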
Download the uploaded Image:
$ docker login https://mydockerreg.com:443
Username: tom
Password: jerry
Email:
$ docker pull mydockerreg.com:443/scratch
That's it - Have fun!
This Dockerfile is based on the marvambass/nginx-ssl-secure Image.
I got inspired by the following DigitalOcean Tutorial https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
Building the Dockerfile yourself
Just use the following command to build and publish your/this Docker Container.
docker build -t username/nginx-registry-proxy .
docker push username/nginx-registry-proxy
Creating a self-signed ssl cert
Please note that the Common Name (CN) is important and should be the FQDN of the secured server:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes
Creating a htpasswd file
You need the htpasswd command (on Ubuntu you can simply install it with sudo apt-get install -y apache2-utils)
The first time you wanna create the htpasswd-file, you need to use the -c parameter (it stands for create).
htpasswd -c docker-registry.htpasswd user1
To add any other new user, simply use the following command:
htpasswd docker-registry.htpasswd userN
If you use -c on an existing htpasswd file, all existing users will be deleted and a new file is created that contains only the new user.
Could you please share the Dockerfile for this image:
This image is useful. Thanks a lot. ^_^
This doesn't have anything to do with SSL certificates. If you don't specify your own, the parent container marvambass/nginx-ssl-secure makes sure to create the SSL certificates.
Of course you need to trust self-signed certificates on every machine that wants to connect to this registry, or you could just use paid or StartSSL certificates.
The registry doesn't know anything about TLS, because NGINX terminates it.
The Digital Ocean tutorial you referenced includes several steps for setting up the CA certificate, establishing a CA trust for the self-signed SSL certificate that NGINX uses. How did you skip that step and get a working registry? The registry should be complaining about not trusting the certificate during login, unless you're using an older registry.
Excellent, exactly what I needed: put SSL to a private Docker registry without dealing with nginx configuration. (I tried with Apache with no success.)
Thanks a lot.