# Docker registry with basic auth and SSL certificate

Docker registry has neither an authentication nor a certificate mechanism, so if your Docker registry is exposed to the internet, you need something in front of it that supports both. You can find examples using Nginx for this on the web, and this is yet another one.

# The architecture

The client talks to Nginx. Nginx proxies the request to the Docker registry. Nginx runs on the host OS, not as a container.

```
+-----------+          +--------------------------------------------------------+
|           |          |  Server                               Docker container |
|           |          |  +---------------------+                +------------+ |
|           |          |  | Nginx on hostOS     |                | Docker     | |
|  Client   |  HTTPS   |  |  * Basic Auth       |    Proxy to    | Registry   | |
|           +--------> |  |  * SSL certificate  +--------------> |            | |
|           |          |  |                     | localhost:5000 |            | |
|           |          |  +---------------------+                +------------+ |
+-----------+          +--------------------------------------------------------+
```

# Docker registry

```
docker run -d -p 5000:5000 -v /images/docker-registry:/tmp/registry -e STORAGE_PATH=/tmp/registry registry
```

Let’s test that it works on localhost.

```
curl localhost:5000
"\"docker-registry server\""
```

Good.

# Nginx

[This git repo](https://github.com/docker/docker-registry) has preset files for this configuration, so let’s use them.

```
sudo apt-get install nginx
git clone https://github.com/docker/docker-registry
sudo cp docker-registry/contrib/nginx/nginx_1-3-9.conf /etc/nginx/conf.d/.
sudo cp docker-registry/contrib/nginx/docker-registry.conf /etc/nginx/.
sudo apt-get install apache2-utils
sudo htpasswd -bc /etc/nginx/docker-registry.htpasswd
Adding password for user
```

Modify `nginx_1-3-9.conf` to match your environment, for example `server_name`. Place the certificate and key files in the right place with the right names. The locations are defined in `nginx_1-3-9.conf`.

```
sudo cp your.crt /etc/ssl/certs/docker-registry
sudo cp your.key /etc/ssl/private/docker-registry
```

Restart Nginx:

```
service nginx restart
```

# Connecting to docker registry via Nginx

Let’s test:

```
$ curl -k --user : https:// | python -m json.tool
"\"docker-registry server\""
```

Good. Basic authentication, the certificate and the HTTP proxy are working. Now let’s log in with the Docker client.

```
$ docker login
Username:
Password:
Email:
WARNING: login credentials saved in /home/ubuntu/.dockercfg.
Login Succeeded
```

If it succeeds, the credentials will be stored in the `.dockercfg` file. Done. Now you can pull, push, whatever.

```
docker push /ubuntu
```

Check inside the registry:

**REST API**

```
curl --user : https:///v1/search | python -m json.tool
https:///v1/repositories///tags
```

**CLI**

```
ubuntu@sensor-docker-registry:~$ sudo docker search localhost:5000/sensor
NAME                    DESCRIPTION   STARS     OFFICIAL   AUTOMATED
sensors/kippo                         0
sensors/dionaea                       0
sensors/zabbix_agentd                 0
sensors/suricata                      0
sensors/p0f                           0
sensors/datastore                     0
```

When you commit an image:

```
[user@analyze-001 ~]$ docker commit 8a5ee6989c37 /
ce63a9ab63a6a7fdd6564ebb68e991d67029e37f6daf83cd988f2eb3b5e6f82d
[user@analyze-001 ~]$ docker push /
The push refers to a repository [/] (len: 1)
Sending image list

Please login prior to push:
Username:
Password:
Email:
WARNING: login credentials saved in /home//.dockercfg.
Login Succeeded
The push refers to a repository [/] (len: 1)
Sending image list
Pushing repository / (1 tags)
e9e06b06e14c: Pushing [============================================>      ] 174.8 MB/197.2 MB
```
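
The tests above only show that a request with credentials succeeds. The script below is an added example, not part of the original post or of the docker-registry project, that checks the negative cases: a request without credentials must be rejected, and the registry port must not be published beyond loopback. The function names and the `REGISTRY_HOST` and `REGISTRY_CONTAINER` environment variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: negative checks for a registry fronted by Nginx basic auth.
# Note: `-p 5000:5000` publishes on all host interfaces, while
# `-p 127.0.0.1:5000:5000` restricts the registry to the local proxy.

# Read `docker port <container>` output on stdin and print every published
# address that is not loopback. No output means only local access is possible.
exposed_bindings() {
  while IFS= read -r line; do
    addr=${line##*-> }            # "5000/tcp -> 0.0.0.0:5000" -> "0.0.0.0:5000"
    case "$addr" in
      127.*|"[::1]":*|localhost:*|"") ;;   # loopback or blank line: nothing to report
      *) printf '%s\n' "$addr" ;;
    esac
  done
}

# Classify the HTTP status of a request sent WITHOUT credentials.
auth_verdict() {
  case "$1" in
    401) echo "ok: basic auth enforced" ;;
    2??) echo "FAIL: served without credentials" ;;
    000) echo "unknown: no HTTP response (TLS or connection error)" ;;
    *)   echo "review: unexpected status $1" ;;
  esac
}

# Live checks run only when REGISTRY_HOST is set (assumed variable name).
if [ -n "${REGISTRY_HOST:-}" ]; then
  # /v1/search is the endpoint queried in the post; no --user here on purpose.
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://$REGISTRY_HOST/v1/search" || true)
  auth_verdict "$code"
  # Run this part on the registry host itself.
  if [ -n "${REGISTRY_CONTAINER:-}" ]; then
    exposed=$(docker port "$REGISTRY_CONTAINER" | exposed_bindings)
    if [ -z "$exposed" ]; then
      echo "ok: registry port bound to loopback only"
    else
      echo "FAIL: registry published on: $exposed"
    fi
  fi
fi
```

With a self-signed certificate the first check reports "unknown" unless curl is given the CA via `--cacert`.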