{"id":15576614,"url":"https://github.com/abn/docker-registry-secure","last_synced_at":"2025-11-08T14:03:49.463Z","repository":{"id":33620214,"uuid":"37272453","full_name":"abn/docker-registry-secure","owner":"abn","description":"Secure Docker Registry Container (nginx + authn + ssl)","archived":false,"fork":false,"pushed_at":"2015-06-14T09:07:52.000Z","size":148,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-03-23T20:04:30.330Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-11T16:23:32.000Z","updated_at":"2022-07-05T07:45:47.000Z","dependencies_parsed_at":"2022-08-07T22:15:50.185Z","dependency_job_id":null,"html_url":"https://github.com/abn/docker-registry-secure","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abn%2Fdocker-registry-secure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abn%2Fdocker-registry-secure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abn%2Fdocker-registry-secure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abn%2Fdocker-registry-secure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abn","download_url":"https://codeload.github.com/abn/docker-registry-secure/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.c
om","kind":"github","repositories_count":248084347,"owners_count":21045125,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-02T18:53:06.663Z","updated_at":"2025-11-08T14:03:49.422Z","avatar_url":"https://github.com/abn.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker Registry: Secure Containerized Deployment\n\nSecure Docker Registry Container using nginx, htpasswd and ssl.\n\n## Usage\n```sh\n$ sudo docker run alectolytic/secure-registry:2.0.1 help\n\nUsage:\n /usr/bin/entrypoint [\u003ccommand\u003e] [arguments]\n\nCommands:\n gencert    Generate a self-signed certificate. Environment variables respected\n            include: C=AU, ST=Queensland, L=Brisbane, O=Void,CN=$SERVER_NAME\n            NOTE: This will rewrite any pre-existing certificates.\n\n help       Display this message.\n\n htpasswd   Run htpasswd command to set username/password. Expectes username and\n            password (if non-interactive) to be provided. Any additional options\n            to use when generating/modifying /config/.htpasswd can be specified\n            using the OPT environment variable.\n\n setup      Generate SSL cert and htpasswd; and extract all default confiuration\n            to /config. 
When generating htpasswd file the default user docker\n            is used if USERNAME env var is not set; and a random password is\n            generated and stored in /config/.password if PASSWORD env var is not\n            set or /config/.password is not provided.\n\n start      (DEFAULT) This command triggers a setup and starts the secure\n            registry. The registry with configuration loaded from /config\n            where available or generates initial config before start.\n```\n\n## Configuration files\nOnce setup completes (this is done on first start too if not done explicitly), the `config` directory will contain the following files. These files can be modified or replaced as required; changes are picked up on the next start.\n\n| File | Description |\n| ------------- | ------------- |\n| nginx.conf | This configures nginx as a proxy for the docker registry. |\n| openssl.cnf | This is used when generating a self-signed certificate using the `gencert` command. This is required as Go does not like these certificates without IP SANs specified. Note the `alt_names` section. |\n| docker-registry.yml | This is the configuration used by the docker registry itself. |\n| docker-registry.crt | SSL certificate used by nginx. See nginx.conf file. |\n| docker-registry.key | SSL certificate key used by nginx. |\n| .htpasswd | Default htpasswd file created with either generated or provided credentials. |\n| .password | Created if `PASSWORD` env var was not set and .htpasswd file is generated. If one is provided when setting up, this is used instead of generating a random password. 
|\n\n### Custom SSL certificates\nTo use your own SSL certificate, you can replace the `docker-registry.{crt, key}` files.\n\n## Quickstarts\n\n### Start registry on localhost\n\n```sh\n# create config directory\nmkdir $(pwd)/config \u0026\u0026 chcon -Rt svirt_sandbox_file_t $(pwd)/config\n\n# start registry (with username=docker and random password)\n# once started see $(pwd)/config/.password for registry password for username:docker\n# SERVER_IP is used as an IP SAN for generated self-signed certs\ndocker run -d -v $(pwd)/config:/config -e SERVER_IP=127.0.0.1 -e SERVER_NAME=localhost -p 443:443 --name secure-registry alectolytic/secure-registry:2.0.1\n```\n\nTo specify credentials, start the container with `-e USERNAME=crazy -e PASSWORD=fool`.\n\n### Configuration\n\nTo customize configuration you can use the `setup` command to create initial configurations. This would allow you to modify where data is stored etc. See the [Docker Registry Configuration Reference](https://github.com/docker/distribution/blob/master/docs/configuration.md) and [Nginx Configuration](http://wiki.nginx.org/Configuration) for more information regarding component specific configurations.\n\n#### Command\n```sh\ndocker run -it -v $(pwd)/config:/config alectolytic/secure-registry:2.0.1 setup\n```\n\n#### Sample output\n```\nGenerating a 4096 bit RSA private key\n.........................++\n.................................................................................................++\nwriting new private key to 'docker-registry.key'\n-----\n[INFO] PASSWORD=ax5CrRKaRS4qVMqkUPo60xPvW2VUSUPZr8nsfjzMNO8=\nAdding password for user docker\n/config\n[abn@zoidberg docker-registry-secure (master)]$ tree -a config/\nconfig/\n├── docker-registry.crt\n├── docker-registry.key\n├── docker-registry.yml\n├── .htpasswd\n├── nginx.conf\n└── .password\n\n\n0 directories, 4 files\n```\n\n### Disposable Test instances\n#### Command\n```sh\ndocker run -it -p 443:443 alectolytic/secure-registry:2.0.1 start\n```\n\n#### Sample output\nNote the 
line with `PASSWORD`.\n\n```\nGenerating a 4096 bit RSA private key\n.......................................................................++\n............................................................................................++\nwriting new private key to 'docker-registry.key'\n-----\n[INFO] PASSWORD=s1bn3xBnvwkCi40tkYDwj71sM8v71Gy2IhpYkpOhF+I=\nAdding password for user docker\n/config\n2015-06-12 02:43:45,537 CRIT Set uid to user 0\n2015-06-12 02:43:45,539 INFO supervisord started with pid 35\n2015-06-12 02:43:46,541 INFO spawned: 'nginx' with pid 38\n2015-06-12 02:43:46,542 INFO spawned: 'registry' with pid 39\n2015-06-12 02:43:47,569 INFO success: nginx entered RUNNING state, process has stayed up for \u003e than 1 seconds (startsecs)\n2015-06-12 02:43:47,569 INFO success: registry entered RUNNING state, process has stayed up for \u003e than 1 seconds (startsecs)\n```\n\n### Makefile Targets\n\nFor convenience, a Makefile is also provided. It provides the following targets.\n\n\n| Target  | Description |\n| ------------- | ------------- |\n| build  | Builds from the current directory with the correct tag |\n| tag_latest  | Tags the latest version build as the latest  |\n| clean | Cleans up the image using rmi and removes the config directory |\n| gencert | Runs the gencert command |\n| htpasswd | Runs the htpasswd command |\n| help | Shows the help document |\n| start | Starts the registry with the volumes mounted |\n| start-fg | Same as start, but do not detach |\n| test | Starts the registry with the volumes not mounted (not persisted) |\n| test-fg | Same as test but do not detach |\n| shell | Start a bash shell in the container |\n| $(pwd)/config | Create the configuration directory and apply `chcon` |\n\n## Troubleshooting\n\n### Using registry with self-signed SSL cert\nIn order to use the registry with a self-signed cert, you have to restart the docker daemon with '--insecure-registry ${SERVER}:443'. 
On a systemd-based distro, this can be done by editing the '/etc/sysconfig/docker' file to contain the following line. This assumes you are using 127.0.0.1:443 as the registry. Note that `--insecure-registry` makes the daemon skip certificate verification for that registry.\n\n```\nINSECURE_REGISTRY='--insecure-registry 127.0.0.1:443'\n```\nOnce the daemon is restarted, you can login using:\n```sh\ndocker login -u docker -p password -e email@example.org 127.0.0.1:443\n```\n\n## References\n* http://container-solutions.com/2015/04/running-secured-docker-registry-2-0/\n* https://docs.docker.com/registry/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabn%2Fdocker-registry-secure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabn%2Fdocker-registry-secure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabn%2Fdocker-registry-secure/lists"}