Create authenticated private docker registries

So I'm trying to run my own docker registry using authentication so that I can access it from the outside. To do this, I use the docker registry image from docker hub like so:

docker run -p 5000:5000 -d -v /opt/registry:/tmp/registry registry:0.8.1

      

Then I use HAProxy to bind this to the URL reg.mydomain.com and add authentication:

userlist auth_list
    group registry users root
    user root password [password]

backend docker-registry
    mode http
    server localhost:5000_localhost localhost:5000 cookie localhost:5000_localhost

frontend web
    mode http
    bind *:80
    bind *:443 ssl crt /path/to/ssl.pem
    acl domain hdr(host) -i reg.mydomain.com
    acl auth_docker_registry http_auth_group(auth_list) registry
    acl registry_ping url_sub _ping
    http-request auth realm Registry if !auth_docker_registry domain !registry_ping
    use_backend docker-registry if domain

      

Once it was running, I logged in using the following command:

root@mydomain:~# docker login https://reg.mydomain.com
Username: root
Password:
Email:
Login Succeeded

      

The problem is that when I run the command to either push to or pull from the registry, I get the following errors:

root@mydomain:~# docker pull reg.mydomain.com/project1
The push refers to a repository [reg.mydomain.com/project1] (len: 1)
Sending image list
Pushing repository reg.mydomain.com/project1 (1 tags)
511136ea3c5a: Pushing
2014/11/24 20:40:33 HTTP code 401, Docker will not send auth headers over HTTP.

root@mydomain:~# docker pull reg.mydomain.com/project1
Pulling repository reg.mydomain.com/project1
2014/11/24 20:40:38 Could not reach any registry endpoint

      

My guess is that the problem is that the HTTPS connection is complete in HAProxy and the rest of the connection (between the HAProxy container and the Docker Registry) is HTTP, but the validation header is still present, resulting in a push error. To test this, I added reqidel ^Authorization to the HAProxy configuration backend section, to no avail.

It is also worth noting that I can navigate to https://reg.mydomain.com and subdirectories like /v1/_ping in a web browser and everything works as expected (I need to be logged in, etc.). Also, at the time of this writing, I am using version 0.8.1 of the docker registry image, not 0.9, as the 0.9 image does not run.

If you need more information, please let me know.

Thanks, JamesStewy

+3




1 answer


OK, so it turns out that just saying to use HTTPS is not enough for docker; you need to force it. To do this, I added redirect scheme https if !{ ssl_fc } domain to my frontend to redirect HTTP traffic to HTTPS, which stopped the above errors.



+1
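A way to check the behaviour discussed above from the outside, as an added example that is not part of the original question or answer: it classifies the reply to a plain-HTTP request as either a redirect to HTTPS or a Basic-auth challenge served over cleartext. The function names and the sample headers are constructed for illustration; the request goes to the site root, which the question says requires a login.

```shell
#!/bin/sh
# Added example (not from the original posts).
# Reads response headers (as printed by `curl -sI`) on stdin and prints a verdict:
#   redirect-https        3xx redirect whose Location is an https:// URL
#   basic-auth-over-http  401 with a Basic challenge, i.e. credentials would be
#                         requested on the unencrypted port
#   other:<status>        anything else
classify_http_response() {
    awk '
        { sub(/\r$/, "") }                 # strip the CR of CRLF line endings
        NR == 1 { status = $2; next }      # status line: HTTP/1.1 302 Found
        /^$/    { exit }                   # blank line ends the header block
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "location")         location  = tolower(value)
            if (name == "www-authenticate") challenge = tolower(value)
        }
        END {
            if (status ~ /^30[1278]$/ && location ~ /^https:\/\//)
                print "redirect-https"
            else if (status == "401" && challenge ~ /^basic/)
                print "basic-auth-over-http"
            else
                print "other:" status
        }'
}

# Live check against a host name given as $1 (needs curl and network access).
check_plain_http() {
    curl -sI --max-time 10 "http://$1/" | classify_http_response
}

# Constructed sample responses, so the classifier can be tried offline.
sample_challenge() {
    printf 'HTTP/1.0 401 Unauthorized\r\nCache-Control: no-cache\r\n'
    printf 'WWW-Authenticate: Basic realm="Registry"\r\n\r\n'
}
sample_redirect() {
    printf 'HTTP/1.1 302 Found\r\nContent-length: 0\r\n'
    printf 'Location: https://reg.mydomain.com/\r\n\r\n'
}

# Run as: sh check.sh reg.mydomain.com
if [ "$#" -gt 0 ]; then
    check_plain_http "$1"
fi
```

A verdict of basic-auth-over-http on port 80 means the proxy is still issuing the login challenge without TLS.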

