Create authenticated private docker registries
So I'm trying to run my own docker registry using authentication so that I can access it from the outside. To do this, I use the docker registry image from docker hub like so:
docker run -p 5000:5000 -d -v /opt/registry:/tmp/registry registry:0.8.1
Then I use HAProxy to bind this to the URL reg.mydomain.com and add authentication:
userlist auth_list
    group registry users root
    user root password [password]

backend docker-registry
    mode http
    server localhost:5000_localhost localhost:5000 cookie localhost:5000_localhost

frontend web
    mode http
    bind *:80
    bind *:443 ssl crt /path/to/ssl.pem
    acl domain hdr(host) -i reg.mydomain.com
    acl auth_docker_registry http_auth_group(auth_list) registry
    acl registry_ping url_sub _ping
    http-request auth realm Registry if !auth_docker_registry domain !registry_ping
    use_backend docker-registry if domain
Once it was running, I logged in using the following command:
root@mydomain:~# docker login https://reg.mydomain.com
Username: root
Password:
Email:
Login Succeeded
The problem is that when I run the command to either push or pull the registry, I get the following errors:
root@mydomain:~# docker pull reg.mydomain.com/project1
The push refers to a repository [reg.mydomain.com/project1] (len: 1)
Sending image list
Pushing repository reg.mydomain.com/project1 (1 tags)
511136ea3c5a: Pushing
2014/11/24 20:40:33 HTTP code 401, Docker will not send auth headers over HTTP.
root@mydomain:~# docker pull reg.mydomain.com/project1
Pulling repository reg.mydomain.com/project1
2014/11/24 20:40:38 Could not reach any registry endpoint
My guess is that the problem is that the HTTPS connection is complete in HAProxy and the rest of the connection (between the HAProxy container and the Docker Registry) is HTTP, but the validation header is still present, resulting in a push error. To test this, I added reqidel ^Authorization to the HAProxy configuration backend section, to no avail.
It is also worth noting that I can navigate to https://reg.mydomain.com and subdirectories like /v1/_ping in a web browser and everything works as expected (I need to be logged in, etc.). Also, at the time of this writing, I am using the docker version of the registry 0.8.1, not 0.9, as the image 0.9 does not run.
If you need more information, please let me know.
Thanks, JamesStewy
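The frontend in the question binds port 80 and port 443 in one section, so its http-request auth rule can also issue a Basic auth challenge on the cleartext listener. The following Python check is an added example, not part of the original post: it flags that pattern in a HAProxy configuration. The function names and the HARDENED variant are constructed for illustration, and the check is not presented as the resolution of the push error.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist"}

# Frontend as posted in the question (certificate path is the post's placeholder).
POSTED = """\
frontend web
    mode http
    bind *:80
    bind *:443 ssl crt /path/to/ssl.pem
    acl domain hdr(host) -i reg.mydomain.com
    acl auth_docker_registry http_auth_group(auth_list) registry
    acl registry_ping url_sub _ping
    http-request auth realm Registry if !auth_docker_registry domain !registry_ping
    use_backend docker-registry if domain
"""

# Constructed variant: send cleartext requests to HTTPS before the auth rule is reached.
HARDENED = POSTED.replace(
    "    http-request auth",
    "    http-request redirect scheme https unless { ssl_fc }\n    http-request auth",
)

def split_frontends(config):
    """Map each frontend name to its directives, each split into words."""
    sections, current = {}, None
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        if words[0] in SECTIONS:
            is_frontend = words[0] == "frontend" and len(words) > 1
            current = sections.setdefault(words[1], []) if is_frontend else None
        elif current is not None:
            current.append(words)
    return sections

def cleartext_auth_frontends(config):
    """Names of frontends where 'http-request auth' is reachable on a non-TLS bind."""
    flagged = []
    for name, rules in split_frontends(config).items():
        plain_bind = any(w[0] == "bind" and "ssl" not in w[2:] for w in rules)
        redirected = False
        for w in rules:
            # http-request rules run in order; assumes the redirect covers all cleartext traffic
            if w[:4] == ["http-request", "redirect", "scheme", "https"]:
                redirected = True
            elif w[:2] == ["http-request", "auth"] and plain_bind and not redirected:
                flagged.append(name)
                break
    return flagged
```

Calling cleartext_auth_frontends(POSTED) reports the web frontend, while the HARDENED variant reports nothing because the redirect precedes the auth rule.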