Secure a Docker Registry Using SSL


Ensuring your Docker registry is protected by SSL is of crucial importance. In this quick tutorial, we take a look at how to do just that.


As mentioned in a previous article, protecting a registry with a username and password is not secure if the registry is not configured to use SSL, since the credentials are then sent over plain HTTP.

So we are going to add SSL certificates to our registry. To make things easier, we will use Let's Encrypt, which is free.

Once we have generated the certificates we have to add them to the registry. We will create a directory called certificates which will contain the certificate PEM file and the key PEM file. Then we will move the generated certificates into the certificates directory under the names crt.pem and key.pem.

We will follow exactly the same steps we followed in the previous article to generate the password.

docker run --entrypoint htpasswd registry:2 -Bbn {your-user} {your-password} > auth/password-file

Now we are ready to create our registry, this time also specifying the certificates. To do so we will mount the certificates directory into our Docker container. Then, through environment variables, we will tell the registry where on the container's filesystem it can find the password file and the certificate and key.

docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/auth:/auth -v `pwd`/certificates:/certificates -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/password-file -e REGISTRY_HTTP_TLS_CERTIFICATE=/certificates/crt.pem -e REGISTRY_HTTP_TLS_KEY=/certificates/key.pem registry:2

So your registry will pick up the specified credentials and will also use the certificates we created.
The next step is the DNS mapping: add a DNS entry that points the subdomain the certificate was issued for to your registry's IP.

However, if you just want to test it, you can run your registry locally and add an entry to your /etc/hosts that maps registry.{your certificate's domain} to 127.0.0.1, the local address the registry is listening on.

Once you navigate in your browser to https://registry.{your certificate's domain}:5000
you will get a 200 status code and your browser will identify the connection as secure.
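The steps above can be wrapped in a few checks that catch the mistakes that most often make a TLS-protected registry fail silently: a missing or world-readable key file, a password file whose hash is not bcrypt (the only format the registry accepts, which is why the article uses htpasswd -B), and a certificate that does not validate for the host name. The script below is an added example, not code from the original article; it assumes the Let's Encrypt files have already been copied to certificates/crt.pem and certificates/key.pem, and registry.example.com, myuser and mypassword are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks for the auth/
# and certificates/ directories before starting the registry, the docker run
# command from the article, and a post-start TLS check.
# Placeholders: registry.example.com, myuser, mypassword.

# check_cert_dir DIR: both PEM files must exist and be non-empty, and the
# private key must not be readable by other users. Returns 1 on any failure.
check_cert_dir() {
    dir="$1"
    for f in crt.pem key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # POSIX find: -perm -004 matches when the "other" read bit is set.
    if [ -n "$(find "$dir/key.pem" -perm -004)" ]; then
        echo "$dir/key.pem is world-readable; run: chmod 600 $dir/key.pem" >&2
        return 1
    fi
    return 0
}

# check_htpasswd FILE USER: the registry only accepts bcrypt hashes. An
# $apr1$ (MD5) entry from a distribution htpasswd would make every login
# fail, so reject anything that is not a $2a$/$2b$/$2y$ hash.
check_htpasswd() {
    file="$1"; user="$2"
    hash=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    case "$hash" in
        '$2a$'*|'$2b$'*|'$2y$'*) return 0 ;;
        '') echo "no entry for $user in $file" >&2; return 1 ;;
        *) echo "entry for $user is not bcrypt: $hash" >&2; return 1 ;;
    esac
}

# registry_run_cmd AUTH_DIR CERT_DIR: prints the docker run command from the
# article, with both directories mounted read-only (the registry only reads
# the password file and the certificate files, it never writes to them).
registry_run_cmd() {
    printf 'docker run -d -p 5000:5000 --restart=always --name registry'
    printf ' -v %s:/auth:ro -v %s:/certificates:ro' "$1" "$2"
    printf ' -e REGISTRY_AUTH=htpasswd'
    printf ' -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"'
    printf ' -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/password-file'
    printf ' -e REGISTRY_HTTP_TLS_CERTIFICATE=/certificates/crt.pem'
    printf ' -e REGISTRY_HTTP_TLS_KEY=/certificates/key.pem registry:2\n'
}

# verify_registry HOST USER PASS: once the DNS or /etc/hosts entry is in
# place, an unauthenticated request to /v2/ must get 401 (the registry is
# challenging for credentials over TLS) and an authenticated one 200. curl
# validates the Let's Encrypt chain against the system CA store, so a
# self-signed or mismatched certificate makes it exit non-zero and the
# function returns 1 before any password is sent.
verify_registry() {
    host="$1"; user="$2"; pass="$3"
    anon=$(curl -s -o /dev/null -w '%{http_code}' "https://$host:5000/v2/") || return 1
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" \
        "https://$host:5000/v2/") || return 1
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Usage (replace the placeholders with your own values):
#   check_cert_dir ./certificates && check_htpasswd ./auth/password-file myuser \
#     && eval "$(registry_run_cmd "$(pwd)/auth" "$(pwd)/certificates")"
#   verify_registry registry.example.com myuser mypassword
```

The checks run before the registry is started, so a bad key permission or a non-bcrypt password file is caught locally instead of showing up as an opaque login failure from docker login. verify_registry probes /v2/ rather than the root path because that is the endpoint the registry protects with the htpasswd challenge.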


Published at DZone with permission of Emmanouil Gkatziouras, DZone MVB.
