From 06c7b4b2115163dfe3cd4de9f59b393a98f12ff6 Mon Sep 17 00:00:00 2001
From: continuist
Date: Sun, 24 Aug 2025 15:08:52 -0400
Subject: [PATCH] Improve security further #8

---
 Docker_Registry_Install_Guide.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index 736fc45..f8e6e46 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -229,6 +229,8 @@ http {
 ssl_certificate_key /etc/registry/certs/private/registry.key;
 ssl_protocols TLSv1.2 TLSv1.3;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ location = /v2/_catalog { return 403; }
+ location ~ ^/v2/.+/tags/list { return 403; }
 location /v2/ {
 limit_req zone=reg_read burst=20 nodelay;
 proxy_pass http://reg;
@@ -345,6 +347,13 @@ sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf
 sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
 sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
+# Allow traversal into the private key directory for the proxy
+sudo chgrp registry-proxy /etc/registry/certs/private
+sudo chmod 750 /etc/registry/certs/private
+
+# Ensure parent directory is traversable
+sudo chmod 755 /etc/registry/certs
+
 # Verify certificate creation
 sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
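Review bot: The two new `location` blocks that answer 403 for `/v2/_catalog` and `/v2/<name>/tags/list` carry no comment saying why they exist, so a later maintainer may loosen or drop them without realizing they are what stops repository and tag enumeration; a line such as `# Deny enumeration of repositories (_catalog) and tags (tags/list); pulls and pushes by exact name still reach location /v2/` above them would record the intent. The `= /v2/_catalog` exact match does not cover a trailing-slash form (`/v2/_catalog/`); whether the registry behind `proxy_pass http://reg` accepts that form is not visible here, and if it does, `location ~ ^/v2/_catalog(/|$) { return 403; }` is the safer shape. These denials live only in the proxy, so they hold only as long as clients cannot reach the `http://reg` upstream except through nginx, which this hunk cannot confirm. The enclosing `http {` / server block starts and ends outside the hunk.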