Improve security further #8

This commit is contained in:
continuist 2025-08-24 15:08:52 -04:00
parent c024ad5d0e
commit 06c7b4b211


@ -229,6 +229,8 @@ http {
ssl_certificate_key /etc/registry/certs/private/registry.key; ssl_certificate_key /etc/registry/certs/private/registry.key;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location = /v2/_catalog { return 403; }
location ~ ^/v2/.+/tags/list { return 403; }
location /v2/ { location /v2/ {
limit_req zone=reg_read burst=20 nodelay; limit_req zone=reg_read burst=20 nodelay;
proxy_pass http://reg; proxy_pass http://reg;
@ -345,6 +347,13 @@ sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf
sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
# Allow traversal into the private key directory for the proxy
sudo chgrp registry-proxy /etc/registry/certs/private
sudo chmod 750 /etc/registry/certs/private
# Ensure parent directory is traversable
sudo chmod 755 /etc/registry/certs
# Verify certificate creation # Verify certificate creation
sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)" sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"