Improve security further #8
This commit is contained in:
parent
c024ad5d0e
commit
06c7b4b211
1 changed files with 9 additions and 0 deletions
|
@ -229,6 +229,8 @@ http {
|
|||
ssl_certificate_key /etc/registry/certs/private/registry.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
location = /v2/_catalog { return 403; }
|
||||
location ~ ^/v2/.+/tags/list { return 403; }
|
||||
location /v2/ {
|
||||
limit_req zone=reg_read burst=20 nodelay;
|
||||
proxy_pass http://reg;
|
||||
|
@ -345,6 +347,13 @@ sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf
|
|||
sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
|
||||
sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
|
||||
|
||||
# Allow traversal into the private key directory for the proxy
|
||||
sudo chgrp registry-proxy /etc/registry/certs/private
|
||||
sudo chmod 750 /etc/registry/certs/private
|
||||
|
||||
# Ensure parent directory is traversable
|
||||
sudo chmod 755 /etc/registry/certs
|
||||
|
||||
# Verify certificate creation
|
||||
sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
|
||||
|
||||
|
|
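Review bot: The new traversal fix covers `/etc/registry/certs/private` but not `/etc/registry/certs/clients`, even though `ca.crt` in that directory gets the same `chgrp registry-proxy` / `chmod 640` treatment two lines earlier; if `clients/` is root-only (not visible here), the group read on `ca.crt` is unreachable for the proxy. If that is the case, the same pattern applies: `sudo chgrp registry-proxy /etc/registry/certs/clients` and `sudo chmod 750 /etc/registry/certs/clients`. The verification step at the end only inspects the certificate subject/SANs; it would be worth also confirming the effective access this section is meant to set up, e.g. `sudo -u registry-proxy test -r /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt && echo "proxy can read TLS material"`. Note also that `chmod 755` on `/etc/registry/certs` makes the directory world-listable, not just traversable; `751` is sufficient if only traversal is intended. The surrounding shell script starts and ends outside the hunk.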