Improve security further #2
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
This commit is contained in:
parent
d7258dbd95
commit
195e82c8e4
1 changed files with 30 additions and 1 deletions
|
|
@ -42,7 +42,7 @@ This guide covers setting up a rootless Docker Registry v2 with host TLS reverse
|
|||
|
||||
```bash
|
||||
# Install Podman and related tools
|
||||
sudo apt install -y podman
|
||||
sudo apt install -y podman slirp4netns fuse-overlayfs
|
||||
|
||||
# Verify installation
|
||||
podman --version
|
||||
|
|
@ -178,6 +178,7 @@ MemoryDenyWriteExecute=yes
|
|||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
IPAddressDeny=any
|
||||
IPAddressAllow=127.0.0.1/8 ::1
|
||||
LimitNOFILE=65536
|
||||
ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf
|
||||
Restart=on-failure
|
||||
|
||||
|
|
@ -204,10 +205,18 @@ http {
|
|||
client_max_body_size 2g;
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_verify_depth 2;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
proxy_request_buffering off;
|
||||
proxy_read_timeout 300s;
|
||||
proxy_temp_path /run/registry-proxy/proxy_temp;
|
||||
client_body_temp_path /run/registry-proxy/client_temp;
|
||||
fastcgi_temp_path /run/registry-proxy/fastcgi_temp;
|
||||
uwsgi_temp_path /run/registry-proxy/uwsgi_temp;
|
||||
scgi_temp_path /run/registry-proxy/scgi_temp;
|
||||
upstream reg { server 127.0.0.1:5000; }
|
||||
|
||||
# 443: unauthenticated pulls only
|
||||
|
|
@ -360,6 +369,26 @@ sudo ufw allow from 192.168.0.0/16 to any port 4443 proto tcp
|
|||
# sudo ufw allow 4443/tcp
|
||||
|
||||
# Note: Port 5000 is NOT opened - registry runs loopback-only
|
||||
|
||||
## Client Trust Configuration
|
||||
|
||||
For clients to trust your registry certificates, they should install the server CA certificate:
|
||||
|
||||
**For pulls (port 443):**
|
||||
```bash
|
||||
# On client systems
|
||||
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS
|
||||
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS/ca.crt
|
||||
```
|
||||
|
||||
**For pushes (port 4443, mTLS):**
|
||||
```bash
|
||||
# On client systems
|
||||
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443
|
||||
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/ca.crt
|
||||
sudo cp /path/to/client.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.cert
|
||||
sudo cp /path/to/client.key /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.key
|
||||
```
|
||||
```
|
||||
|
||||
### 4.2 Enable and Start Services
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue