From 195e82c8e4ed20f2d536eb5e6f3680e43308f2e9 Mon Sep 17 00:00:00 2001
From: continuist <continuist02@gmail.com>
Date: Sun, 24 Aug 2025 14:27:24 -0400
Subject: [PATCH] Improve security further #2

---
 Docker_Registry_Install_Guide.md | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index e7bbe18..2dfc8e4 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -42,7 +42,7 @@ This guide covers setting up a rootless Docker Registry v2 with host TLS reverse
 
 ```bash
 # Install Podman and related tools
-sudo apt install -y podman
+sudo apt install -y podman slirp4netns fuse-overlayfs
 
 # Verify installation
 podman --version
@@ -178,6 +178,7 @@ MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 IPAddressDeny=any
 IPAddressAllow=127.0.0.1/8 ::1
+LimitNOFILE=65536
 ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf
 Restart=on-failure
 
@@ -204,10 +205,18 @@ http {
   client_max_body_size 2g;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;
+  ssl_verify_depth 2;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
   proxy_http_version 1.1;
   proxy_set_header Connection "";
   proxy_request_buffering off;
   proxy_read_timeout 300s;
+  proxy_temp_path        /run/registry-proxy/proxy_temp;
+  client_body_temp_path  /run/registry-proxy/client_temp;
+  fastcgi_temp_path      /run/registry-proxy/fastcgi_temp;
+  uwsgi_temp_path        /run/registry-proxy/uwsgi_temp;
+  scgi_temp_path         /run/registry-proxy/scgi_temp;
   upstream reg { server 127.0.0.1:5000; }
 
   # 443: unauthenticated pulls only
@@ -360,6 +369,26 @@ sudo ufw allow from 192.168.0.0/16 to any port 4443 proto tcp
 # sudo ufw allow 4443/tcp
 
 # Note: Port 5000 is NOT opened - registry runs loopback-only
+
+## Client Trust Configuration
+
+For clients to trust your registry certificates, they should install the server CA certificate:
+
+**For pulls (port 443):**
+```bash
+# On client systems
+sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS
+sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS/ca.crt
+```
+
+**For pushes (port 4443, mTLS):**
+```bash
+# On client systems
+sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443
+sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/ca.crt
+sudo cp /path/to/client.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.cert
+sudo cp /path/to/client.key /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.key
+```
 ```
 
 ### 4.2 Enable and Start Services