From 7b1e38fb95325cd95ca1f47e7445f03d53ba1219 Mon Sep 17 00:00:00 2001 From: continuist Date: Sun, 24 Aug 2025 17:47:12 -0400 Subject: [PATCH] Improve security #14 --- Docker_Registry_Install_Guide.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md index 2520f4b..733bcbf 100644 --- a/Docker_Registry_Install_Guide.md +++ b/Docker_Registry_Install_Guide.md @@ -221,6 +221,7 @@ http { limit_req_zone $binary_remote_addr zone=reg_read:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=reg_write:10m rate=5r/s; limit_conn_zone $binary_remote_addr zone=perip:10m; + # Note: Tune these limits based on your expected load. Adjust if CI bursts cause 429s. client_max_body_size 2g; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ @@ -231,6 +232,8 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_request_buffering off; @@ -276,7 +279,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; limit_req zone=reg_write burst=10; limit_conn perip 20; proxy_pass http://reg; - proxy_set_header Host $host; + proxy_set_header Host $host:$server_port; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Docker-Distribution-Api-Version "registry/2.0" always; @@ -397,6 +400,9 @@ curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL" echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - chmod +x /usr/local/bin/cosign +# Verify installation +cosign version --json + # Generate Cosign key pair (or use keyless OIDC in CI) cosign generate-key-pair 
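Review bot: The `ssl_stapling on;` and `ssl_stapling_verify on;` lines added in the `@@ -231,6 +232,8 @@` hunk are not sufficient on their own. nginx needs a `resolver` to look up the OCSP responder's hostname, and verification needs the issuer chain through `ssl_trusted_certificate` unless the `ssl_certificate` file already contains the intermediates. Neither directive is visible in this hunk (the `http` block continues outside it), so confirm they exist or add `resolver <RESOLVER_IP> valid=300s;` and `ssl_trusted_certificate <PATH_TO_CHAIN_PEM>;` (placeholders). When the certificate carries no OCSP responder URL, as is common with a private CA, nginx logs a warning and ignores stapling; the guide should say so, so readers do not assume revocation status is being served.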
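Review bot: In the `@@ -276,7 +279,7 @@` hunk, `proxy_set_header Host $host:$server_port;` forwards the port nginx itself listens on, not the port the client connected to. Behind a published-port mapping or another proxy, the registry would likely build absolute `Location` URLs with the wrong port. `$host` also comes from the client's request. Unless this `server` block (which starts outside the hunk) pins `server_name` and a default server rejects other names, the upstream sees whatever host the client sent. Consider forwarding a fixed external authority instead, `proxy_set_header Host <REGISTRY_HOST>:<EXTERNAL_PORT>;` (placeholders), with a short comment explaining why the port is included.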
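Review bot: The `cosign version --json` step added in the `@@ -397,6 +400,9 @@` hunk executes the downloaded binary even if the preceding `sha256sum -c -` check failed. The commands are not chained and no `set -e` is visible in the hunk, and the file has already been written to `/usr/local/bin/cosign` by then. Join the steps so nothing runs on a mismatch: `... | sha256sum -c - && chmod +x /usr/local/bin/cosign && cosign version --json`. The `# Verify installation` comment could also tell the reader to compare the printed version with the release they pinned, since a successful run alone only shows that the binary starts.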
@@ -470,6 +476,7 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub **Security hardening notes:** - `:U` flag: ID-maps the host directory into the container's user namespace to avoid permission drift and tighten isolation. - `ssl_session_tickets off`: Avoids long-lived TLS ticket key reuse unless you manage ticket key rotation. +- **Client policy enforcement**: The registry doesn't enforce signatures—clients do. Ensure `containers-policy.json` (with `sigstoreSigned` for `REGISTRY_HOST` and reject for `docker.io`) is deployed on every *pulling* host. ## Security Model
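Review bot: The new "Client policy enforcement" bullet names only `docker.io` as rejected, and a reader may copy that as the whole policy. Signature enforcement on a pulling host holds only when the policy's `default` requirement is `reject`; otherwise images from any registry not listed are still accepted unsigned. The policy file itself is outside this hunk, so this is a wording point: say that `default` is `reject` and that `REGISTRY_HOST` is the only scope allowed, via `sigstoreSigned`. It would also help to give the path the tools read, `/etc/containers/policy.json`, since `containers-policy.json` is the man-page name rather than the file name.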