sharenet/registry/Caddyfile

# Unauthenticated pulls on 443 (GET requests only)
:443 {
  tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
  log

  # Block all write operations explicitly
  @writes method PUT POST PATCH DELETE
  respond @writes "Method Not Allowed" 405

  # Allow all GET requests to v2 API (Docker Registry itself will handle security)
  reverse_proxy /v2/* registry:5000
}

# Auth-required pushes on 4443
:4443 {
  tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
  log

  # require auth on writes
  @writes method PUT POST PATCH DELETE
  basic_auth @writes {
    registry-user {env.REGISTRY_PASSWORD_HASH}
  }

  # also require auth on the /v2/ ping so Docker sends creds
  @v2ping {
    path /v2/
    method GET
  }
  basic_auth @v2ping {
    registry-user {env.REGISTRY_PASSWORD_HASH}
  }

  reverse_proxy /v2/* registry:5000
}


# TODO: Add Option B: Let's Encrypt certificates (Domain name)