Running a Container Registry Behind Apache HTTPD

Posted on by

I had originally run my container registry using a self signed certificate like this:

podman run --name mirror-registry -p 4000:5000     -v /opt/registry/data:/var/lib/registry:z      -v /opt/registry/auth:/auth:z      -e "REGISTRY_AUTH=htpasswd"      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd      -v /opt/registry/certs:/certs:z      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key      -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -d docker.io/library/registry:2

But now that I am using FreeIPA for my Bastion host, I want to use the IPA CA cert for signing the HTTPS request. The easiest thing to do is to run the registry in the container still, but then to front it with mod_proxy.

Note that I am doing the unthinkable: I am running the FreeIPA server as my Bastion host, and thus, I am running my container registry on my FreeIPA server. This is fine for a home lab, but not what I would do in production. You have been forewarned. But this means that the HTTPS server is already set up to Proxy to other ports.

The first step is to remove the Certificate setup from the container registry. This, it reduces to

podman run --name mirror-registry -p 4000:5000     -v /opt/registry/data:/var/lib/registry:z      -v /opt/registry/auth:/auth:z      -e "REGISTRY_AUTH=htpasswd"      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd      -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -d docker.io/library/registry:2

This listens on port 5000. I’ll need to firewall that off for all but local traffic.

firewall-cmd --zone=public --remove-port=4000/tcp
firewall-cmd --reload

I went to a remote machine and used curl to confirm I could not talk to it.

Here is the proxy config I am using:

 cat /etc/httpd/conf.d/registry-proxy.conf 
ProxyRequests Off
 
<LocationMatch "^/v2">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch http://localhost:4000
    ProxyPassReverse http://localhost:4000
</LocationMatch>

After creating that file, HTTPD needs a restart:

systemctl restart httpd

Check from a remote host that has the CA cert added to its trusted store:

curl -O https://nuzleaf.home.younglogic.net/ipa/config/ca.crt
cp ca.crt /etc/pki/ca-trust/source/anchors
update-ca-trust

And test:

curl http://nuzleaf.home.younglogic.net/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

2 thoughts on “Running a Container Registry Behind Apache HTTPD

  1. I believe running
    firewall-cmd
    is unnecessary if you add “127.0.0.1” like this
    -p 127.0.0.1:4000:5000
    to the second podman command.

  2. Possibly. It depends on how your firtewall is set up. Typically the internal zone alows traffic like that through. And, yes, that would be a better approach for production.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.