Local Docker Registry with UI and Reverse Proxy

README.md

Local Docker Registry with UI and Reverse Proxy

This is using plain docker for starting a registry, adding a UI using https://joxit.dev/docker-registry-ui/ and a reverse proxy with authentication using https://caddyserver.com/

Configure and Prepare

• create a certificate for your registry (e.g. with https://github.com/Schm1tz1/certificates-docker)
• adapt the configs to your needs (especially host names and certificates) - the Caddyfile example is for user:password docker:docker

Running

• Start with compose docker compose up
• Modify the script to point to your registry, then import the images you need using ./import_images.sh <image-filter>
• That's it !

Caddyfile

(auth) {
    basicauth {
        docker $2a$14$YzNJVypCD8tl3PidqRs.N.qI1pVMIAGDyAEAnJ/Kwb.bRCId1Hdrq
    }
}

https:// {
    import auth
    reverse_proxy registry-ui:80
    tls /etc/caddy/docker-registry.pem /etc/caddy/docker-registry.key
}

config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  delete:
      enabled: true
  filesystem:
    rootdirectory: /data 
http:
  addr: :5000
  http:
    headers:
      X-Content-Type-Options: [nosniff]
      Access-Control-Allow-Origin: ['http://registry.schmitzi.internal']
      Access-Control-Allow-Credentials: [true]
      Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
      Access-Control-Allow-Headers: ['Authorization', 'Accept', 'Cache-Control']
      Access-Control-Expose-Headers: ['Docker-Content-Digest']
      http:
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

docker-compose.yml

version: '3.7'

networks:
  backend:
    external: false
    driver: bridge

volumes:
  caddy_data:
  caddy_config:

services:
  registry:
    image: registry:2
    restart: always
    volumes:
      - /opt/registry/data:/data
      - /opt/registry/config/config.yml:/etc/docker/registry/config.yml:ro
    networks:
      - backend

  registry-ui:
    image: joxit/docker-registry-ui:main
    restart: always
    ports:
      - 80:80
    environment:
      - SINGLE_REGISTRY=true
      - REGISTRY_TITLE=Schmitzi Internal Docker Registry UI
      - DELETE_IMAGES=true
      - SHOW_CONTENT_DIGEST=true
      - NGINX_PROXY_PASS_URL=http://registry:5000
      - SHOW_CATALOG_NB_TAGS=true
      - CATALOG_MIN_BRANCHES=1
      - CATALOG_MAX_BRANCHES=1
      - TAGLIST_PAGE_SIZE=100
      - REGISTRY_SECURED=false
      - CATALOG_ELEMENTS_LIMIT=1000
    networks:
      - backend

  caddy:
    image: caddy:2.7-alpine
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - /opt/registry/Caddyfile:/etc/caddy/Caddyfile
      - /opt/registry/docker-registry.pem:/etc/caddy/docker-registry.pem:ro
      - /opt/registry/docker-registry.key:/etc/caddy/docker-registry.key:ro
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - backend

import_images.sh

#!/usr/bin/env bash
IFS=$'\n'

# Set this to your local registry URL
LOCAL_REGISTRY=registry.schmitzi.internal

FILTER=$1
IMAGES=$(docker image ls | grep $FILTER)

for i in $IMAGES; do
    LINE=$(echo $i | tr -s ' ')
    ORIGINAL_IMAGE=$(echo $LINE | cut -d ' ' -f1)
    IMAGE=$(echo $ORIGINAL_IMAGE | cut -d '/' -f4)
    TAG=$(echo $LINE | cut -d ' ' -f2)
    HASH=$(echo $LINE | cut -d ' ' -f3)

    NEW_IMAGE=$LOCAL_REGISTRY/$IMAGE:$TAG

    echo Pushing to $NEW_IMAGE ....

    docker tag $HASH $NEW_IMAGE
    docker image remove --no-prune $ORIGINAL_IMAGE:$TAG

    docker push $NEW_IMAGE
done