About the docker registry authentication, I’ve seen 2 methods up to now: Password (https://docs.docker.com/registry/deploying/#native-basic-auth) and Token (https://docs.docker.com/registry/spec/auth/token/).
According to this question on the security stackexchange https://security.stackexchange.com/questions/230893/how-can-i-double-check-security-against-a-tls-on-a-public-ip a server using TLS listening on a public IP which will only allow a set of previously known users scattered over the world could be secured by handling client certificates in the TLS layer.
a) Does the registry support client-certificate auth? Can I make https://hub.docker.com/_/registry handle client certificates on the TLS layer so I can kick out any user trying to enter who is not in the white-listed keys? If so, where's the documentation entry point?
b) If not, is it possible to offload the TLS part to OpenSSL and pipe it to a non-TLS registry, so that OpenSSL handles both the secure channel and the authentication part?
If this is the way to go, I've already seen that here https://docs.docker.com/registry/recipes/ there are 2 recipes: one for apache and one for nginx, both acting as proxies.
But, IMHO, setting up a fully featured web server just for handling a TLS certificate is complete overkill.
I wonder if we can set up a "simple proxy", saying something like "Hey proxy, listen on this port, here are your private keys and certs, here are the public keys of the clients, and the non-encrypted docker registry is here", nothing else.
Reducing to a single question
In other words: what's the simplest configuration that allows me to have the users auth'ed via public/private key pairs, safe enough to be on a public IP as indicated in the security stackexchange link above?
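The "simple proxy" asked for in (b), as an added example that is not part of the original post and not the registry project's own code: a Go program that terminates TLS, refuses any peer whose client certificate does not chain to a private CA, and forwards plaintext HTTP to the registry. The in-memory CA, the certificate names, the 127.0.0.1 server address and the registry at http://127.0.0.1:5000 are assumptions made for the example; in a real deployment the CA key is generated once, kept offline, and used to sign one client certificate per user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// CA is the private issuer. The "white-list" is the set of client certificates
// it has signed; a peer presenting anything else never completes the handshake.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA generates an in-memory root (assumption for the example; keep a real CA key offline).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "registry-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue signs a leaf. A server leaf carries the address clients connect to and
// ExtKeyUsageServerAuth; a client leaf gets only ExtKeyUsageClientAuth, so a
// leaked user certificate cannot be reused to impersonate the proxy.
func (ca *CA) Issue(cn string, serial int64, server bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // assumption: proxy is reached at 127.0.0.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ProxyTLSConfig is the whole authentication policy: RequireAndVerifyClientCert
// rejects, inside the handshake, any peer whose certificate does not chain to the
// CA, so an unauthenticated HTTP request never reaches the registry at all.
func ProxyTLSConfig(serverCert tls.Certificate, clientCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
}

// NewProxy forwards to the plaintext registry (assumed reachable at `registry`).
// X-Forwarded-Proto makes the registry emit https:// Location headers, as the
// nginx recipe does; X-Client-CN passes the verified identity on for logging.
func NewProxy(registry string) (http.Handler, error) {
	target, err := url.Parse(registry)
	if err != nil {
		return nil, err
	}
	rp := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("X-Forwarded-Proto", "https")
		r.Header.Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName)
		rp.ServeHTTP(w, r)
	}), nil
}
```

To serve it, wrap the handler in an http.Server whose TLSConfig is ProxyTLSConfig(serverCert, ca.Cert) and call ListenAndServeTLS("", "") (empty paths, because the key material is already in the config); the registry container then only needs to listen on plain HTTP on localhost. On the client side, the Docker daemon presents a client certificate when client.cert and client.key are placed in /etc/docker/certs.d/<host>:<port>/ next to the CA's ca.crt. Two caveats a practitioner should check before settling on this: with a private CA the white-list is "everything the CA ever signed", so removing one user means a CRL or a VerifyPeerCertificate hook with an explicit allow-list, not just deleting a file; and the registry's own configuration reference has an http.tls.clientcas setting that verifies client certificates natively, which may remove the need for any proxy at all.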