Docker Community Forums

Share and learn in the Docker community.

How to build docker registry without SSL

I try to follow this instruction Authenticate proxy with nginx | Docker Documentation for build docker registry with SSL but failed - “X509: certificate signed by unknown authority”.

Than I try to build Docker Registry without SSL.
This is my Nginx.config

http {
  upstream docker-registry {
    server registry:5000;
  }
  map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
    '' 'registry/2.0';
  }
  server {
     listen 80;
    server_name registry.XXX.io;

    client_max_body_size 0;
    chunked_transfer_encoding on;

    location /v2/ {
      if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
        return 404;
      }
      auth_basic "Registry realm";
      auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
      add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
      proxy_pass                          http://docker-registry;
      proxy_set_header  Host              $http_host;   # required for docker client's sake
      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_read_timeout                  900;
    }
  }
}

and this is my compose file

nginx:
  image: "nginx:alpine"
  ports:
    - 5000:80
  links:
    - registry:registry
  volumes:
    - ./auth:/etc/nginx/conf.d
    - ./auth/nginx.conf:/etc/nginx/nginx.conf:ro

registry:
  image: registry:latest
  volumes:
    - ./registry-data:/var/lib/registry

I start docker registry on fly without additional parameters

sudo docker-compose -f registry-compose.yml up -d

And when I check my authentication

sudo docker login -u=registry  http://registry.XXXX.io:80

I receive unexpected result

Error response from daemon: Get https://registry.XXXX.io:80/v2/: dial tcp yyy.yyy.yyy.yyy:80: connect: connection refused 

So, where is SSL and httpS defined? I do not define httpS and SSL at all. What I need to change to full avoid SSL and httpS?

If you don’t want/need any authentication then why do you need the nginx proxy. Just launch the registry container. There won’t be any AuthN or AuthZ so you will be able to push to it immediately without the need for login (obviously you need to tag your images appropriately prior to push).

The docker-compose links construct has been deprecated for a long time so it’s best to avoid using that.

I need authentication, I don’t need SSL.

See: Test an insecure registry | Docker Documentation

After adding your registry to the “insecure-registries” array in /etc/docker/daemon.json, you should be able to access it via http, though I am unclear wether insecure regstries allow auth at all…

I am aware this is not the solution you are lookiing for, but actualy the cleanest approach is to stick with tls termination in your nginx basic-auth proxy and add the ca-certificate or the certififacte itself of the used tls key in etc/docker/certs.d/${fqdn:port}/ca.crt

Thank you, I have add insecure-registries key to config, but receive error
“One or more errors occurred. (No WWW-Authenticate challenge was found for schema Bearer)”
Maybe insecure registry don’t allow basic AU, will be thinking further and search new solution

Your post does not indicate wether you still try to follow the http approach or wether you switched to the recommended https approach.

If you would have clicked the link I shared, you would have seen following warning:

Warning : It’s not possible to use an insecure registry with basic authentication.

Thank you. I understand.