Private Docker registry in pull through cache mode returns "invalid authorization credential"

I’m using the official Docker registry image, and have configured it as a pull through cache.

My clients can log in and push/pull local images, such as this:

docker login -u username -p secret docker.example.local:5000
docker pull docker.example.local:5000/myImage

I’ve configured my clients to use the Docker registry server as a proxy:

root@server:/# cat /etc/docker/daemon.json
  {
     "registry-mirrors": ["https://docker.example.local:5000"]
  }

But when my clients try to pull images not already present on the registry server, I get an error. Example pull command:

docker pull alpine

The registry server then responds with this message in its log file:

error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential
[...]
"GET /v2/ HTTP/1.1" 401

Then nothing. So it looks like the registry server returns a 401 to the client, to make it authenticate itself, but that the client doesn’t respond.

I came across this SO post suggesting putting an Nginx proxy server in front, but this seems like a hack and I’d prefer some cleaner way of doing this if possible.

How have others set up their registry server in a pull through cache mode - did you find a better solution than setting up an Nginx proxy in front of the registry server?

PS. I posted this question on stackoverflow.com a few days ago, but as I still can’t get the pull through cache to work I’m posting here too.
