I’m trying to set up a private registry which would be more like docker.io - all images are available for reading, and to upload you have to be authenticated. I’ve got Apache running on the host with the following configuration:
```apache
Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"
ProxyRequests off
ProxyPreserveHost on
# no proxy for /error/ (Apache HTTPd errors messages)
ProxyPass /error/ !
ProxyPass /v2 http://localhost:5000/v2
ProxyPassReverse /v2 http://localhost:5000/v2
ProxyPass /v1 http://localhost:5000/v1
ProxyPassReverse /v1 http://localhost:5000/v1
KrbVerifyKDC off
KrbServiceName HTTP/docker-repo.some.com
Krb5Keytab /etc/httpd/conf/docker-repo.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms some.com
KrbSaveCredentials on
<Location /v2>
    Order allow,deny
    AuthType Kerberos
    AuthName "Docker Kerberos login"
    Satisfy any
    #
    # Read access to all
    <Limit GET HEAD>
        Allow from all
        # Require valid-user
    </Limit>
</Location>
<Location /v2/private>
    Order deny,allow
    AuthType Kerberos
    AuthName "Docker Kerberos login"
    <Limit POST PUT DELETE PATCH>
        Require valid-user
    </Limit>
</Location>
```
The above breaks with “docker login”. If I un-comment “Require valid-user” in the “Location /v2” block, it always requires authentication. Did anyone try to implement a similar scenario?
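A way to check a proxy against the policy described above (anonymous read, authenticated write), added here as an example and not part of the original post: it sends requests without credentials for each method named in the two `<Limit>` blocks and classifies the responses. The repository name `private/policy-probe`, the verdict strings and the base URL built from the post's host name are assumptions made for illustration.

```python
import urllib.error
import urllib.request

READ = ("GET", "HEAD")                      # methods in the post's <Limit GET HEAD>
WRITE = ("POST", "PUT", "DELETE", "PATCH")  # methods in the post's second <Limit>
# Constructed repository name; it should not exist on the registry being probed.
PROBE_PATH = "/v2/private/policy-probe/blobs/uploads/"


def http_send(base_url):
    """Build a sender that issues requests with no credentials attached."""
    def send(method, path):
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.headers.get_all("WWW-Authenticate") or []
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get_all("WWW-Authenticate") or []
    return send


def classify(method, status, challenges):
    """Map one unauthenticated response onto the intended policy."""
    blocked = status in (401, 403)
    if method in READ:
        return "FAIL: anonymous read refused" if blocked else "ok"
    if status == 401 and challenges:
        return "ok"  # write was challenged, so a client can authenticate
    if status == 401:
        return "FAIL: 401 without WWW-Authenticate"
    if status == 403:
        return "FAIL: write denied outright, no login possible"
    return "FAIL: write passed the proxy unauthenticated"


def audit(send, path=PROBE_PATH):
    """Probe every method once; return {method: (status, verdict)}."""
    report = {}
    for method in READ + WRITE:
        status, challenges = send(method, path)
        report[method] = (status, classify(method, status, challenges))
    return report


if __name__ == "__main__":
    # Assumed base URL, built from the host in the post's KrbServiceName.
    results = audit(http_send("https://docker-repo.some.com"))
    for method, (code, verdict) in results.items():
        print(f"{method:6} {code} {verdict}")
```

`audit` takes any callable with the `send(method, path)` shape, so the same classification can be run against recorded responses instead of a live host.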