Private registry behind Apache: public ro, authenticated rw

I’m trying to set up a private registry that works more like docker.io: all images are available to read, and to upload you have to be authenticated. I’ve got Apache running on the host with the following configuration:

Header always set "Docker-Distribution-Api-Version" "registry/2.0"
Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"

ProxyRequests     off
ProxyPreserveHost on

# no proxy for /error/ (Apache HTTPd errors messages)
ProxyPass /error/ !

ProxyPass        /v2 http://localhost:5000/v2
ProxyPassReverse /v2 http://localhost:5000/v2

ProxyPass        /v1 http://localhost:5000/v1
ProxyPassReverse /v1 http://localhost:5000/v1

KrbVerifyKDC off
KrbServiceName HTTP/docker-repo.some.com
Krb5Keytab /etc/httpd/conf/docker-repo.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms some.com
KrbSaveCredentials on

<Location /v2>
  Order allow,deny
  AuthType Kerberos
  AuthName "Docker Kerberos login"
  Satisfy any
  #
  # Read access to all
  <Limit GET HEAD>
    Allow from all
    # Require valid-user
  </Limit>

</Location>

<Location /v2/private>
  Order deny,allow
  AuthType Kerberos
  AuthName "Docker Kerberos login"

  <Limit POST PUT DELETE PATCH>
    Require valid-user
  </Limit>

</Location>

The above breaks with “docker login”. If I un-comment “Require valid-user” in the “Location /v2” block, it always requires authentication. Did anyone try to implement a similar scenario?

I’m trying to implement the same scenario with an nginx proxy and have run into the same problem.

I also opened a Stack Overflow question about it.

Apparently the only feasible way to meet the requirements is to use the JWT authentication method as described in the answer to the Stack Overflow question.
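
Added example, not part of the thread or of the linked answer: with the JWT (token) method named in the last reply, the "public read, authenticated write" rule is decided by the token service when it fills the token's access claim. The sketch below shows only that decision; the function names and the two policy sets are assumptions, and signing the JWT and verifying the user's credentials are left out.

```python
# Added example: access decision of a hypothetical token service that
# implements "anonymous pull, authenticated push" for registry token auth.
# Requested scopes use the registry form "<type>:<name>:<action,action>".

ANONYMOUS_ACTIONS = {"pull"}              # assumption: everyone may read
AUTHENTICATED_ACTIONS = {"pull", "push"}  # assumption: any verified user may write


def parse_scope(scope):
    """Split 'repository:team/app:pull,push' into (type, name, [actions])."""
    parts = scope.split(":")
    if len(parts) < 3:
        raise ValueError("malformed scope: %r" % scope)
    # The name may itself contain ':' (for example a host:port prefix),
    # so only the first and last fields are treated as delimiters.
    rtype, name, actions = parts[0], ":".join(parts[1:-1]), parts[-1]
    if not rtype or not name:
        raise ValueError("malformed scope: %r" % scope)
    return rtype, name, [a for a in actions.split(",") if a]


def granted_access(scopes, user=None):
    """Return the 'access' claim: requested actions narrowed to the policy.

    `user` is the already verified account name, or None for an anonymous
    request. Checking the credentials themselves is outside this sketch.
    """
    allowed = AUTHENTICATED_ACTIONS if user else ANONYMOUS_ACTIONS
    access = []
    for scope in scopes:
        rtype, name, requested = parse_scope(scope)
        if rtype == "repository":
            actions = [a for a in requested if a in allowed]
        else:
            actions = []  # other resource types (e.g. the catalog) are denied here
        access.append({"type": rtype, "name": name, "actions": actions})
    return access
```

An anonymous `docker pull` then receives a token limited to `pull`, while a push without credentials gets a token with no `push` action and is rejected by the registry.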