Up next in 10
Setup Secure Docker Private Registry in Linux | Step-by-Step Tutorial with SSL & Authentication
27 views
Jul 7, 2025
Want to host your own Docker Private Registry securely on Linux? In this step-by-step tutorial, you’ll learn how to deploy a **secure, self-hosted Docker Registry** using **Nginx reverse proxy, SSL encryption (SANs), and basic authentication**. 🔐 Perfect for DevOps engineers, developers, or anyone working with **CI/CD pipelines** and **container security**. ⏱️ **Timestamps:** 00:00 - Introduction 00:26 - Why You Need a Private Docker Registry 01:07 - Prerequisites 02:01 - Step 1: Generate SSL Certificate with SANs 04:39 - Step 2: Docker Compose Setup for Registry + Nginx 06:18 - Step 3: Configure Nginx Reverse Proxy with SSL 07:49 - Step 4: Add Basic Auth with htpasswd 09:13 - Step 5: Trust Self-Signed Cert on Docker Client 10:55 - Step 6: Push & Pull Docker Images Securely 13:23 - Troubleshooting Tips 📁 **Create SSL Certificates (with SANs):** mkdir -p ~/private-registry/certs && cd ~/private-registry/certs
View Video Transcript
0:00
Hi everyone, welcome back to the
0:01
channel. Today we will show you how to
0:04
set up a secure Docker private registry
0:06
in Linux. If you have ever worried about
0:09
the security of your Docker images or
0:11
needed a centralized private location to
0:13
store them, this video is for you. We
0:16
will walk you through an end toend
0:18
step-by-step process to get your own
0:20
secure registry up and running. So stay
0:23
tuned. Before we jump into the actual
0:25
steps, let's understand why a private
0:28
Docker registry is so important. Public
0:30
registries like Docker Hub are great,
0:32
but they come up with a limitation,
0:34
especially concerning security and
0:36
controls. Imagine you are working with a
0:38
proprietary software or sensitive data.
0:41
You would not want those Docker images
0:44
publicly accessible, right? A private
0:46
registry gives you enhanced security,
0:49
faster transfer, compliance, and version
0:51
control. In addition to this, a Docker
0:54
private registry offers centralized
0:56
image management, cost-saving, scanning
0:59
capabilities, and robust access control.
1:02
It is a critical component for any
1:05
serious Docker workflow. To follow along
1:07
with this tutorial, you will need a few
1:10
things set up. Don't worry, we will keep
1:12
it straightforward. We need two Linux
1:13
servers. One for the registry host,
1:15
another one is for the Docker client.
1:18
Docker and Docker Compose installed on
1:20
both the servers. We will assume you
1:22
have a basic Docker setup. If not, check
1:26
out the links in the description for the
1:27
installation guide. Domain name. This is
1:30
crucial for setting up SSL certificate.
1:32
We will use registry.lini.org
1:35
as an example domain throughout this
1:37
guide. Having these in place will make
1:39
the setup process much smoother. Let's
1:42
get our hand dirty. All right, let's
1:45
break down the step into a manageable
1:47
steps. We will be working primarily on
1:50
the registry host. For the interest of
1:51
time, I have already drafted the
1:53
commands and the files that I will use
1:55
during this video tutorial. I will share
1:58
these in the description of the video
1:59
for your reference. The first step is to
2:01
generate SSL certificate with sense. Why
2:04
sense? In order to avoid this error,
2:07
X509 certificate relies on legacy common
2:09
name field. Use SAS instead. So in order
2:13
to generate the certificate we will be
2:15
creating couple of folder first and then
2:17
we'll create this openslr.cnf
2:20
and then we'll generate our key CSR and
2:23
then finally generate our certificate.
2:25
All right let's move to our docker host.
2:28
So this is my docker host. I have
2:30
already taken the SSH session of my
2:33
docker host and this one is my docker
2:36
client. In docker host I will be running
2:38
open sl commands to generate the
2:40
certificate. For this tutorial, we will
2:42
create cells and certificates. For
2:44
production, consider using let's encrypt
2:47
or commercial CA. Let's first create the
2:50
folder.
2:54
All right. This will create a folder
2:56
private hyphen registry and then search.
2:58
Hit enter. Now move to this search
3:01
folder.
3:03
Now create an OpenSSL configuration file
3:07
named OpenSSL. CNF.
3:13
Copy this content
3:18
and make sure you replace this FQDN
3:22
according to your setup. In my case, I'm
3:24
using registry.linkstack.org
3:26
as a FQDN for my registry. Save and
3:28
close the file. Now, generate the
3:30
private key and CSR using this
3:33
configuration file.
3:39
This has created a private key with the
3:41
name registry.org.key.
3:45
Next, generate the CSR.
3:50
This will generate a CSR with the name
3:52
registry.org
3:55
using the config file that we have
3:56
created with the name openSsl.cnf.
3:59
Hit enter. And if you do ls, you will
4:01
see these files. Next, create the
4:03
certificate.
4:06
Copy this command.
4:09
So this will create a certificate which
4:11
will be valid for 365 days. It will use
4:14
this CSR file, this private key and will
4:18
generate a certificate with the name
4:20
registry.org.crt
4:23
using the file openslr.cnf.
4:26
Hit enter and do ls. You will see the
4:30
certificate key and csr files are
4:32
generated. This key and the certificate
4:34
file will be used by our engineext
4:36
container later in this uh tutorial.
4:39
Next step is to prepare docker compos
4:41
file with registry and engineext. We
4:43
will create a directory for our registry
4:45
configuration and data and then define
4:48
our docker registry and engineext
4:50
services in a docker compos file. Let's
4:52
first create a folder.
5:01
Now move to the private hyphen registry
5:03
folder.
5:07
Create a file with the name docker -
5:10
compose.
5:17
Copy this content.
5:23
Let's quickly break this down. This one
5:26
uses the official Docker uh registry
5:29
image. This maps the docker container
5:32
ports to the host port on 5,000. This
5:35
confirms that we are using stass WD for
5:38
the basic authentication. This specify
5:41
the path of our password file. This is
5:43
the location where the docker images are
5:46
stored. These volumes persist our
5:49
authentication data and register images
5:51
outside the container. This is the
5:54
latest engine x image. This expose the
5:57
enginex on standard HTTP and HTTPS
6:00
ports.
6:03
These volumes mounts our custom enginex
6:06
configuration and generated SSL
6:08
certificates into the container depends
6:10
on registry. Ensures that registry
6:13
starts before EngineX. Save and close
6:15
the file.
6:18
Move to the step three where we will
6:20
configure EngineX reverse proxy. Now we
6:23
need to create the engineext
6:24
configuration file that will be mounted
6:26
into our engineext container. This file
6:28
tells engineext how to proxy request to
6:31
our docker registry and use SSL
6:33
certificate. First create a file.
6:37
First create this default file in con.d
6:41
folder.
6:46
Copy this content.
6:53
Save and close the file.
6:56
Now let's bring up the docker
6:57
containers. Run the command.
7:04
So this will move to this private hyphen
7:06
registry and then run docker compose up
7:09
hyphen g.
7:12
As you can see in the output, it is
7:14
pulling the images first registry and
7:16
engine x and then we'll start the
7:19
containers. accordingly.
7:25
Once the command is executed
7:26
successfully, we'll see the output
7:28
something like this. Let's verify the
7:30
docker container status. Run the command
7:33
docker ps.
7:36
You should see two containers. One is
7:37
with the name engine x. Another one is
7:39
with registry. Engine x container is
7:42
exposing on the port 443 and 80 and
7:45
registry is exposed on the port 5,000.
7:48
Now move to the step four where we will
7:51
set up the basic authentication with
7:53
stpass WD to secure our registry. We
7:56
will implement basic authentication
7:58
using stpass WD. This ensures only
8:01
authorized users can push and pull the
8:04
images. In order to create users first
8:07
we need stpassd utility and by default
8:10
this is not available on Linux. We need
8:12
to install its package first with the
8:14
name Apache 2 - utils. As we are using
8:18
Ubuntu so we will be using app command.
8:31
In my case it is already installed. Now
8:34
we are good to create the first user.
8:37
I'm going to create a user with the name
8:39
DevOps.
8:44
Here hyphen B flag forces brypt
8:47
encryption and hyphen Creates the file.
8:50
For additional user in the next command
8:53
skip this hyphen C flag. So I'm creating
8:56
this user first time. So I will be using
8:58
both the options B and C. Hit enter. It
9:01
will prompt you to set the password for
9:03
this user. Set the some secure password.
9:07
All right. With this authentication
9:09
setup only the users with valid
9:10
credentials can access your registry.
9:12
Moving to the step five where we will
9:15
configure docker client to trust your
9:16
registry on your client second Linux
9:19
server you need to configure docker to
9:21
trust your new docker private registry
9:24
especially since we are using self-send
9:26
certificates this step is crucial for
9:28
your docker client to communicate
9:29
securely with your registry first copy
9:32
the self-send certificates that is cr
9:34
file that is registry
9:37
cert file from your registry host to the
9:40
client you can use SCP command so let me
9:42
Go to my registry host
9:45
source folder. Use the SCP command.
9:55
So 1.5 is my Docker client IP address.
10:01
Moving to the client machine.
10:06
Okay, this file is copied successfully.
10:09
Next, we need to create a folder with
10:11
the name registry.org
10:13
under the folder /c/docarchs.b.
10:21
Make sure this folder name should match
10:24
to the FQDN of your registry.
10:29
Next, copy this uh CRT file with the
10:32
name CA.
10:43
Now restart the docker demon for the
10:45
changes to take effect. Run the command
10:47
sudo.
10:54
Our last step, test your private
10:56
registry.
10:59
For the moment of truth, let's test our
11:01
secure private registry on the client
11:03
machine. Login to your registry using
11:05
the username and password you have
11:07
created. Use the command docker login
11:10
space registry.inus.org
11:13
col443.
11:19
Enter the username as devops and the
11:22
password that you have set during the
11:24
setting of this registry.
11:26
Once you are logged in, you will see the
11:29
message something like login succeeded.
11:32
Now let's say local docker image and
11:34
push it to your private registry. In
11:36
this case I will be using hello world
11:37
docker image. I will tag it with the
11:40
registry name.
11:47
Enter. Run docker images.
11:51
You will see two images. One with the
11:54
name hello world. Another one is with
11:56
the tag that we have just set. If you
11:58
see this command output carefully, we
12:01
have tagged this image
12:04
to this name. So this is our registry
12:07
FQDN.
12:08
This is a repository under this registry
12:12
and this is the name of my image. Now we
12:16
can push this image to our registry
12:19
using the command docker push.
12:27
output confirms that it has been posted.
12:29
To verify, let's remove the local images
12:31
and pull it back from our private
12:33
registry. First remove the image docker
12:36
rmi
12:40
use hyphen f.
12:44
If you run docker
12:47
images,
12:50
now pull this image.
12:54
Docker pull
13:00
output confirms that the image has been
13:02
downloaded from this registry or it is
13:05
pulled from this registry. You can the
13:08
command docker images again just to
13:11
verify output confirms that image has
13:13
been pulled successfully from our
13:16
private docker registry. That's all from
13:18
this video tutorial. I hope you have
13:19
found it useful and informative. In case
13:22
you have encountered any issues during
13:25
this setup, you you may have to follow
13:27
the troubleshooting steps. So some of
13:29
the common issues that you may face is
13:32
SSL certificate errors. For this, check
13:34
the certificate paths and send
13:36
configurations. You may face some
13:38
authentication issues. Just verify the
13:40
st pass downloaded file and credentials
13:43
that you updated correctly in docker
13:45
compose file and you are set the correct
13:48
credentials while while loging to the
13:50
docker uh private registry. You have to
13:52
also make sure that port 80 and 443 are
13:55
open in case firewall is enabled on the
13:57
docker host. So for DNS resolutions
14:00
confirm domain points to the registry
14:01
host. You can use the etc host file to
14:04
point your FQDN to the correct registry
14:06
host IP. You may also refer the
14:09
container logs in order to further
14:12
debugging. Thank you. That's all. Do not
14:14
forget to like, share, subscribe for
14:16
more DevOps tutorials. See you in the
14:18
next video. Bye.
#Computers & Electronics