Haproxy in front of the Docker registry

How to deploy the Docker registry behind Haproxy

Posted by Tobias Begalke on Wed Oct 5 2016

If you want to deploy the Docker registry on an actual server and not as a Docker container, it makes sense to put it behind a load balancer. Here is how I managed to get Haproxy to play together with the Docker registry.

global
  log /dev/log local0
  log /dev/log local1 notice
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s
  user haproxy
  group haproxy
  daemon

  ca-base /etc/haproxy/certs.d
  crt-base /etc/haproxy/certs.d
  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3

defaults
  log global
  mode  http
  option  httplog
  option  dontlognull
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
  bind *:443 ssl crt /etc/haproxy/certs.d/
  default_backend registry
  option forwardfor
  http-request set-header X-Forwarded-Proto https if { ssl_fc }

backend registry
  server reg1 127.0.0.1:5000 weight 1 maxconn 100

My registry runs on a tightly controlled private network so I don’t use any authentication scheme.

You will have to put the SSL certificate for the host in /etc/haproxy/certs.d. Haproxy knows how to deal with one PEM file containing the private key, certificate and intermediate certificate.
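A pre-deployment check for the combined PEM files described above, written as an added example and not part of the original post. The function names, the warning texts and the placeholder bundle writer are assumptions made for illustration; the default directory is the one used on the bind line.

```python
import base64, os, re, ssl, sys, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def constructed_bundle(path, labels, mode):
    """Write a CONSTRUCTED bundle with placeholder bodies (not real key material)."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    with open(path, "w") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    os.chmod(path, mode)

def lint_bundle(path):
    """Return a list of problems with one combined PEM (key + certificate + chain)."""
    with open(path, errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    certs = [b for l, b in blocks if l == "CERTIFICATE"]
    problems = []
    if os.stat(path).st_mode & 0o077:
        problems.append("file mode grants access to group/other")
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block")
    elif len(certs) == 1:
        problems.append("warning: only one certificate, intermediate may be missing")
    if len(keys) == 1 and certs:
        label, body = keys[0]
        if "ENCRYPTED" in label or body.startswith("Proc-Type"):
            # An encrypted key needs a passphrase at load time; flag it, do not prompt.
            problems.append("private key is passphrase-protected")
        else:
            try:
                # OpenSSL loads the chain and the key, then checks the key fits the first certificate.
                ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
            except (ssl.SSLError, OSError) as exc:
                problems.append(f"key and certificate do not load as a pair: {exc}")
    return problems

def lint_dir(certs_dir):
    """Lint every regular file in the directory the bind line points at."""
    paths = [os.path.join(certs_dir, n) for n in sorted(os.listdir(certs_dir))]
    return {os.path.basename(p): lint_bundle(p) for p in paths if os.path.isfile(p)}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no directory given: lint a constructed bad bundle
        constructed_bundle(os.path.join(target, "demo.pem"), ["CERTIFICATE"], 0o644)
    for name, problems in lint_dir(target).items():
        print(name, problems or "OK")
```

Run it with /etc/haproxy/certs.d as the argument before reloading Haproxy; an empty problem list means the file has the expected structure and the key belongs to the first certificate.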

Photo Credits

Container by rauter25 (licensed under CC BY-NC 2.0).