Haproxy in front of the Docker registry

How to deploy the Docker registry behind Haproxy

Posted by Tobias Begalke on Wed Oct 5 2016
In Docker Haproxy
Tags haproxy docker-registry

If you want to deploy the Docker registry on an actual server and not as a Docker container it makes sense to put it behind a load balancer. Here is how I managed to play Haproxy together with the docker registry.

  log /dev/log local0
  log /dev/log local1 notice
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s
  user haproxy
  group haproxy

  ca-base /etc/haproxy/certs.d
  crt-base /etc/haproxy/certs.d
  ssl-default-bind-options no-sslv3

  log global
  mode  http
  option  httplog
  option  dontlognull
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
  bind *:443 ssl crt /etc/haproxy/certs.d/
  default_backend registry
  option forwardfor
  http-request set-header X-Forwarded-Proto https if { ssl_fc }

backend registry
  server reg1 weight 1 maxconn 100

My registry runs on a tightly controlled private network so I don’t use any authentication scheme.

You will have to put the SSL Certificate for the host in /etc/haproxy/certs.d. Haproxy knows how to deal with one PEM containing the private key, certificate and intermediate certificate.

Photo Credits

Container by rauter25 (licensed under CC BY-NC 2.0).