Docker – TLS/SSL Reverse Proxy For Docker Notary Server

Docker Notary Server is necessary for applying proper Docker DCT. But the support for applying your own TLS/SSL Certificate is.. shall we say.. ancient. Sure, you can supply your own certificate, docker-compose build, docker-compose up -d aaaaand.. Docker Notary Server is running with the supplied certificate, generated with LetsEncrypt, valid for.. three months..

Here’s how to use NGinX as a reverse proxy, with LetsEncrypt certificate for Docker Notary Server Upstream.

First, Install Docker Notary Server as you normally would

~$ git clone
~$ docker-compose build
~$ docker-compose up -d

Second, Apply the following NGinX configuration on the front-end reverse proxy:

server {
  listen 4444 ssl http2;
  listen [::]:4444 ssl http2;
  server_name dockerreg.tld;
  error_log /var/log/nginx/dockrreg-tld-notary-error.log;
  access_log /var/log/nginx/dockrreg-tld-notary-access.log;
  ssl_certificate /etc/letsencrypt/live/dockerreg.tld/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/dockerreg.tld/privkey.pem; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

location / {
  proxy_pass                          https://localhost:4443/;
  proxy_set_header  Host              $http_host;
  proxy_set_header  X-Real-IP         $remote_addr;
  proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Proto $scheme;
  proxy_redirect                      off;
  proxy_read_timeout                  900;

Third, Set the Docker DCT environment variables as you normally would. Notice the port 4444

export DOCKER_CONTENT_TRUST_SERVER=https://dockerreg.tld:4444

Trust in the container 👾

Leave a Reply

Your email address will not be published. Required fields are marked *