Deploy caches with TLS
When running DTR caches in a production environment, you should secure them with TLS. In this example we’re going to deploy a DTR cache that uses TLS.
DTR caches use the same configuration file format used by Docker Registry. You can learn more about the supported configuration in the Docker Registry documentation.
Get the TLS certificate and keys
Before deploying a DTR cache with TLS you need to obtain a public key certificate for the domain name where you deploy the cache, as well as the public and private key files for that certificate.
Once you have them, transfer those files to the host where you plan to deploy the DTR cache.
Create the cache configuration
Use SSH to log into the host where you plan to deploy the DTR cache, and navigate to the directory where you’ve stored the TLS certificate and keys.
Create the config.yml file with the following content:
version: 0.1
storage:
  delete:
    enabled: true
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  tls:
    certificate: /certs/dtr-cache-ca.pem
    key: /certs/dtr-cache-key.pem
middleware:
  registry:
    - name: downstream
      options:
        blobttl: 24h
        upstreams:
          - https://<dtr-url>
        cas:
          - /certs/dtr-ca.pem
The configuration file mentions:
- /certs/dtr-cache-ca.pem: this is the public key certificate the cache will use
- /certs/dtr-cache-key.pem: this is the TLS private key for that certificate
- /certs/dtr-ca.pem: this is the CA certificate used by DTR
Run this command to download the CA certificate used by DTR:
curl -k https://<dtr-url>/ca > dtr-ca.pem
Now that we’ve got the cache configuration file and TLS certificates, we can deploy the cache by running:
docker run --detach --restart always \
  --name dtr-cache \
  --publish 5000:5000 \
  --volume $(pwd)/dtr-cache-ca.pem:/certs/dtr-cache-ca.pem \
  --volume $(pwd)/dtr-cache-key.pem:/certs/dtr-cache-key.pem \
  --volume $(pwd)/dtr-ca.pem:/certs/dtr-ca.pem \
  --volume $(pwd)/config.yml:/config.yml \
  docker/dtr-content-cache:2.4.11 /config.yml
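Before running the deployment command above, a few checks on the three files catch the usual mistakes: a key that does not belong to the certificate, a certificate that is about to expire or was issued for a different host name, a key file readable by other users on the host, and a dtr-ca.pem that (because it was fetched with curl -k) has never actually been used to verify DTR. The script below is an added example, not part of the DTR docs; it assumes openssl and curl are on the PATH and that the file names match those used in config.yml.

```shell
#!/bin/sh
# Pre-deployment checks for the DTR cache TLS files (added example, not DTR's own code).
# Assumes: openssl and curl on PATH; files named as in config.yml, in the current directory.

# 0 when the public key inside the certificate equals the public half of the private key.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is valid and does not expire within $2 seconds (default: 7 days).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null 2>&1
}

# 0 when the certificate's SAN (or, failing that, its CN) covers host name $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 when the private key file is readable by its owner only (mode 0600 or 0400).
key_is_private() {
  mode=$(ls -l "$1" | cut -c1-10)
  case "$mode" in
    ?rw-------|?r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# Re-fetch DTR's CA endpoint with verification ON, pinned to the CA we downloaded with -k.
# A failure here means the file in hand does not vouch for the server we are about to trust.
verify_dtr_ca() {
  curl --silent --show-error --cacert "$1" --output /dev/null "https://$2/ca"
}

# Run every check; usage: check_tls_bundle <cache-host> <dtr-url>
check_tls_bundle() {
  cert_key_match dtr-cache-ca.pem dtr-cache-key.pem || { echo "key does not match cert"; return 1; }
  cert_not_expiring dtr-cache-ca.pem                 || { echo "cert expired or expiring";  return 1; }
  cert_covers_host dtr-cache-ca.pem "$1"             || { echo "cert not issued for $1";   return 1; }
  key_is_private dtr-cache-key.pem                   || { echo "key file too permissive";   return 1; }
  verify_dtr_ca dtr-ca.pem "$2"                      || { echo "dtr-ca.pem rejects $2";    return 1; }
  echo "all TLS checks passed"
}
```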
Use Let’s Encrypt
You can also use Let’s Encrypt to automatically generate TLS certificates that are trusted by most clients.
Learn more about Let’s Encrypt, and how to create a configuration file that leverages it.