From 8112d01b9be3b42f78d031787042ba5789dff89a Mon Sep 17 00:00:00 2001 From: Per Lundberg Date: Wed, 20 Jun 2018 16:28:10 +0300 Subject: [PATCH] nginx.md: Add note about potential security issues I thought about this while setting this up, and then found this guide (I was setting it up without the guide first.) The potential security implications are important, so I think we should mention them here on this web page. (We could even go further by outright _warning_ people about this, but perhaps letting people know about it so they can make an informed decision is a better way to go. This can be perfectly fine for certain intranet scenarios.) --- docs/recipes/nginx.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/recipes/nginx.md b/docs/recipes/nginx.md index 73370f7e0..81c448467 100644 --- a/docs/recipes/nginx.md +++ b/docs/recipes/nginx.md @@ -38,6 +38,12 @@ you want through the secondary authentication mechanism implemented inside your proxy, it also requires that you move TLS termination from the Registry to the proxy itself. +> Another important thing to note is that by binding your registry to +> `localhost:5000` without authentication, you open up a potential loophole in +> your Docker Registry security - anyone who can log on to the server where your +> Docker Registry is running can push images to your registry, without +> authentication. This could have potentially devastating effects. + Furthermore, introducing an extra http layer in your communication pipeline makes it more complex to deploy, maintain, and debug. Make sure the extra complexity is required.
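Review bot: The added blockquote names the risk of binding the registry to `localhost:5000` without authentication but ends at "This could have potentially devastating effects" and gives the reader nothing to act on. Consider stating the concrete effect (an unauthenticated local push can overwrite a tag that clients later pull through the proxy) and what limits it (restricting who has shell access on that host, or keeping authentication enabled on the registry itself). The wording "anyone who can log on to the server ... can push images" is also narrower than the exposure: any local process that can reach the loopback port can pull as well as push, not only interactive users. On placement, the note sits between the TLS termination sentence and "Furthermore, introducing an extra http layer", so "Furthermore" now appears to continue the blockquote; moving the note after that paragraph, or writing it as a regular paragraph, would keep the flow.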