
Create Docker image registry with Let’s Encrypt and NGINX reverse proxy doing SSL termination

Last updated on April 30, 2023

This bash script deploys a container image registry reachable over HTTPS in a few minutes: the registry runs in Docker, Nginx sits in front of it as a reverse proxy doing SSL termination, and Let’s Encrypt supplies the SSL certificates.

Copy the code below into a new text file, name it for example deploy.sh, and make it executable with chmod +x deploy.sh. Then start it with ./deploy.sh: the script checks that the prerequisites are installed, asks which domain you want to use for the registry and which e-mail address to register with Let’s Encrypt, and then deploys everything, acquiring the needed certificates automatically along the way.

Before running the script, make sure your domain’s DNS records point to your server’s IP address, and keep in mind that the server must be reachable on port 80 while the Let’s Encrypt certificates are being acquired!

#!/bin/bash

# Check if Docker is installed
if ! command -v docker &> /dev/null; then
    echo "Docker is not installed. Please install Docker and try again."
    exit 1
fi

# Check if docker-compose is installed
if ! command -v docker-compose &> /dev/null; then
    echo "docker-compose is not installed. Please install docker-compose and try again."
    exit 1
fi

# Prompt for domain and email
read -p "Enter your domain name (e.g., registry.example.com): " DOMAIN
read -p "Enter your email address (for Let's Encrypt): " EMAIL

# Create necessary directories (nginx/html is the ACME webroot shared by nginx and certbot)
mkdir -p ~/registry/{data,nginx/html,certs}

# Create docker-compose.yml
cat <<EOT > ~/registry/docker-compose.yml
version: '3.1'

services:
  registry:
    image: registry:2
    restart: always
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
    volumes:
      - ./data:/var/lib/registry
    networks:
      - registry

  nginx:
    image: nginx:1.19-alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/letsencrypt
      # Same webroot certbot writes to, so nginx can serve the HTTP-01 challenge files
      - ./nginx/html:/var/www/certbot
    networks:
      - registry

  certbot:
    image: certbot/certbot
    restart: always
    # --staging issues untrusted test certificates from the staging CA (relaxed rate limits);
    # drop the flag once the challenge flow works, otherwise Docker clients will reject the cert.
    command: certbot certonly --webroot -w /var/www/certbot --email $EMAIL --agree-tos --no-eff-email --staging -d $DOMAIN
    volumes:
      - ./certs:/etc/letsencrypt
      - ./nginx/html:/var/www/certbot

networks:
  registry:
EOT

# Create Nginx configuration file
cat <<EOT > ~/registry/nginx/nginx.conf
worker_processes 1;

events { worker_connections 1024; }

http {
    include mime.types;

    server {
        listen 80;
        server_name $DOMAIN;

        # Longest prefix wins, so the ACME location below takes precedence over this redirect
        location / {
            return 301 https://\$host\$request_uri;
        }

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }

    server {
        listen 443 ssl;
        server_name $DOMAIN;

        ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/chain.pem;

        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); nginx 1.19 on OpenSSL 1.1.1 supports TLS 1.3
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA';
    }
}
EOT
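As an added check that is not part of the original post, the small POSIX sh lint below reads an nginx.conf like the one this script generates and flags deprecated TLS versions and weak or non-AEAD cipher suites in the ssl_protocols and ssl_ciphers directives. The functions audit_nginx_tls and write_sample_conf, and the sample server block they operate on, are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx.conf like the one the
# deploy script writes, flagging TLS settings a registry endpoint should not carry.
# Assumes POSIX sh with sed, tr and mktemp; the sample server block is constructed.

# audit_nginx_tls <nginx.conf>: print one finding per line; return 1 if any found.
audit_nginx_tls() {
  conf="$1"
  found=0
  # TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are long broken.
  for proto in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf"); do
    case "$proto" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $proto"; found=1 ;;
    esac
  done
  # Walk the ssl_ciphers list; only AEAD suites (GCM, ChaCha20-Poly1305) pass.
  ciphers=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*'\{0,1\}\([^';]*\).*/\1/p" "$conf")
  for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case "$c" in
      !*) ;;                                                 # exclusion, e.g. !aNULL
      *RC4*|*3DES*|*MD5*|*DSS*|*NULL*|*anon*|*EXPORT*) echo "weak cipher suite: $c"; found=1 ;;
      *GCM*|*CHACHA20*) ;;                                   # AEAD, acceptable
      *) echo "non-AEAD (CBC/HMAC) cipher suite: $c"; found=1 ;;
    esac
  done
  return "$found"
}

# write_sample_conf <path>: constructed server block mirroring the tutorial's
# TLS directives (hostname is a placeholder).
write_sample_conf() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name registry.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA';
}
EOF
}

# Stand-alone run against the constructed sample (expect five findings).
tmp=$(mktemp)
write_sample_conf "$tmp"
if audit_nginx_tls "$tmp"; then echo "TLS config OK"; else echo "review findings above"; fi
rm -f "$tmp"
```

To audit the file the script actually wrote, call audit_nginx_tls ~/registry/nginx/nginx.conf instead of the sample.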

 
