You can use a proxy cache to pull images from a target Harbor or non-Harbor registry in an environment with limited or no access to the internet. You can also use a proxy cache to limit the number of requests made to a public registry, which avoids consuming too much bandwidth or being throttled by the registry server.

    Harbor supports proxy caching for the following registries:

    • Harbor
    • Docker Hub
    • Docker registry
    • AWS Elastic Container Registry
    • Google Container Registry
    • Quay

    A Harbor system administrator configures a proxy cache by creating a proxy cache project, which connects to a target registry using a registry endpoint you have configured. A proxy cache project works similarly to a normal Harbor project, except that you are not able to push images to a proxy cache project.

    To use a Harbor proxy cache, configure your docker pull commands and pod manifests to pull images from the proxy cache project instead of the target registry.

    When a pull request comes to a proxy cache project, if the image is not cached, Harbor pulls the image from the target registry and serves the pull command as if it is a local image from the proxy cache project. The proxy cache project then caches the image for a future request.

    • If the image has not been updated in the target registry, the cached image is served from the proxy cache project.
    • If the image has been updated in the target registry, the new image is pulled from the target registry, then served and cached in the proxy cache project.
    • If the target registry is not reachable, the proxy cache project serves the cached image.

    As of Harbor v2.1.1, Harbor proxy cache fires a HEAD request to determine whether any layer of a cached image has been updated in the Docker Hub registry. Using this method to check the target registry will not trigger the Docker Hub rate limiter. If any image layer was updated, the proxy cache will pull the new image, which will count towards the Docker Hub rate limiter.

    Create Proxy Cache Project

    To set up a proxy cache, a Harbor system administrator can create a proxy cache project that connects to a target registry using a registry endpoint.

    A proxy cache project is able to use the same features available to a normal Harbor project, except that you are not able to push images to a proxy cache project. For more information on projects, see the Working with Projects documentation.

    1. Before creating a proxy cache project, create a registry endpoint for the proxy cache project to use. See how to .

      Proxy cache projects can pull every image from the target registry that the access account you configure in the registry endpoint has access to. This means that Harbor users with access to the proxy cache project are able to pull any image available to the access account in the target repository.

    2. Click the Proxy Cache slider and then select your registry endpoint from the drop-down that appears.

    3. Click OK.

    You can view all available proxy cache projects from the Projects page.

    By default, Harbor creates a 7-day retention policy for each new proxy cache project. See more about Tag Retention Policies.

    To pull official images or images from single-level repositories, make sure to include the ‘library’ namespace.

    docker pull <harbor_server_name>/<proxy_project_name>/library/hello-world:latest
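
The rewrite above, generalized beyond the `hello-world` case to namespaced, digest-pinned and non-Docker-Hub references, as an added example that is not part of the Harbor documentation. It assumes the proxy cache project's registry endpoint targets Docker Hub; `to_proxy_ref`, `harbor.example.com` and `dockerhub-proxy` are hypothetical names.

```shell
#!/bin/sh
# Added example: rewrite a Docker Hub image reference so that it is pulled
# through a Harbor proxy cache project.
# Assumption: the project's registry endpoint targets Docker Hub.
# Usage: to_proxy_ref <harbor_server_name> <proxy_project_name> <image_ref>
to_proxy_ref() {
    harbor=$1 project=$2 ref=$3
    [ -n "$harbor" ] && [ -n "$project" ] && [ -n "$ref" ] || return 2

    # Drop an explicit Docker Hub host; the proxy project stands in for it.
    case $ref in
        docker.io/*)       ref=${ref#docker.io/} ;;
        index.docker.io/*) ref=${ref#index.docker.io/} ;;
    esac

    case $ref in
        */*)
            # A first path component containing "." or ":" (or equal to
            # "localhost") is a registry host, not a namespace. Refuse it
            # rather than send another registry's image name to this project.
            first=${ref%%/*}
            case $first in
                *.*|*:*|localhost) return 1 ;;
            esac
            ;;
        *)
            # Official image or single-level repository: add "library".
            ref=library/$ref
            ;;
    esac

    printf '%s/%s/%s\n' "$harbor" "$project" "$ref"
}

# Constructed sample references (placeholders, not from the page).
for image in hello-world:latest docker.io/bitnami/redis:7.2 \
             quay.io/coreos/etcd:v3.5.0; do
    to_proxy_ref harbor.example.com dockerhub-proxy "$image" ||
        echo "skipped $image: not a Docker Hub reference" >&2
done
```

The function also refuses a reference that already points at the Harbor host, so running it twice over the same manifest does not double the prefix.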