htpasswdfile for basic authentication, at a minimum:
library/registryimage does not support the DNS-01 challenge yet, and some of the LetsEncrypt challenge support is getting out of date. If you need this, there is a tracking issue; We have had success by building the binary ourselves and replacing it in the image that Docker ships.
<mirror>is the host/port of your mirror, and
<upstream>is the address of the registry you are intending to mirror.