Basic Auth problem on docker registry
Hexalyse opened this issue · comments
Bug description
I've configured docker-registry-ui as shown in the "standalone" example with credentials. For information, docker-registry-ui is behind a reverse proxy (with its own Basic Auth, which works fine), and the docker registry is accessed directly via its https address (https://docker.mydomain.com:5000), and has Basic Auth configured too (directly handled by the docker registry docker container, no reverse proxy is used for the registry).
I have a weird problem. When accessing the web ui, the first request to /v2/_catalog gets a 401 error back from the registry docker container (and my docker container indeed logs an error : level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential"
.
But just after this request, another request is sent to the same URL, and this time it works (200 OK, and no basic auth error).
So I can see the list of my repositories and images. But if I click on one of them to get details, then I get CORS errors (even if CORS are correctly configured on my docker registry, as shown in your examples, and EVEN when using a browser extension to bypass CORS). The problem is that the preflight request gets a 401 Error back from the registry, for the exact same reason as before (level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential"
) and so the browser doesn't continue and spits this in the console:
Access to XMLHttpRequest at 'https://docker.mydomain:5000/v2/foo/bar/manifests/latest' from origin 'https://registry.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
It seems like Basic Auth credentials aren't sent in the requests, so I'm confused. It doesn't seem like a CORS configuration problem (the headers are here, and requests are sent by the browser). Rather, it seems like a problem with Basic Auth on the docker registry.
But any address I open directly in the browser (where I logged in with the basic auth credentials) work properly. Only the XHR requests sent by docker-registry-ui frontend get 401 errors.
How to Reproduce
See explanation above.
My docker-compose file
services:
registry:
restart: always
image: registry:2
container_name: registry
ports:
- 5000:5000
environment:
REGISTRY_HTTP_TLS_CERTIFICATE: REDACTED
REGISTRY_HTTP_TLS_KEY: REDACTED
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes:
- ./data:/var/lib/registry
- ./certs:/certs
- ./auth:/auth
- ./config.yml:/etc/docker/registry/config.yml
ui:
image: joxit/docker-registry-ui:latest
container_name: registry-web-ui
ports:
- 127.0.0.1:5100:80
environment:
- REGISTRY_TITLE=Private Docker Registry
- REGISTRY_URL=REDACTED
- SINGLE_REGISTRY=true
depends_on:
- registry
My private docker registry configuration
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Access-Control-Allow-Origin: ['https://registry.mydomain.com']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Credentials: [true]
Access-Control-Allow-Headers: ['Authorization', 'Accept']
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
Expected behavior
I shouldn't get 401 errors back from the docker registry container when the UI send requests to API endpoints (seems like it's not sending the proper Basic Auth headers like it should, except sometimes!?)
System information
- OS: Debian 11
- Docker registry UI:
- Version: latest
- Tools: docker-compose
It seems like Basic Auth credentials aren't sent in the requests, so I'm confused. It doesn't seem like a CORS configuration problem (the headers are here, and requests are sent by the browser). Rather, it seems like a problem with Basic Auth on the docker registry.
Yes, agree with my
I had a same problem and not find any way to fix.
Currently i'm temporary not using docker-registry-ui, hope someone can explain this issue and how to fix it
Hi there and thank you for using my project and submitting issues.
As I can see with your information and the error Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
, this is linked to this issue from the FAQ:
More information about this issue #104 (comment)
So your options are :
- As I said in the FAQ, use
NGINX_PROXY_PASS_URL
- Configure a nginx/apache/haproxy in front of your registry server and return 200 on each OPTION requests
I will rephrase the FAQ to explicitly include your use-case.
I've updated the FAQ, If you still can't get it to work, you can open the issue again