Can't push when using frontend as registry #75

Closed
jangrewe opened this issue Dec 1, 2015 · 12 comments

@jangrewe

jangrewe commented Dec 1, 2015

I have the frontend running on 80 and 443, proxying to the registry on 5000. When trying to push an image through the frontend to the registry, I get:

Error parsing HTTP response: invalid character '<' looking for beginning of value: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access /v2/gitlab-ci/cloud-deploy/blobs/uploads/\non this server.<br />\n</p>\n<hr>\n<address>Apache/2.4.10 (Debian) Server at registry.magic-technik.de Port 80</address>\n</body></html>\n"

I've set the following EnvVars:

"ENV_DOCKER_REGISTRY_HOST=172.17.42.1",
"ENV_DOCKER_REGISTRY_PORT=5000",
"ENV_DOCKER_REGISTRY_USE_SSL=",
"ENV_REGISTRY_PROXY_FQDN=registry.example.com",
"ENV_REGISTRY_PROXY_PORT=443",

As a workaround I'm currently sending 80 to the frontend and 443 straight to the registry, but I'd like to use the frontend via HTTPS, too! ;-)

@kwk
Owner

kwk commented Dec 1, 2015

@kwk kwk closed this as completed Dec 1, 2015
@jangrewe
Author

jangrewe commented Dec 1, 2015

Yes, that is pretty much the same as how I'm running it, though it's on AWS and the HTTPS part is managed by an ELB with the respective cert. Everything behind the ELB is running plain HTTP (ELB:80->frontend:80, frontend:80->registry:5000 and currently also ELB:443->registry:5000), so I don't suppose I need to use ENV_DOCKER_REGISTRY_USE_SSL.
When using ELB:443->frontend:80->registry:5000, everything except pushing works (see above for error).

Meh. Scratch that... I just discovered that you're forcing ENV_MODE_BROWSE_ONLY, so the use-frontend-as-registry function is pretty useless for now.

That's not mentioned at the link you asked me to check, though ;-)

@kwk
Owner

kwk commented Dec 1, 2015

@jangrewe Currently the v2 frontend can only run in browse only mode. I'm forcing it because the buttons to delete/add a tag are misleading if the functionality is not yet implemented.

@waja

waja commented Dec 1, 2015

@kwk I guess this functionality is not (yet) implemented in registry:v2. Do you maybe have some references for us, where the progress of such features in registry:v2 can be tracked?

@jangrewe
Author

jangrewe commented Dec 1, 2015

@kwk It can only run in browse mode because the frontend doesn't support pushing, or because you don't want to mislead users with non-functional buttons? Because I'd take non-functional buttons over not being able to push any day of the week! 😀

@kwk
Owner

kwk commented Dec 1, 2015

@jangrewe usually you push to the registry directly and not through the front-end. The proxy that is set up in the front-end is just to circumvent CORS. In other words: the front-end doesn't determine whether you can push to your registry.

@jangrewe
Author

jangrewe commented Dec 1, 2015

@kwk Yes, as mentioned above, I can push to the registry. I just cannot push to the registry through the frontend, and as you can see from the error message I provided above, that's not restricted by the registry, but by the frontend - or more specifically by your Apache conf.

  <IfDefine FRONTEND_BROWSE_ONLY_MODE>
    <Location />
      <LimitExcept GET>
        Order Allow,Deny
        Deny From All
      </LimitExcept>
    </Location>
  </IfDefine>

So YES, the frontend (read: the frontend's webserver) determines whether I can push to my registry or not...

@kwk
Owner

kwk commented Dec 1, 2015

If pushing to the registry through the front-end used to work, it was by accident and not by design. It was never tested. Go ahead and fork the repo, make the changes and open a pull request if you already spotted the problematic piece of code.

@jangrewe
Author

jangrewe commented Dec 1, 2015

I think we're not talking about the same issue...

  1. The Apache config blocks pushes. That's obvious and enforced by deliberately setting the BROWSE_ONLY EnvVar.
  2. My question was if there's anything wrong with disabling BROWSE_ONLY ( => allowing requests other than GET, which would allow pushing), other than that the buttons in the frontend won't work?

I don't see any problematic code because I didn't look for any, as the first (and so far: only) hurdle is limiting requests to GET. But I didn't want to go ahead and just switch off BROWSE_ONLY if there's anything that would break pushing anyway (read: a good reason to keep it enabled, other than non-functional buttons).

@kwk
Owner

kwk commented Dec 1, 2015

Well, the reason for only allowing GET requests is security. There used to be a time when PUT and POST requests were actually made through the interface to tag an image or delete a tag. I hope that I can implement those methods again some day. That's why it is still limited to GET.

alexrudd pushed a commit to alexrudd/cloudformation-docker-registry that referenced this issue Jan 14, 2016
@jc21

jc21 commented May 18, 2017

I've just encountered this issue for some strange reason. I pushed one image ok but then I tried to push another from a different server and I got this exact error message. After reading all of this I thought why not just proxy the registry commands straight through :) Here's an nginx config that others might use for reference that works for us.

server {
    listen 80;
    server_name docker.internal;
    client_max_body_size 100M;
    proxy_set_header X-Forwarded-Scheme $scheme;

    # Registry passthrough
    location ~ /v2.* {
       proxy_pass http://127.0.0.1:5000;
    }

    # Frontend
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

@quickshiftin

This is still an issue, however the fix is trivial and I've created a PR.

The current Apache config is already set up to proxy all /v2/ requests straight to the registry:

  # Proxy all docker REST API registry
  # requests to the docker registry server.

  <IfModule ssl_module>
     SSLProxyEngine on
     # SSLProxyVerify none
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
  </IfModule>
  ProxyPreserveHost Off
  ProxyPass /v2/ ${DOCKER_REGISTRY_SCHEME}://${DOCKER_REGISTRY_HOST}:${DOCKER_REGISTRY_PORT}/v2/
  ProxyPassReverse /v2/ ${DOCKER_REGISTRY_SCHEME}://${DOCKER_REGISTRY_HOST}:${DOCKER_REGISTRY_PORT}/v2/

However, the FRONTEND_BROWSE_ONLY_MODE config that @jangrewe mentioned is prohibiting pushes currently. @kwk - please see my pull request to fix this.

@jc21 No need for nginx, just 3 more lines in the Apache config :)
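
One way to lift the GET-only restriction for the registry API without opening writes to every client, as an added example; it is not the pull request mentioned above, whose contents are not shown on this page. It assumes Apache 2.4 authorization syntax in both sections, and 192.0.2.0/24 is a placeholder for the network that is allowed to push.

```apache
<IfDefine FRONTEND_BROWSE_ONLY_MODE>
  # Frontend UI and every other path: read-only, as in the existing config.
  # "Require all denied" is the Apache 2.4 form of
  # "Order Allow,Deny" + "Deny From All".
  <Location />
    <LimitExcept GET>
      Require all denied
    </LimitExcept>
  </Location>

  # Registry API. This section must come after <Location />: <Location>
  # sections are merged in the order they appear, and with the default
  # "AuthMerging Off" the Require rules here replace the ones above
  # for requests under /v2/.
  <Location /v2/>
    # GET and HEAD (browse, pull) stay open to everyone.
    # POST, PATCH, PUT and DELETE (push, delete) are accepted only from
    # the placeholder network below (assumption: replace with your own).
    <LimitExcept GET>
      Require ip 192.0.2.0/24
    </LimitExcept>
  </Location>
</IfDefine>
```

Behind a load balancer such as the ELB setup described earlier in the thread, Apache sees the balancer's address rather than the client's, so `Require ip` only works as intended if mod_remoteip is configured to trust the balancer's forwarded address.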
