All I would like to do is control the top endpoint (MY_ENDPOINT) where users will log in and pull images. The registry and containers are being hosted (DOCKER_SAAS), so all I need is a seemingly simple redirect. Concretely, where you would normally do:
docker login -u ... -p ... DOCKER_SAAS
docker pull DOCKER_SAAS/.../...
I would like to allow:
docker login -u ... -p ... MY_ENDPOINT
docker pull MY_ENDPOINT/.../...
And even more optimally I would prefer:
docker login MY_ENDPOINT
docker pull MY_ENDPOINT/.../...
where the difference in the last item is that the endpoint contains a hashed version of the username and password, which is set into an `Authorization` header (using `Basic`) – so the user doesn’t even need to worry about username and password, just their URL. I’ve tried a `proxy_pass` as we are already doing for basic packaging (using HTTPS), but that fails with a 404 (in part because we do not handle `/v2` – do I need to redirect that through, also?). This led me to https://docs.docker.com/registry/recipes/nginx/, but this seems to only be pertinent if you are hosting the registry. Is what I am trying to do even possible?
2 Answers
This simple config works both with GitHub and Amazon ECR:

`${NGINX_AUTH_CREDENTIALS}` is a placeholder for the actual hash that Docker uses to authenticate. You can get it from `$HOME/.docker/config.json` after using `docker login` once:

Since the proxy injects/replaces the authentication header, there is no need to use `docker login`; just pull using the address of the proxy instead of the registry address.

Why 404?

I had several 40X errors trying to test the proxy to GitHub with `curl`:

`GET /v2/repo_name/image_name/tags/list` instead.

`-XGET`

Despite all that, `docker pull` worked flawlessly from the beginning, so I recommend using it for testing.

How to handle /v2/

`location /` matches everything, including `/v2/`, so there is no particular need for that in the proxy.


It sounds like there is also an Nginx or similar reverse-proxy server in front of the DOCKER_SAAS. Does the infrastructure look like this?

My guess is that since the server [DOCKER_SAAS ENDPOINT: ?] is apparently configured with a fixed domain name, it expects exactly that domain name in the request header (e.g. `Host: DOCKER_SAAS.TLD`). So the problem is probably that when proxying from [MY_ENDPOINT: nginx] to [DOCKER_SAAS ENDPOINT: ?] the wrong `Host` header is sent along, i.e. by default the host header `MY_ENDPOINT.TLD` is sent along, but it should be `DOCKER_SAAS.TLD` instead. E.g.:

or

Regarding this:

This could be set on the proxy server ([MY_ENDPOINT: nginx]), yes. (The `Authorization: "Basic ..."` can be dynamically filled with the respective token extracted from the MY_ENDPOINT, and so on.) However, the docker CLI would still ask for a username and password anyway. Yes, the user can enter dummy values (to make the CLI happy), or this would also work though:

But this would be inconsistent, and would rather confuse the users, imho. So better let it be…