Docker registry behind caddy as reverse proxy

MetalMatze · July 19, 2016, 10:24pm

Hey, I’m running a docker registry inside a docker container behind caddy.
Pushing and pulling works just fine, but building with drone fails because of some authentication stuff.

172.17.0.21 - [19/Jul/2016:22:10:11 +0000] "GET /v2/ HTTP/1.1" 401 17
172.17.0.21 - [19/Jul/2016:22:10:11 +0000] "GET /v1/_ping HTTP/1.1" 401 17
172.17.0.21 - [19/Jul/2016:22:10:11 +0000] "POST /v1/users/ HTTP/1.1" 401 17
172.17.0.21 - [19/Jul/2016:22:10:11 +0000] "GET /v1/users/ HTTP/1.1" 404 14

Now there’s an official nginx config for this docker regsitry but no caddy one.

What I have so far is not much but works fine for pull & push:

registry.example.com {
	tls mail@example.com
	basicauth / user password
	proxy /v2/ :2202 { #could be any port
		proxy_header X-Forwarded-Proto {scheme}
		proxy_header X-Forwarded-For {host}
		proxy_header Host {host}
	}
}

Maybe somebody has already done this with caddy and can help?

Thanks!

abiosoft · July 20, 2016, 6:15pm

Can you share the specific errors you are getting ?

MetalMatze · July 20, 2016, 6:39pm

I’m very sorry I forgot to do that.

Error response from daemon: Login: 404 Not Found
 (Code: 404; Headers: map[Date:[Tue, 19 Jul 2016 22:10:11 GMT] Content-Length:[14] Content-Type:[text/plain; charset=utf-8] Server:[Caddy] X-Content-Type-Options:[nosniff]])

Thanks!

abiosoft · July 20, 2016, 6:42pm

Is /v2/ part of the url going upstream ? You can omit it with without.

MetalMatze · July 21, 2016, 6:07pm

Ok, I tried it like this but it fails. I think the problem is more likely to be some of the headers not being passed on?!

proxy / :2202 {
	without /v2
	proxy_header X-Forwarded-Proto {scheme}
	proxy_header X-Forwarded-For {host}
	proxy_header Host {host}
}

aios · July 26, 2016, 5:13pm

That was very simple:

registry.example.com {
    tls aioslike@example.com
    basicauth /v2 aios 12345
	proxy /v2 registry:5000 {
		proxy_header X-Forwarded-Proto {scheme}
		proxy_header X-Forwarded-For {host}
		proxy_header Host {host}
	}
}

matt · July 26, 2016, 10:04pm

With version 0.9, replace proxy_header with header_upstream and remove those 3 lines in favor of the transparent preset.

aios · July 27, 2016, 2:39pm

Can you take some example for that?

matt · July 27, 2016, 3:21pm

Simply this:

registry.example.com {
    tls aioslike@example.com
    basicauth /v2 aios 12345
	proxy /v2 registry:5000 {
		transparent
	}
}

MetalMatze · July 27, 2016, 7:37pm

Thank you all for replying!

transparent is awesome and simplifies proxying a lot, thanks!

I’ve added logs and in there this gets written:

172.17.0.20 - [27/Jul/2016:19:32:19 +0000] "GET /v2/ HTTP/1.1" 401 17
172.17.0.20 - [27/Jul/2016:19:32:19 +0000] "GET /v1/_ping HTTP/1.1" 404 14
172.17.0.20 - [27/Jul/2016:19:32:19 +0000] "POST /v1/users/ HTTP/1.1" 404 14

So it seems like drone isn’t able to authenticate. Strangely when I do docker push and docker pull it works just fine. So it might be drone in the end. I’ll ask those guys, if they know any auth problems.

aios · July 28, 2016, 3:38pm

Thanks for that!)))