
In short: I can't log in to my docker-registry (hosted on an Ubuntu VM (14.04 LTS) in a server center) from the outside (my local computer running a Mac) using a my.domain.ch name.

I can successfully log in from the Ubuntu machine (vm-2) running the registry with 'docker login http://localhost:5000'.

This is my setup:

vm-1: nginx/1.10.1 on Ubuntu 14.04 acting as reverse proxy (no docker installed here):

upstream registry {
    server vm-2:5000 fail_timeout=5s;
}

server {
 listen 80;
 server_name my.domain.ch; # server_name ;
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl;
 server_name my.domain.ch; # server_name ;

 charset utf-8;
 keepalive_timeout 5;
 add_header Docker-Distribution-Api-Version registry/2.0 always;
 ssl_certificate         /etc/nginx/ssl/cert.pem;
 ssl_certificate_key     /etc/nginx/ssl/key.pem;

 ssl_ecdh_curve          secp521r1;

 ssl_protocols           TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers       on;
 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCMSHA384:ECDHE-ECDSA-AES256-SHA384:EC$

 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header Docker-Distribution-Api-Version registry/2.0;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_read_timeout 900;

 location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    proxy_pass https://registry;
 }
}

vm-2: docker-registry on Ubuntu 14.04 acting as registry host:

Docker version 1.12.1, build 23cf638

docker-compose version 1.7.0, build 0d7bf73

docker-registry version 2.5.1

These are:

  • /opt/docker-registry/auth (htaccess)
  • /opt/docker-registry/certs (key and cert)
  • /opt/docker-registry/data (empty)
  • /opt/docker-registry/docker-compose.yml

docker-compose.yml looks like this:

registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/cert.pem
    REGISTRY_HTTP_TLS_KEY: /certs/key.pem
    REGISTRY_AUTH: "htpasswd"
    REGISTRY_AUTH_HTPASSWD_REALM: basic-realm
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_LOG_LEVEL: "debug"
  volumes:
    - /opt/docker_registry/data:/var/lib/registry
    - /opt/docker_registry/certs:/certs
    - /opt/docker_registry/auth:/auth

From my Mac I try:

docker login https://my.domain.ch
Username: MyUserName
Password:
Error response from daemon: login attempt to https://my.domain.ch/v2/ failed with status: 401 Unauthorized

My research showed me that:

David Daeschler wrote that docker only supports basic auth with bcrypt. (I tried apache-md5, md5 and crypt; none of them worked.) So I use bcrypt for my htaccess as suggested.

My docker-registry log:

registry_1  | time="2016-09-22T10:01:00.809076941Z" level=debug msg="authorizing request" go.version=go1.6.3 http.request.host=mydomain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=xxx.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1

registry_1  | time="2016-09-22T10:01:00.811894104Z" level=error msg="error authenticating user \"MyUserName\": authentication failure" go.version=go1.6.3 http.request.host=my.domain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=xxx.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1

registry_1  | time="2016-09-22T10:01:00.812631504Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"basic-realm\": authentication failure" go.version=go1.6.3 http.request.host=my.domain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=83.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1

registry_1  | xxx.xxx.xxx.11 - - [22/Sep/2016:10:01:00 +0000] "GET /v2/ HTTP/1.0" 401 87 "" "docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))"

The nginx-log:

2016/09/22 09:14:34 [crit] 13318#0: *8 crypt_r() failed (22: Invalid argument), client: xxx.xxx.xxx.127, server: my.domain.ch, request: "GET /v2/ HTTP/1.1", host: "my.domain.ch"

The reason for this error is covered by this answer from a Docker.com guy (in short: "Hunting this down shows this is dependent on the version of gcc shipped with Debian.").

What I know from the logs & errors is:

  • It has correctly forwarded the request
  • Port is open and accepting requests
  • TLS works & certs are correct - it uses v2 of the API
  • Must have to do with htaccess
  • Must be a problem with nginx, since it works locally

How can I make nginx understand bcrypt? Or is the error somewhere else?

Thanks for any help, SWiggels

Edit:

Found this from a docker.com guy:

I'm not sure if this will help, but we've become tired of dealing with nginx's edge cases for new users, so registry 2.1 will come with htpasswd based basic auth support.

As of using docker-registry v2.5.1 basic auth should work.

I installed apache2-utils (sudo apt-get install apache2-utils) on vm-1. I thought it might bring bcrypt with it. It didn't work.

When installing bcrypt explicitly (sudo apt-get install bcrypt) I get bcrypt is already the newest version.

Adding libgmp3-dev (sudo apt-get install libgmp3-dev) as suggested here didn't work either.

As described here auth_basic (of nginx? or basic auth in general?) does not support bcrypt. But the only encryption allowed by docker-registry is bcrypt for htaccess passwords.

As I have read here, nginx can't handle bcrypt password hashes.

Is it impossible to have a docker-registry v2.5.1 behind an nginx 1.10.1?

SWiggels

  • Hello, did you get a fix for this issue? I am facing the same issue. https://stackoverflow.com/questions/59130976/private-docker-registry-with-self-signed-tls-certificates-not-accepting-valid-ba – Naveed Kamran Dec 07 '19 at 09:39
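Added diagnostic (my own code, not from the question, nginx or the registry project): it audits an htpasswd file and reports, per entry, whether nginx's auth_basic and the registry's htpasswd backend can verify that hash type, which makes the mismatch behind the crypt_r() error visible before deploying. The sample entries are constructed; the bcrypt and apr1 values are placeholders with the right shape only.

```python
import base64
import hashlib
import hmac
import re

# Schemes nginx's auth_basic can verify (per the nginx docs): what the system
# crypt() handles, Apache apr1, and the {PLAIN}/{SHA}/{SSHA} forms. glibc's crypt()
# on Ubuntu 14.04 has no bcrypt, hence "crypt_r() failed (22: Invalid argument)".
NGINX_OK = {"md5-crypt", "sha256-crypt", "sha512-crypt", "apr1", "PLAIN", "SHA", "SSHA"}
# The registry's htpasswd auth backend accepts bcrypt entries only.
REGISTRY_OK = {"bcrypt"}

def scheme(hashed):
    """Classify an htpasswd hash by its prefix/shape."""
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", hashed):
        return "bcrypt"
    for prefix, name in (("$apr1$", "apr1"), ("$1$", "md5-crypt"),
                         ("$5$", "sha256-crypt"), ("$6$", "sha512-crypt")):
        if hashed.startswith(prefix):
            return name
    m = re.match(r"\{(PLAIN|SHA|SSHA)\}", hashed)
    return m.group(1) if m else "unknown"

def verify_sha(hashed, password):
    """Check a {SHA} entry (base64 of unsalted SHA-1) in constant time."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(hashed[len("{SHA}"):], digest)

def audit(htpasswd_text):
    # One (user, scheme, nginx_ok, registry_ok) tuple per non-comment entry.
    rows = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        s = scheme(hashed)
        rows.append((user, s, s in NGINX_OK, s in REGISTRY_OK))
    return rows

# Constructed sample file: the bcrypt and apr1 values are made-up placeholders
# (only their shape matters here); the {SHA} entry is a real hash of "secret".
SAMPLE = "\n".join([
    "reguser:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "nginxuser:$apr1$Yp9KkTmQ$x0w5b3PbsVg7hOVB3IUuZ.",
    "shauser:{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode(),
])

if __name__ == "__main__":
    for user, s, nginx_ok, reg_ok in audit(SAMPLE):
        print(f"{user:10} {s:13} nginx={'yes' if nginx_ok else 'NO'} registry={'yes' if reg_ok else 'NO'}")
```

Run it against a real file with audit(open("/etc/nginx/htpasswd").read()): any entry that is not "yes" for the side that reads that file is one the corresponding service will reject.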

1 Answer

I still got no hint on how I could fix my problem. Hence I went with a workaround: I configured the firewall to forward the port directly to the machine running the registry. So I can connect from the outside to my registry using the domain name.

If anyone has an idea how to make it run using nginx I would appreciate an answer.

SWiggels