Description
Bug description
I've configured docker-registry-ui as shown in the "standalone" example with credentials. For information, docker-registry-ui is behind a reverse proxy (with its own Basic Auth, which works fine), and the docker registry is accessed directly via its https address (https://docker.mydomain.com:5000), and has Basic Auth configured too (directly handled by the docker registry docker container, no reverse proxy is used for the registry).
I have a weird problem. When accessing the web ui, the first request to /v2/_catalog gets a 401 error back from the registry docker container (and my docker container indeed logs an error : level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential".
But just after this request, another request is sent to the same URL, and this time it works (200 OK, and no basic auth error).
So I can see the list of my repositories and images. But if I click on one of them to get details, then I get CORS errors (even if CORS are correctly configured on my docker registry, as shown in your examples, and EVEN when using a browser extension to bypass CORS). The problem is that the preflight request gets a 401 Error back from the registry, for the exact same reason as before (level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential") and so the browser doesn't continue and spits this in the console:
Access to XMLHttpRequest at 'https://docker.mydomain:5000/v2/foo/bar/manifests/latest' from origin 'https://registry.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
It seems like Basic Auth credentials aren't sent in the requests, so I'm confused. It doesn't seem like a CORS configuration problem (the headers are here, and requests are sent by the browser). Rather, it seems like a problem with Basic Auth on the docker registry.
But any address I open directly in the browser (where I logged in with the basic auth credentials) work properly. Only the XHR requests sent by docker-registry-ui frontend get 401 errors.
How to Reproduce
See explanation above.
My docker-compose file
services:
registry:
restart: always
image: registry:2
container_name: registry
ports:
- 5000:5000
environment:
REGISTRY_HTTP_TLS_CERTIFICATE: REDACTED
REGISTRY_HTTP_TLS_KEY: REDACTED
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes:
- ./data:/var/lib/registry
- ./certs:/certs
- ./auth:/auth
- ./config.yml:/etc/docker/registry/config.yml
ui:
image: joxit/docker-registry-ui:latest
container_name: registry-web-ui
ports:
- 127.0.0.1:5100:80
environment:
- REGISTRY_TITLE=Private Docker Registry
- REGISTRY_URL=REDACTED
- SINGLE_REGISTRY=true
depends_on:
- registryMy private docker registry configuration
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Access-Control-Allow-Origin: ['https://registry.mydomain.com']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Credentials: [true]
Access-Control-Allow-Headers: ['Authorization', 'Accept']
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3Expected behavior
I shouldn't get 401 errors back from the docker registry container when the UI send requests to API endpoints (seems like it's not sending the proper Basic Auth headers like it should, except sometimes!?)
System information
- OS: Debian 11
- Docker registry UI:
- Version: latest
- Tools: docker-compose