Comments (12)
I had the same issue during my tests.
Can you please check the logs of the auth server and the registry itself?
In my case I wasn't using the same value for the issuer in both places. After fixing this I also had to delete my cookies to get rid of the token issued with the wrong issuer attribute.
My (working) config
# files/auth.yaml
server:
  addr: ":5001"
  certificate: "/server.pem"
  key: "/server.key"
token:
  issuer: "www.example.com" # Must match issuer in the Registry config.
  expiration: 900
users:
  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
  "test":
    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123
acl:
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."
  - match: {account: "test"}
    actions: ["pull"]
    comment: "User \"test\" can pull stuff."

# docker-compose.yaml
version: '3'
services:
  auth:
    image: cesanta/docker_auth:1
    command: --v=2 --alsologtostderr /auth.yaml
    volumes:
      - './files/auth.yaml:/auth.yaml:ro'
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '5001:5001'
  registry:
    image: registry:2
    environment:
      - 'REGISTRY_AUTH_TOKEN_REALM=https://10.8.6.252:5001/auth'
      - 'REGISTRY_AUTH_TOKEN_SERVICE=Docker registry'
      - 'REGISTRY_AUTH_TOKEN_ISSUER=www.example.com'
      - 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/server.pem'
      - 'REGISTRY_HTTP_TLS_CERTIFICATE=/server.pem'
      - 'REGISTRY_HTTP_TLS_KEY=/server.key'
    volumes:
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '5000:5000'
  frontend:
    image: klausmeyer/docker-registry-browser:latest
    environment:
      - 'DOCKER_REGISTRY_URL=https://registry:5000'
      - 'NO_SSL_VERIFICATION=true'
      - 'TOKEN_AUTH_USER=admin'
      - 'TOKEN_AUTH_PASSWORD=badmin'
      - 'SSL_CERT_PATH=/server.pem'
      - 'SSL_KEY_PATH=/server.key'
    volumes:
      - './files/server.pem:/server.pem:ro'
      - './files/server.key:/server.key:ro'
    ports:
      - '8443:8443'
from docker-registry-browser.
Thank you very much for your test and your answer! I finally set an account with full "*" access and added a basic auth in an nginx reverse proxy (the only thing I had to add in the nginx proxy was a Header set Authorization "" or it was going in a 302 loop). I will maybe report an issue on the auth GitHub project.
Cheers :)
from docker-registry-browser.
Looks like docker_auth project improved their OAuth2 compatibility by changing their token response from token attribute to access_token.
I'll push a fix to support both.
from docker-registry-browser.
@lp35 the fix is now available in latest tag.
Please let me know if it works for you. I'll then publish a new release.
from docker-registry-browser.
Hi,
Thanks for the quick reply. I've got the following error in my browser:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
Log from the docker-registry-browser container (it seems to loop for a few seconds, then the browser stops the request):
.
.
.
I, [2019-12-31T14:58:55.085320 #1] INFO -- request: GET https://MYDOMAIN.pro/v2/_catalog?n=100
D, [2019-12-31T14:58:55.085408 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjM1WDY6RVYyRjpYQ0JaOkNEWkM6WERXVjpJNEJVOldBVFU6UFM2RzpYSU1ZOk5DTkY6RE1aRjpFS0wyIn0.eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiZHh5eiIsImF1ZCI6IkRvY2tlciByZWdpc3RyeSIsImV4cCI6MTU3NzgwNTIzNSwibmJmIjoxNTc3ODA0MzI1LCJpYXQiOjE1Nzc4MDQzMzUsImp0aSI6IjIyNzIzMzAxOTEzMTAxNTM5NTYiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZWdpc3RyeSIsIm5hbWUiOiJjYXRhbG9nIiwiYWN0aW9ucyI6W119XX0.iQACWKf6jo4msxKRgiFFY5dKAnYc8_Rr90-jGqyiyoj88p1A9IxCK1eQGqj9YVPb9mqhfQt89z6uMfRlFdNGsP9NvgbMZxuTlTNt4jINbG9jss3O6eoL0PvCPLZywVSwAx9C1x36T0STX5vIxXSN26IYuYQGDZqo5siNybrBJ5wTuLaIWow5GOQ6C3cLA8XbOGSdBgYxEbu6BIqe34V7DyzN_OFWTK4qxmgCCBEWIiwinnAJqks2dYSyKx4zFhHi1Sx5zXRYQ27-ty-boJL92Q4vSjSylG3_Kt0wzWkLwpjCu_3RYBLyKF1hLdeuL4IqFjdKqAN0hbZO6kDRYvnIOw"
I, [2019-12-31T14:58:55.144107 #1] INFO -- request: GET https://MYDOMAIN.pro:5001/auth?client_id=docker-registry-browser&offline_token=true&scope=registry%3Acatalog%3A%2A&service=Docker+registry
D, [2019-12-31T14:58:55.144205 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Basic ZHh5ejpjcmF6eWFhbTM1NzAw"
I, [2019-12-31T14:58:55.213751 #1] INFO -- response: Status 200
D, [2019-12-31T14:58:55.213825 #1] DEBUG -- response: content-type: "application/json"
date: "Tue, 31 Dec 2019 14:58:55 GMT"
content-length: "761"
connection: "close"
I, [2019-12-31T14:58:55.214118 #1] INFO -- : [28dcb16e-f77f-4ee0-9f67-880735949860] Redirected to http://MYDOMAIN.pro:5004/
I, [2019-12-31T14:58:55.214237 #1] INFO -- : [28dcb16e-f77f-4ee0-9f67-880735949860] Completed 302 Found in 130ms (Allocations: 2484)
I, [2019-12-31T14:58:55.221062 #1] INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Started GET "/" for 192.168.124.51 at 2019-12-31 14:58:55 +0000
I, [2019-12-31T14:58:55.221927 #1] INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Processing by RepositoriesController#index as HTML
I, [2019-12-31T14:58:55.223343 #1] INFO -- request: GET https://MYDOMAIN.pro/v2/_catalog?n=100
D, [2019-12-31T14:58:55.223521 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjM1WDY6RVYyRjpYQ0JaOkNEWkM6WERXVjpJNEJVOldBVFU6UFM2RzpYSU1ZOk5DTkY6RE1aRjpFS0wyIn0.eyJpc3MiOiJBY21lIGF1dGggc2VydmVyIiwic3ViIjoiZHh5eiIsImF1ZCI6IkRvY2tlciByZWdpc3RyeSIsImV4cCI6MTU3NzgwNTIzNSwibmJmIjoxNTc3ODA0MzI1LCJpYXQiOjE1Nzc4MDQzMzUsImp0aSI6IjMwNDAwNzU1MzA5Mzk4Nzk4MTAiLCJhY2Nlc3MiOlt7InR5cGUiOiJyZWdpc3RyeSIsIm5hbWUiOiJjYXRhbG9nIiwiYWN0aW9ucyI6W119XX0.g0GeiRRtBck_HgfhC0mFzTlDX3EezNfF8DJWkdGc8E2sIA-rsai_CgN-eztb_kGdui5S0rqnMdpnoZvjq5kG19B8chEhg1Aq8Jj2VkseeyewkpV1PTwxr8P82MAoWg0K5v3dSo_fgoyPp0fZkuqGFYw_qWQoY0oYPDfG70onSjaSWGVpn4ujNh4DXREjSdqXvO-76cPtTUtnUNMc0rDVUA4AST96A0w0spCHcjdCSVMw8qj9O3WkbCXuPrCBRiLrrcGUenRmGI7l7U56fDLTlokj774KoCTABKIUCpMDC1zqN29Dc8LXfGibLdgRnwV0amnudfVyp3rKyF1BN18Bcw"
I, [2019-12-31T14:58:55.282025 #1] INFO -- request: GET https://MYDOMAIN.pro:5001/auth?client_id=docker-registry-browser&offline_token=true&scope=registry%3Acatalog%3A%2A&service=Docker+registry
D, [2019-12-31T14:58:55.282091 #1] DEBUG -- request: User-Agent: "Faraday v0.17.1"
Authorization: "Basic ZHh5ejpjcmF6eWFhbTM1NzAw"
I, [2019-12-31T14:58:55.346089 #1] INFO -- response: Status 200
D, [2019-12-31T14:58:55.346318 #1] DEBUG -- response: content-type: "application/json"
date: "Tue, 31 Dec 2019 14:58:55 GMT"
content-length: "761"
connection: "close"
I, [2019-12-31T14:58:55.346939 #1] INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Redirected to http://MYDOMAIN.pro:5004/
I, [2019-12-31T14:58:55.347103 #1] INFO -- : [9679fd35-80ce-4360-bd1a-b045f322f320] Completed 302 Found in 125ms (Allocations: 2496)
from docker-registry-browser.
It seems that I can browse a specific image, like http://MYDOMAIN:5004/repo/test_image/ but I cannot access the root of the website (getting the error above).
from docker-registry-browser.
Working like a charm. Thanks!
from docker-registry-browser.
Nice
from docker-registry-browser.
Hi there!
I think I have another bug: it seems that I cannot delete tags/images...
from docker-registry-browser.
Just to be sure: Did you enable that feature in the registry itself?
There's a setting for it: https://docs.docker.com/registry/configuration/#delete
Usually when this isn't activated you see in the frontend logs an HTTP 403 error returned from the registry's API.
Otherwise feel free to create a new issue for this topic
from docker-registry-browser.
Hi,
I'm also using cesanta/docker_auth, when I try to use the config that is in the example (https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml) :
  - match: {account: "/.+/", type: "registry", name: "catalog"}
    actions: ["*"]
    comment: "Logged in users can query the catalog."
My browser gets stuck in a 302 loop and the registry browser's output is filling up. It seems that the auth match (type: registry + name: catalog ?) does not let the registry browser get the catalog. The only way I could get this to work is to allow "*" on the account I use for the registry browser.
By any chance, do you know what is the setting to use in the docker_auth image's auth_config.yml to allow the browsing of the registry ?
from docker-registry-browser.
Hey,
I've just updated my test setup with that ACL and in my case I can successfully access the first page which is listing all the images. After clicking on an image I get the behaviour described by you (302 loop).
My supposition is that the ACL really just allows browsing the catalog (e.g. the /v2/_catalog endpoint) but then the permission to show the image details (e.g. /v2/{image}/tags/list) is missing.
As I'm not using the token based auth on my own I don't have enough experience to support with that ACL stuff - sorry.
Best Klaus
from docker-registry-browser.
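Both causes discussed in this thread, an issuer that differs between auth.yaml and REGISTRY_AUTH_TOKEN_ISSUER and an ACL that does not grant the requested scope, can be read from the claims of the token the auth server returns. The following is an added example, not code from docker-registry-browser or docker_auth: it decodes a token payload without verifying the signature (diagnosis only) and compares it with the expected issuer, service and scope. The function names and the two sample tokens are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def diagnose(token, issuer, service, scope):
    """List reasons a registry configured with issuer/service would refuse scope."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != registry issuer {issuer!r}")
    if claims.get("aud") != service:
        problems.append(f"aud {claims.get('aud')!r} != registry service {service!r}")
    # Scope is type:name:action; the name may itself contain colons (host:port/image).
    rtype, rest = scope.split(":", 1)
    name, action = rest.rsplit(":", 1)
    granted = set()
    for entry in claims.get("access", []):
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions", []))
    # A granted "*" is treated here as covering any requested action.
    if action not in granted and "*" not in granted:
        problems.append(f"scope {scope!r} not granted (actions: {sorted(granted)})")
    return problems

def sample_token(claims):
    # Constructed, unsigned sample; real tokens are signed by the auth server.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

BAD_TOKEN = sample_token({"iss": "auth.example.test", "aud": "Docker registry",
    "access": [{"type": "registry", "name": "catalog", "actions": []}]})
GOOD_TOKEN = sample_token({"iss": "www.example.com", "aud": "Docker registry",
    "access": [{"type": "registry", "name": "catalog", "actions": ["*"]}]})

if __name__ == "__main__":
    for label, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(label, diagnose(tok, "www.example.com", "Docker registry", "registry:catalog:*"))
```

An empty `actions` list for the requested resource means the auth server authenticated the user but its ACL granted nothing for that scope, so the registry keeps answering 401 and the client keeps asking for a new token.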