Docker Registry behind HAProxy not working properly

I have configured Docker Registry using htpasswd authentication as a Docker service. I use a port mapping 443:5000 and it works perfectly. "docker login :443" works, "docker pull <mydomain:433/myimage" works.

The container service looks like this:

myhub:
    image: myhub
    ports:
        - "443:5000"
    environment:
        - REGISTRY_HTTP_ADDR=0.0.0.0:5000
        - REGISTRY_HTTP_TLS_KEY=/certs/efimeridopolis.privkey.pem
        - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/efimeridopolis.fullchain.pem
        - REGISTRY_AUTH=htpasswd
        - REGISTRY_AUTH_HTPASSWD_REALM='Registry Realm'
        - REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.htpasswd
    volumes:
        - /mnt/volume1/hub:/var/lib/registry
    networks:
        - myoverlay

Now, I try to put it behind HAProxy. SSL is terminated at HAProxy, so the service looks like:

myhub:
    image: myhub
    environment:
        - REGISTRY_HTTP_ADDR=0.0.0.0:5000
        - REGISTRY_AUTH=htpasswd
        - REGISTRY_AUTH_HTPASSWD_REALM='Registry Realm'
        - REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.htpasswd
    volumes:
        - /mnt/volume1/hub:/var/lib/registry
    networks:
        - myoverlay

and the relevant part of HAProxy configuration is:

frontend fe_443
  mode http
  bind *:443 ssl crt /etc/ssl/private/mydomain.pem
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  acl host_registry hdr(host) -i hub.mydomain
  use_backend be_registry_443 if host_registry

backend be_registry_443
  mode http
  option forwardfor
  server hub1 myhub:5000 check

It seems something is going wrong here. While accessing

https://hub.mydomain/v2/_catalog

through a browser works, which means I am asked for a username/password and then I get the list of repositories, when I try to use the console to:

$ docker pull hub.mydomain:443/v2/myhaproxy

it gives me:

Using default tag: latest
Error response from daemon: received unexpected HTTP status: 503 Service Unavailable

The same when I try:

$ docker login mydomain:443

I am asked for a username and password but then I get the same 503 message.

Since the browser can list the repositories, I know the registry is online and accessible.

What is wrong?



Solution 1:[1]

https (port 443) should be in tcp mode, using req.ssl_sni instead of hdr(host).
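The change this answer describes, sketched as an added example (not part of the original answer or the asker's configuration): the frontend runs in tcp mode and routes on the TLS SNI value. It assumes TLS is passed through to the registry, which then needs the REGISTRY_HTTP_TLS_* settings from the first service definition, because the bind line no longer terminates SSL.

```haproxy
# Added example: SNI-based routing in tcp mode (TLS passthrough).
# Names (fe_443, be_registry_443, hub1, myhub, hub.mydomain) are taken from
# the question; the 5s inspect delay is an assumed value.

frontend fe_443
  mode tcp
  # No "ssl crt ..." here: HAProxy forwards the encrypted stream untouched,
  # so the certificate and key must be configured on the registry itself.
  bind *:443

  # Wait for the TLS ClientHello so the SNI field can be read.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }

  # hdr(host) is not usable in this mode: the HTTP headers are still
  # encrypted when the routing decision is made.
  acl host_registry req.ssl_sni -i hub.mydomain
  use_backend be_registry_443 if host_registry

backend be_registry_443
  mode tcp
  # "option forwardfor" and X-Forwarded-Proto are HTTP-mode features and
  # are dropped, since HAProxy never sees the decrypted request.
  server hub1 myhub:5000 check
```

With passthrough, htpasswd credentials travel end to end inside the TLS session and HAProxy never sees them in clear text, but it also cannot log or filter individual HTTP requests for this host.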

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1