The proxy refused to connect to a registry that was hosted on
a port other than 443. For example, I was not able to connect
to my registry that is hosted on port 5002:
$ https_proxy=proxy.lab.example.com:3128 curl -v https://registry.lab.example.com:5002
* Uses proxy env variable https_proxy == 'proxy.lab.example.com:3128'
* Trying 192.168.140.1:3128...
* Connected to proxy.lab.example.com (192.168.140.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to registry.lab.example.com:5002
> CONNECT registry.lab.example.com:5002 HTTP/1.1
> Host: registry.lab.example.com:5002
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.20.1
< Date: Thu, 11 Aug 2022 15:12:23 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive
<
* Received HTTP code 403 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 403 from proxy after CONNECT
The proxy refused to pass through connections to URLs that used
port other than 443. For example, trying to connect to port 8443:
$ https_proxy=proxy.lab.example.com:3128 curl -v https://google.com:8443
* Uses proxy env variable https_proxy == 'proxy.lab.example.com:3128'
* Trying 192.168.140.1:3128...
* Connected to proxy.lab.example.com (192.168.140.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to google.com:8443
> CONNECT google.com:8443 HTTP/1.1
> Host: google.com:8443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.20.1
< Date: Thu, 11 Aug 2022 16:05:52 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive
<
* Received HTTP code 403 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 403 from proxy after CONNECT
This commit fixes the issue by configuring the proxy_connect_allow
paramater to allow connecting to any destination port number. By
default only port 443 and 563 were allowed. See also documentation
here:
https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_allow
If push is allowed, buffering requests can cause issues on slow upstreams.
The put requests pile up, and since `proxy_ignore_client_abort` is on...
...the push fails.
If you have trouble pushing, set `PROXY_REQUEST_BUFFERING`to false, then fix
remainig issues/timeouts.
Default is true to not change default behavior.
* implement manifest caching; refactor config with includes, and generate from ENVs in entrypoint.sh
- disabled by default; enable with -e ENABLE_MANIFEST_CACHE=true
- default times and regexes are a wild guess, make sure to tune for your use case.
- add manifest caching/anti-ratelimit usage note to README
- add -e ENABLE_MANIFEST_CACHE=true to examples, some wording changes
- add -e ENABLE_MANIFEST_CACHE=true to one the steps in test workflow.
- injects a mitmproxy between the caching layer and DockerHub's registry-1.docker.io
- it also disables VERIFY_SSL so the mitmproxy can be used;
- DEBUG_HUB's mitmweb is exposed on port 8082
- both DEBUG and DEBUG_HUB can be enabled independently
Cache immutable URLs and handle outages
1. Changes the blob cache to only cache by digest
2. Adds caching for manifests requested by digest
3. Cache but invalidate immediately (after 1s) mutable requests
4. Use invalidated cache (from 3) if the backend is down or 403 unauthorized
- now only /v2/.../blobs/... URIs are actually cached (together with their redirect catchers)
- /manifests/, /token, and /v2/ are not cached anymore, which should solve a lot of problems
- better messages for /v1 attempts
- fix usage of $connect_host:443 (which is hostname:port and causes errors to be logged) to $connect_addr (which returns an IP:port) in the proxy layer
Ales Nosek
saces
Mateusz Kowalski
Sezer Bülent
Federico Gimenez
Ricardo Pardini
naftulee
Brian Goff
ricardop
Ruud Kamphuis
Jonathan Giannuzzi
Sebastián Ramírez
Stan Yagolnitser