Registry access with basic auth #254

Closed
wrosenauer opened this issue May 30, 2022 · 8 comments

@wrosenauer

I'm not sure if there is any bug or I just don't get the documentation right.
Trying to run docker-registry-ui 2.2.1 against a self hosted docker registry on k3s.
Both the registry and the registry-ui are behind Traefik with basic auth (same credentials).

From documentation and comments here and there this should be supported but I don't get it to work.

My (k3s) configs are:

for registry-ui: (registry-ui.k3s.example.net)
    - name: REGISTRY_TITLE
      value: "Docker Registry UI"
    - name: DELETE_IMAGES
      value: "true"
    - name: SINGLE_REGISTRY
      value: "true"
    - name: REGISTRY_URL
      value: "https://registry.k3s.example.net"

registry.k3s.example.net Traefik/Middleware config:
    headers:
      accessControlAllowMethods:
        - GET
        - OPTIONS
        - PUT
        - POST
        - DELETE
        - HEAD
      accessControlAllowHeaders:
        - Accept
        - Authorization
      accessControlAllowOriginList:
        - https://registry-ui.k3s.example.net
      accessControlAllowCredentials: true
      accessControlMaxAge: 100
      addVaryHeader: true

Now in the browser I see an XHR request to registry.k3s.example.net which fails with 401 Unauthorized.
The browser console then tells me:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://registry.k3s.example.net/v2/_catalog?n=100000. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 401.

Is this expected? Which config did I miss?

@Joxit
Owner

Joxit commented May 30, 2022

Hi there, thank you for using my project 😄

If it's the OPTIONS request that returns a 401 status code, this may be caused by a docker registry issue, see this comment #104 (comment)

You will need to bypass the misconfiguration with Traefik and return 200 on every OPTIONS request.

@wrosenauer
Author

The first request fired against the registry is a
GET https://registry.k3s.example.net/v2/_catalog?n=100000
which gets a 401 already.

@Joxit
Owner

Joxit commented May 30, 2022

Yes, this is normal since you have basic auth.
The second request should be an OPTIONS because you are on a different domain name with a credential (basic auth). The OPTIONS must return a status 200 with all required headers: Access-Control-Allow-Origin/Methods etc...
Then the UI will ask for your credentials...

Please read the thread linked below and check if it's also your case.
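
The preflight rules described in the comment above, as an added example that is not part of the original thread or of the project's code. The function name `checkPreflight`, the request shape and both sample responses are constructed for illustration; the header-safelist handling is simplified.

```javascript
// Simplified CORS-preflight check for a credentialed request (Fetch spec rules).
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
// Treated here as never needing an Access-Control-Allow-Headers entry (simplification).
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

// req: {origin, method, headers[]}; res: {status, headers{}} with lowercase names.
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers;
  if (res.status < 200 || res.status > 299) {
    problems.push(`preflight status ${res.status} is not 2xx`);
  }
  // With credentials the origin must match exactly; "*" is not accepted.
  if (h["access-control-allow-origin"] !== req.origin) {
    problems.push("Access-Control-Allow-Origin missing or not the page origin");
  }
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method.toLowerCase())) {
    problems.push(`method ${req.method} not in Access-Control-Allow-Methods`);
  }
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (!SAFE_HEADERS.has(name) && !allowed.includes(name)) {
      problems.push(`header ${name} not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// Constructed sample data, using the host names from the thread.
const UI = "https://registry-ui.k3s.example.net";
const del = { origin: UI, method: "DELETE", headers: ["Accept", "Authorization"] };
const rejected = { status: 401, headers: {} }; // proxy demands auth on OPTIONS
const accepted = {
  status: 200,
  headers: {
    "access-control-allow-origin": UI,
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET,OPTIONS,PUT,POST,DELETE,HEAD",
    "access-control-allow-headers": "Accept,Authorization",
  },
};
console.log(checkPreflight(del, rejected)); // every rule fails
console.log(checkPreflight(del, accepted)); // no problems
```

Paste the status and response headers of the OPTIONS request from the browser's network tab into `res` to see which rule a given proxy configuration breaks.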

@wrosenauer
Author

Unless Firefox' browser console is useless I don't think that is my actual problem.
There is no second request to the registry visible at all, neither in the console nor in the network tab of the devtools.

@Joxit
Owner

Joxit commented May 30, 2022

I will need the content of the response, request headers and response headers

@laggage

laggage commented Jun 16, 2022

Seems to have the same problem. After reading #104 (comment), I added the following config to nginx and everything works properly:

location / {

+        if ($request_method = 'OPTIONS') {
+           add_header Access-Control-Allow-Origin https://<your_registry_domain>;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+            #
+            # Custom headers and headers various browsers *should* be OK with but aren't
+            #
+            add_header 'Access-Control-Allow-Headers' 'Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+            #
+            # Tell client that this pre-flight info is valid for 20 days
+            #
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain; charset=utf-8';
+            add_header 'Content-Length' 0;
+            add_header Access-Control-Allow-Credentials true;
+            return 204;
+        }

        ....
}
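
Review bot: the Access-Control-Allow-Methods line lists only GET, POST, OPTIONS, so a browser will reject the preflight for a DELETE request, and the UI configuration earlier in this thread sets DELETE_IMAGES to "true"; add DELETE (and PUT if it is used) to match the method list in the Traefik middleware above. The Access-Control-Allow-Headers line also leaves out Authorization, which the Traefik middleware in this thread allows; a request that sets that header itself would fail the preflight. Because Access-Control-Allow-Credentials is true, the Access-Control-Allow-Origin value has to be the exact origin of the page making the request (the UI), so the placeholder <your_registry_domain> would be clearer if it named the UI's origin.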

@Joxit
Owner

Joxit commented Jun 19, 2022

Hi, thank you for your feedback, I hope this helps @wrosenauer

@Joxit
Owner

Joxit commented Oct 21, 2022

Hi, I'm closing this issue due to inactivity.

Joxit closed this as completed Oct 21, 2022