Issue with SBOM generation in Harbor v2.11.0 when using external Reverse Proxy (HTTP 404) #20565

Closed
omaster395464gh opened this issue Jun 9, 2024 · 1 comment · Fixed by #20575


omaster395464gh commented Jun 9, 2024

Issue:
The new SBOM generation feature in version 2.11.0 uses the external URL, leading to 404 errors due to the reverse proxy configuration.

Suggested Fix:
I recommend that the internal server name be used for SBOM uploads like other internal communications to avoid this issue. This would ensure consistency and prevent misdirected requests that result in 404 errors (and connection failures when calling external services).

Question:
Is there a way to configure Harbor to use the container internal server name instead of the external URL when uploading SBOM results?

Thank you for your great work and for looking into this issue. I appreciate any guidance or updates you can provide.

Best regards,
Oliver


My configuration:

```
User Access --> https://myrepo.example.com (HTTPS)
|
External Nginx Reverse Proxy --> https://internalserver.example.local (HTTPS)
|
Harbor by docker compose
```

In version 2.10.x, everything functions as expected, including upload of vulnerability scans.
However, in version 2.11.x, the new SBOM generation feature seems to be mistakenly using the external URL (https://myrepo.example.com) for internal communications. This misconfiguration leads to a situation where the external reverse proxy only returns HTTP 404 when accessed from the internal network.

docker compose logs

```
harbor-jobservice  | 2024-06-09T13:20:26Z [ERROR] [/pkg/scan/sbom/sbom.go:108]: error when create accessory from image GET https://myrepo.example.com/v2/: unexpected status code 404 Not Found: <html>
harbor-jobservice  | <head><title>404 Not Found</title></head>
harbor-jobservice  | <body>
harbor-jobservice  | <center><h1>404 Not Found</h1></center>
harbor-jobservice  | <hr><center>nginx</center>
harbor-jobservice  | </body>
harbor-jobservice  | </html>
harbor-jobservice  | 2024-06-09T13:20:26Z [ERROR] [/pkg/scan/job.go:307]: Failed to convert vulnerability data to new schema for report 08c76d25-a6e4-4c5c-bc45-1e01260cc224, error GET https://myrepo.example.com/v2/: unexpected status code 404 Not Found: <html>
harbor-jobservice  | <head><title>404 Not Found</title></head>
harbor-jobservice  | <body>
harbor-jobservice  | <center><h1>404 Not Found</h1></center>
harbor-jobservice  | <hr><center>nginx</center>
harbor-jobservice  | </body>
harbor-jobservice  | </html>
harbor-jobservice  | 2024-06-09T13:20:26Z [ERROR] [/jobservice/runner/redis.go:123]: Job 'IMAGE_SCAN:6c49933c8512c5f47b6739c7' exit with error: run error: GET https://myrepo.example.com/v2/: unexpected status code 404 Not Found: <html>
harbor-jobservice  | <head><title>404 Not Found</title></head>
harbor-jobservice  | <body>
harbor-jobservice  | <center><h1>404 Not Found</h1></center>
harbor-jobservice  | <hr><center>nginx</center>
harbor-jobservice  | </body>
harbor-jobservice  | </html>
```

harbor.yml

```yaml
hostname: myrepo.example.com
http:
  port: 80
https:
  port: 443
  certificate: /root/owa/harbor_install/harbor/data/cert/internalserver.example.local.crt
  private_key: /root/owa/harbor_install/harbor/data/cert/internalserver.example.local.key

# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true

# external_url: https://myrepo.example.com:443
# test only
# external_url: https://nginx:8443
```

I tried to switch my configuration to external_url: https://nginx:8443 and the sbom upload is working, but docker pull from https://myrepo.example.com failed with dial tcp: lookup nginx on ...: server misbehaving

Contributor

stonezdj commented Jun 11, 2024

To solve this issue, sbom.go should use the internal URL to generate the SBOM. The internal URL always starts with http://core:8080, and the accessory upload function fails to validate the reference if it contains http:// or https://. We need to remove it.
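
The scheme handling described in the comment above, as an added Go example that is not Harbor's code: it derives a scheme-less push reference from a registry URL and records separately whether the client must speak plain HTTP, so that decision is tied to the internal host rather than applied globally. `refPattern` is a simplified stand-in for the reference validator, and the function names, repository and digest are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// refPattern is a simplified stand-in for an OCI reference check:
// host[:port]/repository@sha256:<64 hex>. It is not Harbor's validator.
var refPattern = regexp.MustCompile(`^[a-z0-9.-]+(:[0-9]+)?/[a-z0-9._/-]+@sha256:[a-f0-9]{64}$`)

// registryHost strips the scheme from a registry URL and reports whether
// the client must use plain HTTP to reach it.
func registryHost(rawURL string) (host string, plainHTTP bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false, err
	}
	if u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", false, fmt.Errorf("not an http(s) registry URL: %q", rawURL)
	}
	return u.Host, u.Scheme == "http", nil
}

// accessoryRef builds the reference used to push an accessory (e.g. an SBOM).
func accessoryRef(registryURL, repo, digest string) (string, bool, error) {
	host, plainHTTP, err := registryHost(registryURL)
	if err != nil {
		return "", false, err
	}
	ref := host + "/" + strings.Trim(repo, "/") + "@" + digest
	if !refPattern.MatchString(ref) {
		return "", false, fmt.Errorf("invalid reference: %q", ref)
	}
	return ref, plainHTTP, nil
}

func main() {
	digest := "sha256:" + strings.Repeat("ab", 32) // constructed sample digest
	ref, plain, err := accessoryRef("http://core:8080", "library/nginx", digest)
	fmt.Println(ref, plain, err)
	// Passing the URL as-is (scheme included) is what the validator rejects.
	fmt.Println(refPattern.MatchString("http://core:8080/library/nginx@" + digest))
}
```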

stonezdj added a commit to stonezdj/harbor that referenced this issue Jun 11, 2024
fixes goharbor#20565

Signed-off-by: stonezdj <stone.zhang@broadcom.com>
stonezdj added a commit that referenced this issue Jun 13, 2024
…20581)

Use internal registry url to push artifact accessory

  fixes #20565

Signed-off-by: stonezdj <stone.zhang@broadcom.com>
stonezdj added a commit that referenced this issue Jun 14, 2024
fixes #20565

Signed-off-by: stonezdj <stone.zhang@broadcom.com>
chlins pushed a commit to chlins/harbor that referenced this issue Jun 17, 2024
fixes goharbor#20565

Signed-off-by: stonezdj <stone.zhang@broadcom.com>