Reverse Proxy "subpath" request

[mschiessl]

Hi,

i am running the registry browser behind a nginx reverse proxy (to follow the architecture, do TLS & auth). Sadly i can not pass through on a dedicated port so i have to use a shared domain like admin.mybox.com and rely on the routes like admin.mybox.com/jenkins or admin.mybox.com/registry-browser/

I am pretty sure i set everything so it should work as expected but once i hit the route for docker-registry-browser, i immideately get a redirect (301) to "wrong" route like:
admin.mybox.com/repo/ which is not redirected within nginx.

For most tools i've seen yet, i need to tell them the route they run within, since they expect to run at /.

Could you please add config option for the route/path the secript wiil run under so the redirects will not fire into nowhere ? I know this might be an edgy one but i hope it will also not be a big one to fix -D

cheers
Mike

[klausmeyer]

Hi Mike,

let's try something :)

The Framework I'm using for this app allows to configure a subfolder it's running under.
Can you try setting RAILS_RELATIVE_URL_ROOT to /registry-browser?

For example:

docker run [...] -e RAILS_RELATIVE_URL_ROOT="/registry-browser" [...] klausmeyer/docker-registry-browser:latest

Maybe this already helps.

Best, Klaus

[mschiessl]

Hi Klaus,
thanks for the lightspeed - reply

just tried with
-e RAILS_RELATIVE_URL_ROOT="/registry-browser/" and

-e RAILS_RELATIVE_URL_ROOT="/registry-browser"

without success - ill gonna minimize my nginx config tomorrow and see if i can strip the /registry-browser/ piece totally out.
gonna report back once i've got some idea on how to solve this through nginx $magic :D

best
Mike

[mschiessl]

Ok, here's what i got so far:

Function
It is running now so far, only things "not" working:

• home buttons (can not substitute /)
• Deletion (throws error

Docker Start script

 sudo docker run -d  -p 127.0.0.1:5001:8080 \
                                      --name sj-docreg-browser \
                                      -e DOCKER_REGISTRY_URL=https://127.0.0.1:5000 \
                                      -e NO_SSL_VERIFICATION=true \
                                      -e BASIC_AUTH_USER=myuser \
                                      -e BASIC_AUTH_PASSWORD=mypass\
                                      -e ENABLE_DELETE_IMAGES=true \
                                      -e RAILS_RELATIVE_URL_ROOT="/docker-browser/" \
                                      --rm \
                                      klausmeyer/docker-registry-browser

NGINX CONF

      location /docker-browser {
              proxy_pass         http://127.0.0.1:5001/;

              proxy_set_header   Host                   $host;
              proxy_set_header   X-Real-IP              $remote_addr;
              proxy_set_header   X-Forwarded-For        $proxy_add_x_forwarded_for;
              proxy_set_header   X-Forwarded-Proto      https;
              proxy_set_header Authorization "";

              proxy_redirect     off;
              sub_filter_types *;
              sub_filter_once off;
              sub_filter "/repo/" "/docker-browser/repo/";
        }

But thats sufficient for now, i got what i needed ;)

FYI:
If i remove the line -e RAILS_RELATIVE_URL_ROOT="/docker-browser/" \ from startup, it is NOT working.
normale the sub_filter magic should not be needed at all, if the application behind understands the relative url rool properly.

best regards
mike

[klausmeyer]

Thx for your feedback. I did a bit of research and experimenting and the result looks promising.
The 1edd33f commit should fix the home button issue and when I add another ENV variable called SCRIPT_NAME to my docker browser instance the generated links look fine and I don't need any of the filters in nginx:

-e SCRIPT_NAME="/docker-browser" \
-e RAILS_RELATIVE_URL_ROOT="/docker-browser"

I didn't check the delete functionality but maybe you can give it a try and see if it's working for you.
Please note that it might take a while until a new latest tag is auto-built on Docker Hub.

[mschiessl]

Hi Klaus,

thanks for the great work !.
I can confirm it is working now without nginx magic and adding the above two lines to the start line.

Unfortunately, the "Delete tag" does not work, giving me an error 500
But this one is not mission critical since i personally do not need it right now but happy to give you some debug output.

as shown above, the X-Forwarded-Proto is set

Erorr Message

We're sorry, but something went wrong.
If you are the application owner check the logs for more information

Resp. headers

HTTP/1.1 500 Internal Server Error
Server: nginx
Date: Sat, 27 Apr 2019 12:19:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1635
Connection: keep-alive
X-Request-Id: cbca9b15-f23a-45d8-9977-b8b23ef8348d
X-Runtime: 0.110318

The error is the following in the logs

I, [2019-04-27T12:19:42.754304 #1]  INFO -- request: DELETE https://127.0.0.1:5000/v2/myrepo/manifests/sha256:someshahash
D, [2019-04-27T12:19:42.754358 #1] DEBUG -- request: User-Agent: "Faraday v0.15.4"
Authorization: "Basic BasicAuthTokenj"
I, [2019-04-27T12:19:42.788226 #1]  INFO -- : [cbca9b15-f23a-45d8-9977-b8b23ef8348d] Completed 500 Internal Server Error in 107ms
F, [2019-04-27T12:19:42.789198 #1] FATAL -- : [cbca9b15-f23a-45d8-9977-b8b23ef8348d]
F, [2019-04-27T12:19:42.789264 #1] FATAL -- : [cbca9b15-f23a-45d8-9977-b8b23ef8348d] Faraday::ClientError (the server responded with status 405):
F, [2019-04-27T12:19:42.789323 #1] FATAL -- : [cbca9b15-f23a-45d8-9977-b8b23ef8348d]
F, [2019-04-27T12:19:42.789396 #1] FATAL -- : [cbca9b15-f23a-45d8-9977-b8b23ef8348d] app/models/tag.rb:37:in `delete'
[cbca9b15-f23a-45d8-9977-b8b23ef8348d] app/controllers/tags_controller.rb:10:in `destroy'

[klausmeyer]

Ok. The message "Faraday::ClientError (the server responded with status 405)" indicates that in the registry backend itself the deletion isn't enabled.

Just set REGISTRY_STORAGE_DELETE_ENABLED=true on the registry itself (not the browser).

[mschiessl]

Bloody mother of ... thanks for pointing it to a blind man ...

The tag latest has been deleted.

[klausmeyer]

🎉 So everything is working fine now?

[mschiessl]

🎉 So everything is working fine now?

Yes brilliant !!! Thank you very much !
and now a simple proxy_pass http://127.0.0.1:5001/ in nginx works like a charm !
I think the last / in the proxy_pass matters

[willhoyle]

Just had the same issue and can confirm setting the environment var: RAILS_RELATIVE_URL_ROOT to the subpath works! Should this be added to the README?

[klausmeyer]

@willhoyle think that's a good idea. Would you like to send a PR for it?

[willhoyle]

Sure, here it is: #209