[BUG]: Cosmos-server redirecting Gitea container registry endpoint

[umer936]

What happened?

I have Gitea with a URL as a ServApp in Cosmos, which is also happily passing in my HTTPS certs (*.[system-name].[org-name].edu). All works well with the web GUI.

But when attempt to use the container registry API, cosmos takes the request and does not pass it through - instead trying to get me to login.

Here's my config for it

With the "Authentication Required" option set to false, I get the following:

$ wget https://[system-name].[org-name].edu:3000/v2/_catalog
--2024-07-05 10:31:51--  https://[system-name].[org-name].edu:3000/v2/_catalog
Resolving [system-name].[org-name].edu ([system-name].[org-name].edu)... [system-ip-addr]
Connecting to [system-name].[org-name].edu ([system-name].[org-name].edu)|[system-ip-addr]|:3000... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

With the "Authentication Required" option set to true, I get the following:

$ wget https://[system-name].[org-name].edu:3000/v2/_catalog
--2024-07-05 10:39:28--  https://[system-name].[org-name]:3000/v2/_catalog
Resolving [system-name].[org-name].edu ([system-name].[org-name].edu)... [system-ip-addr]
Connecting to [system-name].[org-name].edu ([system-name].[org-name].edu)|[system-ip-addr]|:3000... connected.
HTTP request sent, awaiting response... 302 Found
Location: /cosmos-ui/login?notlogged=1&redirect=/v2/_catalog [following]
--2024-07-05 10:39:28--  https://[system-name].[org-name].edu:3000/cosmos-ui/login?notlogged=1&redirect=/v2/_catalog
Reusing existing connection to [system-name].[org-name]:3000.
HTTP request sent, awaiting response... 200 OK
Length: 674 [text/html]
Saving to: ‘_catalog’

_catalog                  100%[===========================================>]     674  --.-KB/s    in 0s

2024-07-05 10:39:28 (11.9 MB/s) - ‘_catalog’ saved [674/674]

Other url endpoints work correctly, e.g.:

$ wget https://[system-name].[org-name].edu:3000/admin
--2024-07-05 10:31:22--  https://[system-name].[org-name].edu:3000/admin
Resolving [system-name].[org-name].edu ([system-name].[org-name].edu)... [system-ip-addr]
Connecting to [system-name].[org-name].edu ([system-name].[org-name].edu)|[system-ip-addr]|:3000... connected.
HTTP request sent, awaiting response... 303 See Other
Location: /user/login [following]
--2024-07-05 10:31:23--  https://[system-name].[org-name].edu:3000/user/login
Reusing existing connection to [system-name].[org-name].edu:3000.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘admin’

admin                           [ <=>                                        ]  11.05K  --.-KB/s    in 0.001s

2024-07-05 10:31:23 (7.64 MB/s) - ‘admin’ saved [11312]

the saved file is the HTML of the Gitea login page, which is correct.

What should have happened?

When I try to hit the Gitea container registry endpoints, I should be able to do so. It's as if /v2/ or other paths are not being passed through to the container.

How to reproduce the bug?

See above.

Relevant log output

No response

Other details

No response

System details

• OS: Rocky Linux
• Browser: Bash
• Version: Cosmos 0.15.7

[azukaar]

Disable Cosmos authentication on the Gitea URL

[umer936]

Is that not what I did in this part? Am I overlooking a different setting? With the "Authentication Required" option set to false, I get the following:

[azukaar]

Ah I see, sorry overlooked that part. The thing is, this is Gitea's API, not Cosmos telling you you are failing to authenticate

[umer936]

After much debugging, I agree with that. I think it's due to not passing in the Host and X-Referrer headers as putting in the HTTPS certs into Gitea and not having Cosmos-Server as the reverse proxy allowed the requests.

Additionally, thank you so much for Cosmos. It's the only tool that allows us to patch in certs in our setup. Also the GUI is extremely helpful. I aim to contribute to the docs and more in the coming months.