cesanta / docker_auth

Authentication server for Docker Registry 2
Apache License 2.0

Fix regexp parsing IPv6 without port indication in remote_addr #318

Closed nemunaire closed 3 years ago

nemunaire commented 3 years ago

Hi!

Thanks for your awesome project!

I tried to use this project in an IPv6 infra, behind a reverse proxy and I got the following response from the auth server:

Bad request: unable to parse remote addr 2a01:x:x:x:x:x:x:x

Leading to:

$ docker pull registry.example.com/hello-world
Using default tag: latest
Error response from daemon: Head "https://registry.example.com/v2/hello-world/manifests/latest": error parsing HTTP 400 response body: invalid character 'B' looking for beginning of value: "Bad request: unable to parse remote addr 2a01:x:x:x:x:x:x:x\n"

My nginx is configured this way:

proxy_pass          http://127.0.0.1:5001;
proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;

And my YAML looks like this:

server:
    real_ip_header: "X-Forwarded-For"

With this PR, I fix the regexp that causes the trouble. In fact, the regexp intended to pick 2a01:cafe:cafe::beef from [2a01:cafe:cafe::beef]:4242 was also activated by every single IPv6 without port indication (as [ and ] were optional), leading to an invalid IPv6, because 2a01:cafe:cafe::beef was replaced by 2a01:cafe:cafe: and so on.

By requiring [ and ] to not be optional, if the text doesn't match the regexp, no replacement is made, and the IPv6 is then kept valid.
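The failure mode described above, as an added example that is not part of the original PR or of docker_auth's code: both patterns are hypothetical reconstructions from the description, the sample addresses are constructed, and `hostOnly` goes one step further by showing a regexp-free alternative built on `net.SplitHostPort` with the result validated by `net.ParseIP`.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Hypothetical patterns reconstructed from the PR description; they are
// not copied from docker_auth. Both are meant to drop a trailing ":port".
// The simplified "required" pattern only covers the bracketed form.
var (
	optionalBrackets = regexp.MustCompile(`^\[?(.+?)\]?:\d+$`) // "[" and "]" optional
	requiredBrackets = regexp.MustCompile(`^\[(.+)\]:\d+$`)    // "[" and "]" mandatory
)

// stripPort returns the captured host when re matches addr, and addr
// unchanged when it does not (ReplaceAllString leaves non-matches alone).
func stripPort(re *regexp.Regexp, addr string) string {
	return re.ReplaceAllString(addr, "$1")
}

// hostOnly is a regexp-free alternative: net.SplitHostPort understands
// "[v6]:port" and "v4:port" and returns an error for a bare address, in
// which case the input is used as is. The result must parse as an IP.
func hostOnly(addr string) (net.IP, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("unable to parse remote addr %q", addr)
	}
	return ip, nil
}

func main() {
	// Constructed samples: the PR's bracketed form plus documentation prefixes.
	for _, addr := range []string{"[2a01:cafe:cafe::beef]:4242", "2001:db8::42", "192.0.2.10:5001"} {
		weak, fixed := stripPort(optionalBrackets, addr), stripPort(requiredBrackets, addr)
		ip, err := hostOnly(addr)
		fmt.Printf("%-28s optional=%q valid=%t required=%q valid=%t hostOnly=%v err=%v\n",
			addr, weak, net.ParseIP(weak) != nil, fixed, net.ParseIP(fixed) != nil, ip, err)
	}
}
```

With optional brackets, the last group of a bare IPv6 address is consumed as if it were a port, so the value handed to the IP parser is no longer an address; validating the extracted host with `net.ParseIP` before it reaches any IP-based rule turns that into an explicit error.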