rpardini / docker-registry-proxy

An HTTPS Proxy for Docker providing centralized configuration and caching of any registry (quay.io, DockerHub, k8s.gcr.io)
Apache License 2.0

TLSv1.3 support #123

Open cyd01 opened 2 years ago

cyd01 commented 2 years ago

I use a private docker repository that uses the TLS v1.3 protocol only (for security purposes). Prior versions were disabled.
It seems version v1.3 is not enabled in nginx:

2022/01/03 08:01:53 [error] 79#79: *37 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /v2/mocks/apisprout/manifests/latest HTTP/1.1", upstream: "https://192.168.0.16:443/v2/mocks/apisprout/manifests/latest", host: "my.repos.io"
{"access_time":"03/Jan/2022:08:01:53 +0000","upstream_cache_status":"MISS","method":"GET","uri":"/v2/mocks/apisprout/manifests/latest","request_type":"manifest-default","status":"502","bytes_sent":"157","upstream_response_time":"0.044","host":"my.repos.io","proxy_host":"my.repos.io","upstream":"192.168.0.16:443"}

How can I enable it?
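A small triage script, added here as an example and not code from the project or from anyone in this thread, that reads the two log lines above (the nginx error line and the JSON access-log entry), decodes the "SSL alert number" into its TLS alert name, and ties the resulting 502 back to the upstream that rejected the handshake, so a protocol-version mismatch can be told apart from certificate or cipher problems. The sample log lines are copied from the issue report; `TLS_ALERTS`, the regex and the function names are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

# AlertDescription values from RFC 5246 / RFC 8446 that nginx prints as
# "SSL alert number N" when the upstream aborts the TLS handshake.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    70: "protocol_version",       # peer refused every TLS version offered
    71: "insufficient_security",
    112: "unrecognized_name",
}

# Matches the tail of an nginx "SSL_do_handshake() failed ... to upstream" line.
ERROR_RE = re.compile(
    r'SSL alert number (?P<alert>\d+)\) while SSL handshaking to upstream'
    r'.*?upstream: "(?P<upstream>[^"]+)"'
)

def parse_handshake_error(line):
    """Return (upstream host:port, alert name) for an upstream-handshake error
    line from the nginx error log, or None for any other line."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    return urlsplit(m.group("upstream")).netloc, TLS_ALERTS.get(alert, f"alert_{alert}")

def explain_502s(error_log, access_log):
    """Pair 502 entries in the JSON access log with the handshake alert seen for
    the same upstream. Returns {upstream: {"alert": name, "requests": [uri, ...]}}."""
    alerts = {}
    for line in error_log.splitlines():
        parsed = parse_handshake_error(line)
        if parsed:
            alerts[parsed[0]] = parsed[1]
    result = {}
    for line in filter(None, access_log.splitlines()):
        entry = json.loads(line)
        up = entry.get("upstream")
        if entry.get("status") == "502" and up in alerts:
            result.setdefault(up, {"alert": alerts[up], "requests": []})["requests"].append(entry["uri"])
    return result

# Sample input: the two lines quoted in the issue report above.
ERROR_LOG = '2022/01/03 08:01:53 [error] 79#79: *37 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /v2/mocks/apisprout/manifests/latest HTTP/1.1", upstream: "https://192.168.0.16:443/v2/mocks/apisprout/manifests/latest", host: "my.repos.io"'
ACCESS_LOG = '{"access_time":"03/Jan/2022:08:01:53 +0000","upstream_cache_status":"MISS","method":"GET","uri":"/v2/mocks/apisprout/manifests/latest","request_type":"manifest-default","status":"502","bytes_sent":"157","upstream_response_time":"0.044","host":"my.repos.io","proxy_host":"my.repos.io","upstream":"192.168.0.16:443"}'

if __name__ == "__main__":
    for up, info in explain_502s(ERROR_LOG, ACCESS_LOG).items():
        print(f"{up}: {info['alert']} -> {len(info['requests'])} failed request(s): {info['requests']}")
```

A `protocol_version` alert from the upstream means it accepted none of the TLS versions nginx offered; for proxied connections that list comes from nginx's `proxy_ssl_protocols` directive, which has to include TLSv1.3 for a TLS 1.3-only registry.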

rpardini commented 2 years ago

Good question. You'd need to search on nginx on which this project is based. This project's base image builds nginx from source, so whatever's required for support should be achievable, and PRs are welcome! I commend you on TLSv1.3-only posture.

cyd01 commented 2 years ago

Thanks for answering. Here is the pull request: https://github.com/rpardini/docker-registry-proxy/pull/124