rpardini / docker-registry-proxy

An HTTPS Proxy for Docker providing centralized configuration and caching of any registry (quay.io, DockerHub, k8s.gcr.io)
Apache License 2.0
912 stars, 170 forks

How to secure access to the proxy when my cluster needs to connect through a public url / ip? #148

Closed valkenburg-prevue-ch closed 1 year ago

valkenburg-prevue-ch commented 1 year ago

My original title was "How to use docker-registry-proxy behind an https-terminating reverse proxy?", but my real question is how to protect the proxy against outside users.

I am probably missing the point here, but how do I securely use docker-registry-proxy? All the examples are over http, so I thought I would run the docker image behind a reverse-proxy with https. I can reach the docker-registry-proxy just fine through the reverse-proxy over https: I get HTTP 200 and "docker-registry-proxy: The docker caching proxy is working!". But

HTTPS_PROXY="https://my.machine.example.com" ctr image pull -k docker.io/rancher/mirrored-pause:3.6 

gives me

INFO[0000] trying next host                              error="failed to do request: Head \"https://registry-1.docker.io/v2/rancher/mirrored-pause/manifests/3.6\": Bad Request" host=registry-1.docker.io
ctr: failed to resolve reference "docker.io/rancher/mirrored-pause:3.6": failed to do request: Head "https://registry-1.docker.io/v2/rancher/mirrored-pause/manifests/3.6": Bad Request

I have no clue what is going wrong here.

When I open port 3128,

HTTPS_PROXY="https://my.machine.example.com:3128" ctr image pull -k docker.io/rancher/mirrored-pause:3.6 

works without any issue, but this opens my containers to the world. Adding basic auth over plain http would open my credentials to the world...

valkenburg-prevue-ch commented 1 year ago

I start to understand that what I thought of is impossible; a proxy cannot be behind another proxy. Or can it? Either way, my actual goal is to protect access to the proxy, in a situation where using firewall rules is not manageable (for example providing access to a random selection of ips and not any other ip in that range).

I do not see anything about securing this setup. Any advice?

rpardini commented 1 year ago

This is a man-in-the-middle authentication-injecting proxy. Adding authentication to a CONNECT proxy is far beyond the scope, and this "limitation" is clearly stated in the readme...
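A quick way to tell the two endpoints in this thread apart, as an added example that is not part of the project or of any comment above: it sends a raw CONNECT request and reports the proxy's status line. A CONNECT proxy like the one on port 3128 answers 200, while an HTTPS-terminating reverse proxy that does not implement CONNECT answers a 4xx, which is the "Bad Request" ctr printed. The function names and the loopback stand-in server are assumptions made for the example.

```python
import socket
import ssl
import threading


def send_connect(proxy_host, proxy_port, target="registry-1.docker.io:443",
                 tls=False, timeout=5.0):
    """Send a raw HTTP CONNECT to a proxy and return (status_code, reason).
    tls=True talks TLS to the proxy first, as a client does for an
    HTTPS_PROXY=https://... URL. 200 means a real CONNECT proxy; a reverse
    proxy without CONNECT support typically returns 400 Bad Request."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=proxy_host) if tls else raw
    with sock:
        sock.sendall(request)
        data = b""
        while b"\r\n" not in data:          # read up to the end of the status line
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"no HTTP status line from proxy: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def fake_proxy(reply):
    """Constructed stand-in (assumption, not a real proxy): accepts one
    connection on a random loopback port, answers `reply`, closes. Returns port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                 # the CONNECT request; ignored
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ok = fake_proxy(b"HTTP/1.1 200 Connection established\r\n\r\n")
    bad = fake_proxy(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    print("CONNECT proxy:", send_connect("127.0.0.1", ok))     # (200, 'Connection established')
    print("reverse proxy:", send_connect("127.0.0.1", bad))    # (400, 'Bad Request')
```

Point it at `my.machine.example.com` port 443 with `tls=True`, or port 3128 with `tls=False`, to reproduce the two behaviours from the first comment; a 200 from a public address also confirms that the CONNECT port is reachable without any authentication.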