rpardini / docker-registry-proxy

An HTTPS Proxy for Docker providing centralized configuration and caching of any registry (quay.io, DockerHub, k8s.gcr.io)
Apache License 2.0

Private registry ssl issue #83

Closed Jaesang closed 3 years ago

Jaesang commented 3 years ago

Hi, I tried this project while looking for a way to build a local registry in an offline env. It's fantastic, thanks a lot!

I have one issue with SSL. We use our local registry over HTTP, so we configured insecure registries in daemon.json.

{
  "insecure-registries" : ["my.private.repo"]
}

So, I ran the container with the command below.

$ docker run --name docker_registry_proxy --dns="192.168.97.232" -d -p 0.0.0.0:3128:3128 -e ENABLE_MANIFEST_CACHE=true -v $(pwd)/docker_mirror_cache:/docker_mirror_cache -v $(pwd)/docker_mirror_certs:/ca -e REGISTRIES="k8s.gcr.io gcr.io quay.io my.private.repo" -e MANIFEST_CACHE_PRIMARY_TIME=60d -e MANIFEST_CACHE_SECONDARY_TIME=60d -e MANIFEST_CACHE_DEFAULT_TIME=60d rpardini/docker-registry-proxy:0.6.2

But when I tried to pull an image from this registry, docker-registry-proxy returned an error; this is the log about that.

$ docker pull my.private.repo/kbudde/rabbitmq-exporter:v0.21.0
Error response from daemon: received unexpected HTTP status: 502 Bad Gateway

docker-registry-proxy log:

2021/03/16 10:56:40 [error] 81#81: *3 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /v2/ HTTP/1.1", upstream: "https://192.168.54.30:443/v2/", host: "my.private.repo"
{"access_time":"16/Mar/2021:10:56:40 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/","request_type":"unknown","status":"502","bytes_sent":"157","upstream_response_time":"0.006","host":"my.private.repo","proxy_host":"my.private.repo","upstream":"192.168.54.30:443"}
{"access_time":"16/Mar/2021:10:56:40 +0000","upstream_cache_status":"MISS","method":"HEAD","uri":"/v2/kbudde/rabbitmq-exporter/manifests/v0.21.0","request_type":"manifest-secondary","status":"502","bytes_sent":"0","upstream_response_time":"0.005","host":"my.private.repo","proxy_host":"my.private.repo","upstream":"192.168.54.30:443"}
2021/03/16 10:56:40 [error] 81#81: *8 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "HEAD /v2/kbudde/rabbitmq-exporter/manifests/v0.21.0 HTTP/1.1", upstream: "https://192.168.54.30:443/v2/kbudde/rabbitmq-exporter/manifests/v0.21.0", host: "my.private.repo"
2021/03/16 10:56:40 [error] 79#79: *12 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /v2/kbudde/rabbitmq-exporter/manifests/v0.21.0 HTTP/1.1", upstream: "https://192.168.54.30:443/v2/kbudde/rabbitmq-exporter/manifests/v0.21.0", host: "my.private.repo"
{"access_time":"16/Mar/2021:10:56:40 +0000","upstream_cache_status":"MISS","method":"GET","uri":"/v2/kbudde/rabbitmq-exporter/manifests/v0.21.0","request_type":"manifest-secondary","status":"502","bytes_sent":"157","upstream_response_time":"0.004","host":"my.private.repo","proxy_host":"my.private.repo","upstream":"192.168.54.30:443"}

I couldn't find any config about an insecure private registry.

Is there any solution to solve this? I'm not familiar with configuring nginx.conf, so it's too difficult to modify.

Thanks.

Jaesang commented 3 years ago

@rpardini I read this issue https://github.com/rpardini/docker-registry-proxy/issues/75, so I tried setting VERIFY_SSL=false and pulled the image successfully. As per your advice, I'm trying to apply SSL to my local repo. Thank you again for making a good project.

rpardini commented 3 years ago

Again, I cannot stress this too much: disabling SSL verification disables it for ALL the upstreams, even DockerHub. This leaves you vulnerable to a number of attacks, not only between this and your insecure registry, but between this and any registry, even if unrelated. Don't do it.
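The maintainer's point above is that VERIFY_SSL is a global switch, so the defensible response to the 502s in this thread is to find out exactly which upstream the proxy cannot verify and fix trust for that one host. The following is an added example, not code from docker-registry-proxy or from anyone in this thread: it scans the two log shapes shown in the issue (nginx `[error]` lines carrying an OpenSSL verify code, and the proxy's JSON access records) and reports, per registry host, which ones failed chain verification and how many requests became 502 Bad Gateway. The sample log is constructed for the example; the `registry-1.docker.io` record and its `203.0.113.10` upstream address are made up to show a host that verified fine.

```python
"""Added example: find which upstreams fail TLS verification in
docker-registry-proxy logs, instead of disabling VERIFY_SSL globally."""
import json
import re
from collections import defaultdict

# Constructed sample in the shape the issue shows: one nginx error line for
# the private registry, its 502 access record, and a healthy (made-up)
# DockerHub record with a documentation-range upstream address.
SAMPLE_LOG = """\
2021/03/16 10:56:40 [error] 81#81: *3 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /v2/ HTTP/1.1", upstream: "https://192.168.54.30:443/v2/", host: "my.private.repo"
{"access_time":"16/Mar/2021:10:56:40 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/","request_type":"unknown","status":"502","bytes_sent":"157","upstream_response_time":"0.006","host":"my.private.repo","proxy_host":"my.private.repo","upstream":"192.168.54.30:443"}
{"access_time":"16/Mar/2021:10:56:41 +0000","upstream_cache_status":"HIT","method":"GET","uri":"/v2/library/alpine/manifests/3.13","request_type":"manifest-primary","status":"200","bytes_sent":"1638","upstream_response_time":"0.000","host":"registry-1.docker.io","proxy_host":"registry-1.docker.io","upstream":"203.0.113.10:443"}
"""

# Matches the nginx error line from the issue: captures the OpenSSL verify
# code (20 = unable to get local issuer certificate), its text, the upstream
# address the proxy connected to, and the registry host being proxied.
VERIFY_ERR = re.compile(
    r'upstream SSL certificate verify error: \((\d+):([^)]*)\)'
    r'.*?upstream: "https://([^/"]+)[^"]*", host: "([^"]+)"'
)


def parse_verify_error(line):
    """Return details of an upstream verify failure, or None if the line is not one."""
    m = VERIFY_ERR.search(line)
    if not m:
        return None
    code, reason, upstream, host = m.groups()
    return {"code": int(code), "reason": reason, "upstream": upstream, "host": host}


def parse_access(line):
    """Return the proxy's JSON access record, or None for non-JSON lines."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if "proxy_host" in rec and "status" in rec else None


def summarize(lines):
    """Per registry host: verify-error codes seen, 502 count, other-status count."""
    summary = defaultdict(lambda: {"verify_errors": [], "bad_gateway": 0, "other": 0})
    for line in lines:
        err = parse_verify_error(line)
        if err:
            summary[err["host"]]["verify_errors"].append(err["code"])
            continue
        rec = parse_access(line)
        if rec:
            key = "bad_gateway" if rec["status"] == "502" else "other"
            summary[rec["proxy_host"]][key] += 1
    return dict(summary)


def unverified_upstreams(summary):
    """Hosts whose certificate chain the proxy could not verify; fix trust for these only."""
    return sorted(host for host, s in summary.items() if s["verify_errors"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for host, stats in sorted(report.items()):
        print(f"{host}: verify errors {stats['verify_errors']}, "
              f"502s {stats['bad_gateway']}, other {stats['other']}")
    print("needs a trusted issuer CA:", unverified_upstreams(report))
```

Run it against the real log with `docker logs docker_registry_proxy | python3 this_script.py`-style piping by swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; a host listed by `unverified_upstreams` is the one whose issuing CA the proxy does not trust, while every host absent from that list is still being verified and would lose that protection under VERIFY_SSL=false.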