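An error encountered when deploying a Docker Registry behind frp NAT traversal
As the storage needs of the private Registry grew, I had to migrate the Docker Registry from the original cloud server to a local server. The local server has no public IP, so the only options left were NAT traversal or site-to-site networking.
My first instinct was to try NAT traversal, which is how I ended up with frp.
Then I wrote the docker-compose file. After bringing it up, login worked and pull worked, but push failed with the following errors: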
10.10.200.69 - - [25/Jul/2025:13:58:21 +0800] "POST /v2/busybox/blobs/uploads/ HTTP/1.1" 202 0 "" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \\(windows\\))"
time="2025-07-25T13:58:21.308114929+08:00" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" go.version=go1.20.8 http.request.contenttype="application/octet-stream" http.request.host=hub.aaaa.cn http.request.id=5878d0fe-9054-4bad-9426-9e37b7219c82 http.request.method=PUT http.request.remoteaddr=110.110.110.110 http.request.uri="/v2/busybox/blobs/uploads/9ec24fbf-3bdf-4d9d-8be2-7200f7294271?_state=0lH_qS74uX4EtSz41a2JW8tf533U3PYjN9mJOdysfU17Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjllYzI0ZmJmLTNiZGYtNGQ5ZC04YmUyLTcyMDBmNzI5NDI3MSIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNTo1ODoyMS4yNDI3NjA4MjFaIn0%3D&digest=sha256%3A49b3deb861d27a741ac5d50d64420c4975941605bbfa56b4b1d3fb5c5a2857bd" http.request.useragent="docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \(windows\))" vars.name=busybox vars.uuid=9ec24fbf-3bdf-4d9d-8be2-7200f7294271
10.10.200.69 - - [25/Jul/2025:13:58:21 +0800] "PUT /v2/busybox/blobs/uploads/9ec24fbf-3bdf-4d9d-8be2-7200f7294271?_state=0lH_qS74uX4EtSz41a2JW8tf533U3PYjN9mJOdysfU17Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjllYzI0ZmJmLTNiZGYtNGQ5ZC04YmUyLTcyMDBmNzI5NDI3MSIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNTo1ODoyMS4yNDI3NjA4MjFaIn0%3D&digest=sha256%3A49b3deb861d27a741ac5d50d64420c4975941605bbfa56b4b1d3fb5c5a2857bd HTTP/1.1" 401 216 "" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \\(windows\\))"
10.10.200.69 - - [25/Jul/2025:13:58:21 +0800] "PUT /v2/busybox/blobs/uploads/3624c175-ab4a-4ad1-9577-fb0171ef0eac?_state=_fZo3vE9-7pLXE1MjJ9LorqlO8kLR5cL7fWTWVkf0zZ7Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjM2MjRjMTc1LWFiNGEtNGFkMS05NTc3LWZiMDE3MWVmMGVhYyIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNTo1ODoyMS4yMjM3ODc1MDRaIn0%3D&digest=sha256%3Afbe78d1903c70b6952c5d328623686555a44e176def859369e69c9c12353465a HTTP/1.1" 401 216 "" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \\(windows\\))"
time="2025-07-25T13:58:21.505672234+08:00" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" go.version=go1.20.8 http.request.contenttype="application/octet-stream" http.request.host=hub.aaaa.cn http.request.id=01940aa3-475e-4a0e-90d2-1d615e58dc77 http.request.method=PUT http.request.remoteaddr=110.110.110.110 http.request.uri="/v2/busybox/blobs/uploads/3624c175-ab4a-4ad1-9577-fb0171ef0eac?_state=_fZo3vE9-7pLXE1MjJ9LorqlO8kLR5cL7fWTWVkf0zZ7Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjM2MjRjMTc1LWFiNGEtNGFkMS05NTc3LWZiMDE3MWVmMGVhYyIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNTo1ODoyMS4yMjM3ODc1MDRaIn0%3D&digest=sha256%3Afbe78d1903c70b6952c5d328623686555a44e176def859369e69c9c12353465a" http.request.useragent="docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \(windows\))" vars.name=busybox vars.uuid=3624c175-ab4a-4ad1-9577-fb0171ef0eac
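Extracting the core error message: error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential
So it is an authentication error.
Which raises the question: why do pull and login work, while push does not???
When in doubt, Google it. After a round of searching, I found nothing I could use as a reference.
Then I tried various AIs; ChatGPT and DeepSeek both gave 💩-grade suggestions.
Finally, staring at the pile of error logs, a thought popped into my head: check all the logs. So I changed the Nginx log format to print as many headers as possible.
Persistence paid off: in the Nginx log I saw that on the requests answered with 401, the Authorization header was empty. That is what caused the Registry authentication failure!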
110.110.110.110 - admin [25/Jul/2025:13:24:23 +0800] "POST /v2/busybox/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \x5C(windows\x5C))" "-"Authorization: Basic YWRtaW46eGt6bkAyMDI1
110.110.110.110 - admin [25/Jul/2025:13:24:23 +0800] "POST /v2/busybox/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \x5C(windows\x5C))" "-"Authorization: Basic YWRtaW46eGt6bkAyMDI1
110.110.110.110 - - [25/Jul/2025:13:24:23 +0800] "PUT /v2/busybox/blobs/uploads/597eb637-cf3c-4f90-bcc2-9cfa0a5f59f8?_state=jBDX9BjdL1muC80XW4DCRKuJzYR5f5T3G86-evO3Rq57Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjU5N2ViNjM3LWNmM2MtNGY5MC1iY2MyLTljZmEwYTVmNTlmOCIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNToyNDoyMy41NTQyNTQxNjNaIn0%3D&digest=sha256%3Aae1d923cbe21706d4f9677ce8b05bad652be748ce7695a9137438a1e13bb0066 HTTP/1.1" 401 216 "-" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \x5C(windows\x5C))" "-"Authorization: -
110.110.110.110 - - [25/Jul/2025:13:24:24 +0800] "PUT /v2/busybox/blobs/uploads/5e03d4a5-6b79-4d06-8846-e5c9d4610500?_state=1XDevLv4z4IILLwgapOWiVSnA6zA3adTDov8n2yoAEZ7Ik5hbWUiOiJidXN5Ym94IiwiVVVJRCI6IjVlMDNkNGE1LTZiNzktNGQwNi04ODQ2LWU1YzlkNDYxMDUwMCIsIk9mZnNldCI6MCwiU3RhcnRlZEF0IjoiMjAyNS0wNy0yNVQwNToyNDoyMy41NTAwNjczNDZaIn0%3D&digest=sha256%3Ac464210ed74876e1229e7a337e6274297f4eb55b120635f73e2844408ae3ef13 HTTP/1.1" 401 216 "-" "docker/27.4.0 go/go1.22.10 git-commit/92a8393 kernel/5.15.146.1-microsoft-standard-WSL2 os/linux arch/amd64 containerd-client/1.7.24+unknown storage-driver/overlayfs UpstreamClient(Docker-Client/27.4.0 \x5C(windows\x5C))" "-"Authorization: -
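The same check can be scripted instead of done by eye. This is an added example, not part of the original post: it parses lines in the layout shown above (with the trailing Authorization field) and lists blob-upload requests that were answered with 401 and carried no credentials. The sample lines, the documentation IP and the PLACEHOLDER credential are constructed.

```python
import re

# Matches the access-log layout shown above: combined-style fields followed by
# a trailing "Authorization: <value>" field from the customised log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'.*Authorization: (?P<auth>.*)$'
)
UPLOAD = re.compile(r'^/v2/(?P<repo>.+)/blobs/uploads/(?P<uuid>[^/?]*)')

# Constructed sample lines (documentation IP, placeholder credential).
SAMPLE = [
    '203.0.113.7 - admin [25/Jul/2025:13:24:23 +0800] "POST /v2/busybox/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/27.4.0" "-"Authorization: Basic PLACEHOLDER',
    '203.0.113.7 - - [25/Jul/2025:13:24:23 +0800] "PUT /v2/busybox/blobs/uploads/1111?_state=x&digest=sha256%3Aabc HTTP/1.1" 401 216 "-" "docker/27.4.0" "-"Authorization: -',
    '203.0.113.7 - admin [25/Jul/2025:13:24:25 +0800] "GET /v2/busybox/manifests/latest HTTP/1.1" 200 610 "-" "docker/27.4.0" "-"Authorization: Basic PLACEHOLDER',
]

def triage(lines):
    """Return one record per blob-upload request. The credential value is
    reduced to its scheme so it is not copied into the report."""
    out = []
    for line in lines:
        m = LINE.match(line)
        up = m and UPLOAD.match(m["uri"])
        if not up:
            continue  # unparsable line, or not an upload request
        auth = m["auth"].strip()
        out.append({
            "method": m["method"],
            "repo": up["repo"],
            "status": int(m["status"]),
            "auth": None if auth in ("", "-") else auth.split()[0],
        })
    return out

def dropped_credentials(lines):
    """Upload requests rejected with 401 that arrived with no Authorization."""
    return [r for r in triage(lines) if r["status"] == 401 and r["auth"] is None]

if __name__ == "__main__":
    for rec in dropped_credentials(SAMPLE):
        print(rec)
```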
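That raised a new question: why is the Authorization header not being sent? Completely stumped, I decided to capture some packets first.
With that capture, everything suddenly became clear!
Every request that carried Authorization was https, and every request without Authorization was http.
Then it clicked: a normal upload starts with a POST, which returns a Location header, and the scheme in it was http, so the Registry flow naturally went on to call that http URL.
So that's what it was!!!
With the cause found, the fix was simple: I only needed to add proxy_set_header X-Forwarded-Proto "https"; to the Nginx proxy configuration, forcing the origin scheme to be reported as https, and that solved it perfectly.
Brought it up again, ran push, and it went through perfectly!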
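The cause and the fix, as an added example that is not part of the original post. `location_for` is a simplified model (an assumption, not the Registry's own code) of a backend that builds an absolute Location from X-Forwarded-Proto when the header is present and from its own connection scheme otherwise; the upload id and `_state` value are placeholders.

```python
from urllib.parse import urljoin, urlsplit

def location_for(headers, backend_tls, path):
    """Simplified model (an assumption, not the registry's code) of how a
    backend behind a proxy builds an absolute Location URL: it trusts
    X-Forwarded-Proto if present, otherwise it uses the scheme of the
    connection it actually received."""
    proto = headers.get("X-Forwarded-Proto") or ("https" if backend_tls else "http")
    return f"{proto}://{headers['Host']}{path}"

def scheme_downgrade(request_url, location):
    """True when an https request is answered with a Location that resolves
    to a non-https URL (a relative Location inherits the request scheme)."""
    target = urlsplit(urljoin(request_url, location))
    return urlsplit(request_url).scheme == "https" and target.scheme != "https"

# Constructed values: host name as in the page's logs, placeholder upload id.
REQUEST_URL = "https://hub.aaaa.cn/v2/busybox/blobs/uploads/"
UPLOAD_PATH = "/v2/busybox/blobs/uploads/UPLOAD-ID?_state=STATE"

def check(proxy_headers):
    # Assumption: TLS ends somewhere in front of the registry, so the
    # registry itself receives plain HTTP (backend_tls=False).
    loc = location_for(proxy_headers, backend_tls=False, path=UPLOAD_PATH)
    return loc, scheme_downgrade(REQUEST_URL, loc)

BEFORE = {"Host": "hub.aaaa.cn"}                               # header missing
AFTER = {"Host": "hub.aaaa.cn", "X-Forwarded-Proto": "https"}  # after the fix

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        loc, bad = check(hdrs)
        print(f"{name}: Location={loc} downgrade={bad}")
```

Run against a live deployment, the same `scheme_downgrade` check applies to the Location header returned by the POST to `/v2/<name>/blobs/uploads/`.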