I use nginx to proxy the requests, but pushing the images failed.
```
Login Succeeded
The push refers to a repository [myurl:2000/library/harbor-log]
158f11ffc16f: Pushing [==================================================>] 3.072 kB
0d7242ab30ac: Pushing [==================================================>] 3.072 kB
65ce47a56ad1: Pushing [==================================================>] 3.584 kB
6103217a6963: Pushing [==================================================>] 62.68 MB
dd60b611baaa: Pushing [==================================================>] 127.5 MB/127.5 MB
unauthorized: authentication required
```
In registry.log I found this:
```
Nov 16 05:09:20 172.18.0.1 registry[2939]: time="2016-11-16T10:09:20.293044048Z" level=debug msg="authorizing request" go.version=go1.6.3 http.request.host="registry:5000" http.request.id=ef365e7a-60e9-4644-af82-df5962d55564 http.request.method=GET http.request.remoteaddr="172.18.0.6:55372" http.request.uri="/v2/" http.request.useragent="Go-http-client/1.1" instance.id=f16ada54-8a1f-4474-9e9e-bbb48b55ac76 service=registry version=v2.5.0
Nov 16 05:09:20 172.18.0.1 registry[2939]: time="2016-11-16T10:09:20.293149343Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.3 http.request.host="registry:5000" http.request.id=ef365e7a-60e9-4644-af82-df5962d55564 http.request.method=GET http.request.remoteaddr="172.18.0.6:55372" http.request.uri="/v2/" http.request.useragent="Go-http-client/1.1" instance.id=f16ada54-8a1f-4474-9e9e-bbb48b55ac76 service=registry version=v2.5.0
```
All requests are HTTP.
Is it that nginx does not transmit the token, or something else?
Please check the end of the document below for a possible solution for configuring Nginx:
https://github.com/vmware/harbor/blob/dev/docs/installation_guide.md
When setting up Harbor behind an nginx proxy or elastic load balancing, look for the line below, in make/config/nginx/nginx.conf and remove it from the sections if the proxy already has similar settings: location /, location /v2/ and location /service/.
proxy_set_header X-Forwarded-Proto $scheme;
@wydream
@hainingzhang thanks for your answer.
Here is my nginx.conf; it has no "proxy_set_header" config:
```
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    upstream harbor {
        ip_hash;
        server 10.57.18.236;
        server 10.57.18.120;
    }

    server {
        listen 80;
        location / {
            proxy_pass http://harbor;
        }
    }
}
```
And is there any other way to maintain an HA Harbor?
I compared the logs of the direct connection and the proxy connection.
In the logs of the successful case (direct), it's
http.request.method=HEAD
In the logs of the proxy one, it's
http.request.method=POST
Hello,
@wydream maybe you want to change
auth->token->realm
in file
config/registry/config.yml
In my case (external nginx proxy, https to http) the problem was there.
@bn0ir This fixed my problem. thx.
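Why the realm matters, as an added example that is not part of the thread or of Harbor's code: the registry advertises `auth->token->realm` in the `WWW-Authenticate` challenge on `/v2/`, and the Docker client requests its token from that URL. The checker below compares a challenge with the URL clients actually use; the hostnames, service name and challenge strings are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: challenge from a registry whose realm is still http.
# Hostname and service name are placeholders, not values from the thread.
SAMPLE_CHALLENGE = ('Bearer realm="http://harbor.example.com/service/token",'
                    'service="token-service"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')
_DEFAULT_PORT = {"http": 80, "https": 443}


def parse_challenge(header):
    """Split a WWW-Authenticate value into (auth scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme, dict(_PARAM.findall(rest))


def _origin(url):
    """Return (scheme, host, port) with a scheme's default port as None."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = None if u.port == _DEFAULT_PORT.get(scheme) else u.port
    return scheme, (u.hostname or "").lower(), port


def check_realm(external_url, challenge_header):
    """List the problems a client entering via external_url would hit."""
    auth, params = parse_challenge(challenge_header)
    if auth.lower() != "bearer" or "realm" not in params:
        return ["challenge carries no Bearer realm"]
    ext, realm = _origin(external_url), _origin(params["realm"])
    problems = []
    if ext[0] == "https" and realm[0] == "http":
        problems.append("realm is http behind an https front end: credentials "
                        "go to the token service over plain http")
    if ext[1:] != realm[1:]:
        problems.append("realm points at %s:%s, clients use %s:%s"
                        % (realm[1], realm[2] or "default",
                           ext[1], ext[2] or "default"))
    return problems


if __name__ == "__main__":
    for p in check_realm("https://harbor.example.com", SAMPLE_CHALLENGE):
        print("WARN:", p)
```

The challenge to feed in is the `WWW-Authenticate` header of the 401 response to an unauthenticated `GET /v2/` made through the proxy.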
It's a shame that even with all the "automation" done on rancher, this is so difficult to set up with SSL offloading/proxying.
This is what I did to work around it:
```
STACK="registry"

# Comment out the X-Forwarded-Proto header in the proxy container's nginx.conf
VOL=$(docker volume ls | grep "${STACK}_etcnginx" | sed -e 's/.*\ //g')
VOLDIR=$(docker volume inspect "$VOL" -f '{{.Mountpoint}}')
sed -e 's/^\(.*X-Forwarded-Proto.*\)/#\1/g' -i "$VOLDIR/nginx.conf"
CONTAINER=$(docker ps | grep "r-${STACK}-proxy" | sed -e 's/.*\(r-.*\)/\1/g')
docker restart "$CONTAINER"

# Switch the registry's token realm from http to https
VOL=$(docker volume ls | grep "${STACK}_etcregistry" | sed -e 's/.*\ //g')
VOLDIR=$(docker volume inspect "$VOL" -f '{{.Mountpoint}}')
sed -i -e 's/realm: http:/realm: https:/g' "$VOLDIR/config.yml"
CONTAINER=$(docker ps | grep "r-${STACK}-registry" | sed -e 's/.*\(r-.*\)/\1/g')
docker restart "$CONTAINER"
```
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Closing as this is answered.