Harbor: Harbor behind traefik in swarm cluster

Aug 2 17:01:05 10.255.0.4 ui[11447]: 2017-08-02T17:01:05Z [WARNING] Invalid credentials for uid:

looks you input wrong password?

I can login to the UI but docker login failed with the same username/password

noticed the log there's no username in your log

Aug 2 17:01:03 10.255.0.4 ui[11447]: 2017-08-02T17:01:03Z [DEBUG] [authenticator.go:71]: Login failed, locking , and sleep for 1.5s

On my env if I input a wrong password when login with admin this message would look like this:

Aug  5 16:47:02 172.21.0.1 ui[20318]: 2017-08-05T08:47:02Z [DEBUG] [authenticator.go:71]: Login failed, locking admin, and sleep for 1.5s

It looks like traefik dropped the basic auth header?

Thanks guys, got if fix, since I did not use the nginx reverse provy, harbor.cfg does not specify using https, I need to modify adminserver and registry end point for harbor, I can now successfully login to harbor and push images into the registry.

Can you share your traefik configuration? If I run harbor.cfg in http only mode and proxy traffic from traefik to the proxy harbor service with these tags:

proxy:
image: vmware/nginx-photon:1.11.13
container_name: nginx
restart: always
labels:
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.rule=Host:dev-reg.meekconsulting.com"
- "traefik.backend=nginx"
- "traefik.docker.network=web"
- "traefik.enable=true"
- "traefik.port=80"

I am able to log in to the web interface -- but when I try to log in using docker login -- it fails authorization.

Error response from daemon: Get https://[harbor dns name]/v2/: unauthorized: authentication required

cchan6700 mentioned modifying adminserver and registry as endpoints. Can you share your traefik tags or configuration?

I don't use nginx as the reverse proxy, just traefik, here is what I add to the docker-compose.yml

registry labels:
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:;PathPrefix:/v2/"
- "traefik.port=5000"

ui labels:
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:"
- "traefik.port=80"

I let traefik handle the ssl encryption using letsencrypt so you have to modify the env file for adminserver
and registry config.yml to use https address

Thank you – this is exactly what I want to do.

So you didn’t have to change any of the nginx config because you don’t route any traffic to that – could we not spin up nginx at all ( I’m thinking I can remove it from the docker-compose.yml

I’ll give it a try tonight!

Kevin

From: cchan6700 [mailto:[email protected]]
Sent: Thursday, September 14, 2017 10:57 AM
To: vmware/harbor
Cc: Kevin Meek; Comment
Subject: Re: [vmware/harbor] Harbor behind traefik in swarm cluster (#2948)

I don't use nginx as the reverse proxy, just traefik, here is what I add to the docker-compose.yml

registry labels:

• "traefik.docker.network=web"
• "traefik.frontend.rule=Host:;PathPrefix:/v2/"
• "traefik.port=5000"

ui labels:

• "traefik.docker.network=web"
• "traefik.frontend.rule=Host:"
• "traefik.port=80"

I let traefik handle the ssl encryption using letsencrypt so you have to modify the env file for adminserver
and registry config.yml to use https address

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHubhttps://github.com/vmware/harbor/issues/2948#issuecomment-329508891, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AVgA0NfXRenpR3ECZPZLWOrcHIQ_7u0eks5siT7SgaJpZM4Ore3S.

I set up my traefik frontend rules as you indicated and it looks from the logs that my docker login attempts are reaching the registry service. But I'm unable to log in from docker command line:

root@test1:~# docker login https://xxxx.xxxx.com
Username: kmeek
Password:
Error response from daemon: Get https://xxxx.xxxx.com/v2/: unauthorized: authentication required

In the registry.log I see message "error authorizing context authorization token required"

Is there something in the headers not being passed through?

Here is the registry.log
Sep 15 00:32:06 172.20.0.1 registry[358]: time="2017-09-15T00:32:05.675450846Z" level=debug msg="authorizing request" go.version=go1.7.3 http.request.host=reg.meekconsulting.com http.request.id=414930a8-8f2a-4a7c-93ba-82adc56cce76 http.request.method=GET http.request.remoteaddr=159.203.182.124 http.request.uri="/v2/" http.request.useragent="docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-87-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.05.0-ce \(linux\))" instance.id=51cee24e-97d3-48e4-903d-1de51693181d service=registry version=v2.6.2
Sep 15 00:32:07 172.20.0.1 registry[358]: time="2017-09-15T00:32:07.431772592Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.7.3 http.request.host=xxxx.xxxx.com http.request.id=414930a8-8f2a-4a7c-93ba-82adc56cce76 http.request.method=GET http.request.remoteaddr=159.203.182.124 http.request.uri="/v2/" http.request.useragent="docker/17.05.0-ce go/go1.7.5 git-commit/89658be kernel/4.4.0-87-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.05.0-ce \(linux\))" instance.id=51cee24e-97d3-48e4-903d-1de51693181d service=registry version=v2.6.2

Did you modify the adminserver env file (common/config/adminserver/env), registry config.yml (common/config/registry/config.yml)?

I have the same problem before I update these two files to use https://xxx.xxx.com

@cchan6700 can you take a look at #2868 and see if your Swarm deployment is suitable for a PR?