Fixing the issue with Kong deployment as a reverse proxy for Docker registry

What is the Docker registry?

The Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images. The Registry is open-source, under the permissive Apache license.

What is Kong?

Kong is one of the core technologies used by Mashape to power API requests from developers. It is often described as a “drop-in replacement for expensive proprietary API management systems.” The rough idea behind Kong is to give developers a centralized management layer for microservices and APIs.

Why use Kong as a reverse proxy for the Docker registry?

Kong provides several authentication methods that can be applied to several backend APIs. If you don’t want to manually create credentials for your Docker registry, Kong is a good solution.

Kong supports the following authentication methods:

  • Key Auth
  • Basic Auth
  • OAuth2
  • JWT

Kong also provides further features such as traffic control, transformations, logging, analytics, etc.

The issue

In this deployment, SSL is terminated at Kong. It looks like Kong does not set the X-Forwarded-Proto or X-Forwarded-Host header properly when proxying traffic to the back end, which is the Docker registry. In addition, the Docker registry cannot detect the correct URL.

Although the pull action completes without any issue, the push action gets stuck, retries several times, and then fails with the error blob upload unknown. The following is an example of the issue:

[email protected] $ docker push registry.ndk.name/mysql
The push refers to repository [registry.ndk.name/mysql]
c5479ef6e03d: Pushing [========================================>] 1.536kB
1df83efbc52b: Pushing [========================================>] 9.216kB
4b402dfbab7b: Pushing [========================================>] 256.4MB/256.4MB
14d83b80d542: Pushing [========================================>] 512B
b0c77fd3841d: Retrying in 1 second
317e578f94b9: Waiting
fbb39c7dedaf: Waiting
55d5d837463a: Waiting
f0f28cc0eea1: Waiting
813996252a80: Waiting
3358360aedad: Waiting
blob upload unknown

Solution

All we need to do is enable relative URLs with the relativeurls option. If it is true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.

If you are deploying the Docker registry with a docker-compose.yml or stack.yml file, you can set REGISTRY_HTTP_RELATIVEURLS=true in your service’s environment.
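
The effect of relativeurls on the Location header, as an added example that is not part of the original post or of the registry's own code. It is a simplified Python model: the backend host `registry:5000`, the header fallback logic and the upload-id placeholder are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

UPLOAD_PATH = "/v2/mysql/blobs/uploads/"            # blob upload endpoint for the "mysql" repo
SESSION = UPLOAD_PATH + "UPLOAD-ID-PLACEHOLDER"     # constructed placeholder, not a real session id


def registry_location(headers, relative_urls):
    """Simplified model of how the backend picks the Location for an upload session.

    Assumption: with relative URLs off, the backend builds an absolute URL from
    X-Forwarded-Proto / X-Forwarded-Host, falling back to the plain-HTTP
    connection and the Host header it actually received from the proxy.
    """
    if relative_urls:
        return SESSION
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f"{scheme}://{host}{SESSION}"


def client_next_url(request_url, location):
    """Resolve Location the way an HTTP client does and report whether the
    follow-up request stays on the origin the client originally pushed to."""
    resolved = urljoin(request_url, location)
    req, res = urlsplit(request_url), urlsplit(resolved)
    return resolved, (req.scheme, req.netloc) == (res.scheme, res.netloc)


PUSH_URL = "https://registry.ndk.name" + UPLOAD_PATH
# Constructed headers as the backend might see them behind a TLS-terminating
# proxy that forwards neither X-Forwarded-Proto nor X-Forwarded-Host.
BACKEND_HEADERS = {"Host": "registry:5000"}

if __name__ == "__main__":
    for relative in (False, True):
        loc = registry_location(BACKEND_HEADERS, relative)
        url, same = client_next_url(PUSH_URL, loc)
        print(f"relativeurls={relative!s:5} Location={loc}")
        print(f"  client continues at {url} (same origin: {same})")
```

With relative URLs the client's next request keeps the https scheme and public host it started with, so the registry no longer depends on the proxy's forwarded headers to build a usable upload URL.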

Note:

  • The relativeurls option is not compatible with Docker 1.7 and earlier.
  • I also tried the Kong transformation plugin to set the proper header, but it didn’t help.

Now try to push the image to our Docker registry again and see the successful result.

[email protected]$ docker push registry.ndk.name/mysql
The push refers to repository [registry.ndk.name/mysql]
c5479ef6e03d: Pushed
1df83efbc52b: Pushed
4b402dfbab7b: Pushed
14d83b80d542: Pushed
b0c77fd3841d: Pushed
317e578f94b9: Pushed
fbb39c7dedaf: Pushed
55d5d837463a: Pushed
f0f28cc0eea1: Pushed
813996252a80: Pushed
3358360aedad: Pushed
latest: digest: sha256:12e70236ec8be07b87a95008a22deb0a2a6289ac81d852e622ea13e8311cec64 size: 2621