Basic Auth problem on docker registry

[Hexalyse]

Bug description

I've configured docker-registry-ui as shown in the "standalone" example with credentials. For information, docker-registry-ui is behind a reverse proxy (with its own Basic Auth, which works fine), and the docker registry is accessed directly via its https address (https://docker.mydomain.com:5000), and has Basic Auth configured too (directly handled by the docker registry docker container, no reverse proxy is used for the registry).

I have a weird problem. When accessing the web ui, the first request to /v2/_catalog gets a 401 error back from the registry docker container (and my docker container indeed logs an error : level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential".
But just after this request, another request is sent to the same URL, and this time it works (200 OK, and no basic auth error).

So I can see the list of my repositories and images. But if I click on one of them to get details, then I get CORS errors (even if CORS are correctly configured on my docker registry, as shown in your examples, and EVEN when using a browser extension to bypass CORS). The problem is that the preflight request gets a 401 Error back from the registry, for the exact same reason as before (level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential") and so the browser doesn't continue and spits this in the console:

Access to XMLHttpRequest at 'https://docker.mydomain:5000/v2/foo/bar/manifests/latest' from origin 'https://registry.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

It seems like Basic Auth credentials aren't sent in the requests, so I'm confused. It doesn't seem like a CORS configuration problem (the headers are here, and requests are sent by the browser). Rather, it seems like a problem with Basic Auth on the docker registry.
But any address I open directly in the browser (where I logged in with the basic auth credentials) work properly. Only the XHR requests sent by docker-registry-ui frontend get 401 errors.

How to Reproduce

See explanation above.

My docker-compose file

services:
  registry:
    restart: always
    image: registry:2
    container_name: registry
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: REDACTED
      REGISTRY_HTTP_TLS_KEY: REDACTED
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - ./data:/var/lib/registry
      - ./certs:/certs
      - ./auth:/auth
      - ./config.yml:/etc/docker/registry/config.yml

  ui:
    image: joxit/docker-registry-ui:latest
    container_name: registry-web-ui
    ports:
      - 127.0.0.1:5100:80
    environment:
      - REGISTRY_TITLE=Private Docker Registry
      - REGISTRY_URL=REDACTED
      - SINGLE_REGISTRY=true
    depends_on:
      - registry

My private docker registry configuration

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['https://registry.mydomain.com']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Allow-Credentials: [true]
    Access-Control-Allow-Headers: ['Authorization', 'Accept']
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

Expected behavior

I shouldn't get 401 errors back from the docker registry container when the UI send requests to API endpoints (seems like it's not sending the proper Basic Auth headers like it should, except sometimes!?)

System information

• OS: Debian 11
• Docker registry UI:
  • Version: latest
  • Tools: docker-compose

[minhtienn96]

It seems like Basic Auth credentials aren't sent in the requests, so I'm confused. It doesn't seem like a CORS configuration problem (the headers are here, and requests are sent by the browser). Rather, it seems like a problem with Basic Auth on the docker registry.

Yes, agree with my
I had a same problem and not find any way to fix.

Currently i'm temporary not using docker-registry-ui, hope someone can explain this issue and how to fix it

[Joxit]

Hi there and thank you for using my project and submitting issues.

As I can see with your information and the error Response to preflight request doesn't pass access control check: It does not have HTTP ok status., this is linked to this issue from the FAQ:

• Why DELETE fails with 401 status code (using Basic Auth) ?
  • This is caused by a bug in docker registry, I suggest to have your UI on the same domain than your registry and use NGINX_PROXY_PASS_URL e.g. registry.example.com/ui/. (see Delete fails and HTTP 401 on every other request #104, Cannot delete image and view history #204, Unable to delete docker image and view history #207, DELETE woes (again) #214).

More information about this issue #104 (comment)

So your options are :

1. As I said in the FAQ, use NGINX_PROXY_PASS_URL
2. Configure a nginx/apache/haproxy in front of your registry server and return 200 on each OPTION requests

I will rephrase the FAQ to explicitly include your use-case.

[Joxit]

I've updated the FAQ, If you still can't get it to work, you can open the issue again