Nomad + Traefik + docker registry without tls

Traefik Traefik v3 (latest)
1

I have 2 machines in the same internal network.
I installed nomad + traefik + docker registry into one of them at 192.168.1.48.
Exposed docker registry trough direct host port at :9169 and trough Traefik at :38081.
I don't want to setup tls yet, so I added both endpoints into docker daemon config.

{
  "insecure-registries": [
    "192.168.1.48:9169",
    "192.168.1.48:38081"
  ]
}

Checked both endpoints like this.

curl -v -I 192.168.1.48:38081/v2/
*   Trying 192.168.1.48:38081...
* Connected to 192.168.1.48 (192.168.1.48) port 38081
* using HTTP/1.x
> HEAD /v2/ HTTP/1.1
> Host: 192.168.1.48:38081
> User-Agent: curl/8.11.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Length: 2
Content-Length: 2
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Date: Tue, 27 May 2025 13:22:02 GMT
Date: Tue, 27 May 2025 13:22:02 GMT
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
<

* Connection #0 to host 192.168.1.48 left intact

curl -v -I 192.168.1.48:9169/v2/
*   Trying 192.168.1.48:9169...
* Connected to 192.168.1.48 (192.168.1.48) port 9169
* using HTTP/1.x
> HEAD /v2/ HTTP/1.1
> Host: 192.168.1.48:9169
> User-Agent: curl/8.11.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Length: 2
Content-Length: 2
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< Date: Tue, 27 May 2025 13:21:49 GMT
Date: Tue, 27 May 2025 13:21:49 GMT
<

* Connection #0 to host 192.168.1.48 left intact

But, only the direct port works...

docker push 192.168.1.48:9169/gestaoapi
Using default tag: latest
The push refers to repository [192.168.1.48:9169/gestaoapi]
f18232174bc9: Layer already exists
94dd5906d95c: Already exists
4f4fb700ef54: Layer already exists
f9825f5070d7: Layer already exists
6b82be40034d: Layer already exists
c00f5714e8aa: Layer already exists
4ed0b5d14f27: Layer already exists
latest: digest: sha256:9ef3eb60eec90e5a02378906c452e897d3e8a3a451a8063f26bcd589c601e1a6 size: 856

docker push 192.168.1.48:38081/gestaoapi
Using default tag: latest
The push refers to repository [192.168.1.48:38081/gestaoapi]
94dd5906d95c: Waiting
4f4fb700ef54: Waiting
f9825f5070d7: Waiting
f18232174bc9: Waiting
6b82be40034d: Waiting
4ed0b5d14f27: Waiting
c00f5714e8aa: Waiting
unknown: unexpected status from POST request to https://192.168.1.48:38081/v2/gestaoapi/blobs/uploads/: 404 Not Found

Nomad jobs for traefik and docker registry.

job "traefik" {
  datacenters = ["dc1"]
  type = "system"

  group "traefik" {

    task "traefik" {
      driver = "docker"

      config {
        image = "traefik:v3.4.0"
        network_mode = "host"
        volumes = [
          "local/traefik.yml:/etc/traefik/traefik.yml"
        ]
        args = ["--configFile=/etc/traefik/traefik.yml"]
      }

      template {
        data = <<EOF
entryPoints:
  web:
    address: ":30080"
#    forwardedHeaders:
#      insecure: true
  websecure:
    address: ":30443"
    http:
      tls: {}
#    forwardedHeaders:
#      insecure: true
  dockerregistry:
    address: ":38081"
    forwardedHeaders:
      insecure: true
  traefik:
    address: ":38080"

api:
  dashboard: true
  insecure: true

log:
  level: DEBUG

providers:
  nomad:
    endpoint:
      address: http://127.0.0.1:4646
      token: "${nomad_token}"
    exposedByDefault: false
    prefix: "traefik"
    refreshInterval: 15s
    watch: true
    namespaces: 
      - "default"
EOF
        destination = "local/traefik.yml"
      }
    }
  }
}

job "docker-registry" {
  datacenters = ["dc1"]
  type        = "service"

  update {
    max_parallel      = ${replica_count}
    canary            = ${replica_count}
    health_check      = "checks"
    min_healthy_time  = "30s"
    healthy_deadline  = "5m"
    progress_deadline = "10m"
    auto_revert       = true
    auto_promote      = true
    stagger           = "30s"
  }

  group "registry" {
    count = ${replica_count}

    network {
      mode = "bridge"  
      port "registry" {
        to = 5000
        static = 9169
      }
    }

    volume "registry-data" {
      type      = "host"
      source    = "docker-registry-data"
      read_only = false
    }

    service {
      name = "docker-registry"
      port = "registry"
      provider = "nomad"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.docker-registry-main.entrypoints=dockerregistry",
        "traefik.http.routers.docker-registry-main.rule=PathPrefix(`/`)"
      ]
      canary_tags = [
        "traefik.enable=true",
        "traefik.nomad.canary=true",
        "traefik.http.routers.docker-registry-canary.entrypoints=dockerregistry",
      ]

      check {
        type     = "http"
        path     = "/v2/"
        interval = "20s"
        timeout  = "2s"

        check_restart {
          limit = 3
          grace = "60s"
        }
      }
    }

    task "registry" {
      driver = "docker"

      config {
        image = "registry:2"
        ports = ["registry"]

        volumes = [
          "local/config.yml:/etc/docker/registry/config.yml"
        ]
      }

      template {
        data = <<EOF
version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
      enabled: true
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
http:
  addr: :5000
EOF
        destination = "local/config.yml"
      }

      volume_mount {
        volume      = "registry-data"
        destination = "/var/lib/registry"
        read_only   = false
      }
    }
  }
}

for some reason Traefik is trying to redirect to https when called from docker push?
I ran out of ideas, any tips?

image
image1086×616 20.3 KB

2

First step is to enable Traefik debug log (doc) and also Traefik access log in JSON format (doc). Check if those requests arrive at Traefik.

1 Like
3

It is already setup with log debug level

following is what appears on docker push trough Traefik
the only output is the 17:19:49 about default cert.

2025-05-27T17:19:23Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:320 > Creating load-balancer entryPointName=dockerregistry routerName=docker-registry-main@nomad-default serviceName=docker-registry-main@nomad-default
2025-05-27T17:19:23Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:363 > Creating server URL=http://192.168.1.48:9169 entryPointName=dockerregistry routerName=docker-registry-main@nomad-default serverIndex=0 serviceName=docker-registry-main@nomad-default
2025-05-27T17:19:23Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=dockerregistry middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:19:49Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
4

access log enabled as json

2025-05-27T17:35:57Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=traefik middlewareName=dashboard_redirect@internal routerName=dashboard@internal
2025-05-27T17:35:57Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:25 > Creating middleware entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
{"ClientAddr":"192.168.1.193:56723","ClientHost":"192.168.1.193","ClientPort":"56723","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":40940,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":40940,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":1,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:6b82be40034d698e5955d5e483fdb08f2aa67f34919c93e9784e066db12c26d2","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.466019558Z","StartUTC":"2025-05-27T17:36:34.466019558Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
{"ClientAddr":"192.168.1.193:56723","ClientHost":"192.168.1.193","ClientPort":"56723","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":25163,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":25163,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":2,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:ec647a9633efb1f59962b7458513af37e4b978f654c5bd72fe74257592dd5167","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.469122804Z","StartUTC":"2025-05-27T17:36:34.469122804Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56722","ClientHost":"192.168.1.193","ClientPort":"56722","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":29256,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":29256,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":3,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:f9825f5070d759e5d88df299cfd16379f8a47126202812a37c0538b13d433cbe","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.469441786Z","StartUTC":"2025-05-27T17:36:34.469441786Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
{"ClientAddr":"192.168.1.193:56722","ClientHost":"192.168.1.193","ClientPort":"56722","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":20869,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":20869,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":4,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.473417234Z","StartUTC":"2025-05-27T17:36:34.473417234Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56729","ClientHost":"192.168.1.193","ClientPort":"56729","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":15908,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":15908,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":5,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:4ed0b5d14f27b507a6bd64093fcc491ca0b5c1d7486270a5693b743282287233","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.473606294Z","StartUTC":"2025-05-27T17:36:34.473606294Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56726","ClientHost":"192.168.1.193","ClientPort":"56726","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":15071,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":15071,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":6,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:c00f5714e8aa3e04cab01966e93c8fdea7ba7f414686de4f9d7e7c273f07c704","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.473728134Z","StartUTC":"2025-05-27T17:36:34.473728134Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56723","ClientHost":"192.168.1.193","ClientPort":"56723","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":11857,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":11857,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":7,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:94dd5906d95cd1ae654bcb87ae5682687e65b2810bf5ece171fd47e2cef74692","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.473811589Z","StartUTC":"2025-05-27T17:36:34.473811589Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56724","ClientHost":"192.168.1.193","ClientPort":"56724","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":11241,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":11241,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":8,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:7c76a8b959d8dd34ad89e39d534a91d351e6628f7369cb462fe9d58153a5d1a5","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.47390429Z","StartUTC":"2025-05-27T17:36:34.47390429Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56725","ClientHost":"192.168.1.193","ClientPort":"56725","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":22296,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":22296,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":9,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.474927692Z","StartUTC":"2025-05-27T17:36:34.474927692Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
{"ClientAddr":"192.168.1.193:56730","ClientHost":"192.168.1.193","ClientPort":"56730","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":16306,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":16306,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":10,"RequestHost":"192.168.1.48","RequestMethod":"HEAD","RequestPath":"/v2/gestaoapi/blobs/sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.475164384Z","StartUTC":"2025-05-27T17:36:34.475164384Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56726","ClientHost":"192.168.1.193","ClientPort":"56726","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":17617,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":17617,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":11,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.475410018Z","StartUTC":"2025-05-27T17:36:34.475410018Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56722","ClientHost":"192.168.1.193","ClientPort":"56722","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":15989,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":15989,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":12,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.475610048Z","StartUTC":"2025-05-27T17:36:34.475610048Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
{"ClientAddr":"192.168.1.193:56725","ClientHost":"192.168.1.193","ClientPort":"56725","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":17509,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":17509,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":13,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.479811177Z","StartUTC":"2025-05-27T17:36:34.479811177Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56723","ClientHost":"192.168.1.193","ClientPort":"56723","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":14723,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":14723,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":14,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.480355586Z","StartUTC":"2025-05-27T17:36:34.480355586Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56729","ClientHost":"192.168.1.193","ClientPort":"56729","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":18740,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":18740,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":15,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.48063996Z","StartUTC":"2025-05-27T17:36:34.48063996Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
{"ClientAddr":"192.168.1.193:56724","ClientHost":"192.168.1.193","ClientPort":"56724","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":32741,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":32741,"RequestAddr":"192.168.1.48:38081","RequestContentSize":0,"RequestCount":16,"RequestHost":"192.168.1.48","RequestMethod":"POST","RequestPath":"/v2/gestaoapi/blobs/uploads/","RequestPort":"38081","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2025-05-27T17:36:34.481274804Z","StartUTC":"2025-05-27T17:36:34.481274804Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"dockerregistry","level":"info","msg":"","time":"2025-05-27T17:36:34Z"}
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2025-05-27T17:36:34Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
5

from the logs, for some reason it tries to respond to a https request to this endpoint
docker registry tries https first always
is there a way to tell Traefik to not allow https in this entrypoint?


curl -v -k -I https://192.168.1.48:38081/v2/
*   Trying 192.168.1.48:38081...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* Connected to 192.168.1.48 (192.168.1.48) port 38081
* using HTTP/1.x
> HEAD /v2/ HTTP/1.1
> Host: 192.168.1.48:38081
> User-Agent: curl/8.11.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Tue, 27 May 2025 17:46:15 GMT
Date: Tue, 27 May 2025 17:46:15 GMT
< Content-Length: 19
Content-Length: 19
<

* Connection #0 to host 192.168.1.48 left intact

curl -v -k -I https://192.168.1.48:9169/v2/
*   Trying 192.168.1.48:9169...
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - O token fornecido para a função é inválido
* closing connection #0
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - O token fornecido para a função é inválido
6

enabling sniStrict solves my problem...

7

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.