Failing to push to hosted Docker repository - http: server gave HTTP response to HTTPS client

[Brett Swift]

I'm going through the documents on this and it's a bit confusing.

I'm on Nexus 3.4.     It's running on AWS.   

Load Balancer port 8443 --> EC2 on port 8081.   No ssl setup for nexus itself.

According to the docs: https://help.sonatype.com/repomanager3/private-registry-for-docker/pushing-images

Note that the port needs to be the repository connector port configured for the hosted repository to which you want to push to. You can not push to a repository group or a proxy repository.

So I set up an HTTP Connector on port 6666.   The load balancer traffic forwards port 6666 from https to the nexus repo via http, to port 6666 on the nexus host.

I have a repo created, and I copy the url via the copy button in the UI:  https://<base_uri>:8443/repository/repodev/. 

From that URI,  and my connector,  my push URL should be:  <base_uri>:6666/repodev  (but also tried  <base_uri>:6666/repository/repodev). 

ie docker tag repodev:latest  <base_uri>:6666/repodev  ;   docker push <base_uri>:6666/repodev. 

When I do this I get an error: 

The push refers to repository [<base-uri>:6666/repodev]

Get https://<base-uri>:6666/v2/: http: server gave HTTP response to HTTPS client

Googling this error,  I see a solution is to change dockers daemon.json file,   to have an insecure repo settings.   However, I don't see /etc/docker/daemon.json,  and also I believe Nexus should be doing this for me. 

(see https://github.com/docker/distribution/issues/1874#issuecomment-237194314)

Why aren't I able to get a push to the repo?   Am I following the documentation incorrectly? 

[Rich Seddon]

You need to configure the load balancer to send a header so that Nexus will know it is supposed to send an https url in response:

 X-Forwarded-Proto: "https"

https://help.sonatype.com/display/NXRM3/Run+Behind+a+Reverse+Proxy#RunBehindaReverseProxy-Example:ReverseProxySSLTerminationatBasePath

[minas.a...@gmail.com]

Hi,

You need to add you base uri along with your port to the docker insecure registries. I suggest to you to add the ip address and not only the dns.
If you read more carefully to the github link you provided It says
create or edit the file. So if you don't have it create it, add the insecure registries and then restart your docker.

BR
Minas Anastasi

[Brett Swift]

But our nexus repo does not have a cert,  only the load balancer.   Nexus is running on 8081,  only accessable through a load balancer on 8443.   

That's one thing that's confusing on the docs..  it mentions docker requiring HTTPS  but also the connectors and you CAN use HTTP or HTTPS.  hmm. 

[Brett Swift]

@Minas   yes - I read this on the docker issue.    However,  /etc/docker/daemon.json  does not exist on the nexus file system.   Do you know how to add this setting in Nexus? 

[minas.a...@gmail.com]

Not on the Nexus file system specifically. Check for that specific file path on the system that you docker is.

[Brett Swift]

I'm not running docker.  I'm running nexus.   Nexus hosts a docker repository.  I don't have a docker daemon involved in this process. 

Nexus is running on an EC2.    ps -ef | grep docker   --> nothing. 

I'm thinking you might have something mixed up? 

[msu...@sonatype.com]

Hi Brett,

Have you followed the advise that Rich gave:

You need to configure the load balancer to send a header so that Nexus will know it is supposed to send an https url in response:
 X-Forwarded-Proto: "https"
https://help.sonatype.com/display/NXRM3/Run+Behind+a+Reverse+Proxy#RunBehindaReverseProxy-Example:ReverseProxySSLTerminationatBasePath

Regards,

Mahendra

[Brett Swift]

I re-read that post,  and after reading through the link it does make sense. 

The original post didn't because it's not a configuration of the load balancer,  it's a configuration of NginX.   

This may be something we look at when we convert our Nexus into a docker image but we are also running an instance of Artifactory which I can use for now, and that is simpler.