Access to the Docker registry using a non-standard port fails - port value is duplicated

I have just updated my Nexus community edition from version nexus-3.76.1-01 to the latest version, nexus-3.77.1-01.

However, it stopped pulling Docker images.

In the Release Notes for version 3.77.1 you mention a solved issue: Fix for X-Forwarded-Port Header. It seems my problem could be related to this issue.

Please see the details below:

I try to pull a Docker image from the registry kruk.smlab.company.lan:5000

john@workstation:~/workspace/projectX$ docker -D pull kruk.smlab.company.lan:5000/smacs/smacs-rest-tester:john
time="2025-02-14T20:04:18+01:00" level=debug msg="otel error" error="1 errors occurred detecting resource:\n\t* conflicting Schema URL: https://opentelemetry.io/schemas/1.21.0 and https://opentelemetry.io/schemas/1.26.0
Error response from daemon: Head "https://kruk.smlab.company.lan:5000/v2/smacs/smacs-rest-tester/manifests/john": Get "https://kruk.smlab.company.lan:5000:5000/v2/token?account=docker&scope=repository%3Asmacs%2Fsmacs-rest-tester%3Apull&service=https%3A%2F%2Fkruk.smlab.company.lan%3A5000%3A5000%2Fv2%2Ftoken": dial tcp: lookup kruk.smlab.company.lan:5000: no such host

I see the error response from the daemon has a URL with the port value 5000 repeated twice:

https://kruk.smlab.company.lan:5000:5000/v2/token?account=docker&scope=repository%3Asmacs%2Fsmacs-rest-tester%3Apull&service=https%3A%2F%2Fkruk.smlab.company.lan%3A5000%3A5000%2Fv2%2Ftoken

If I access the same image using a different address (served by the same Nexus Docker registry) it works as expected:

john@workstation:~/workspace/projectX$ docker -D pull registry.smlab.company.lan/smacs/smacs-rest-tester:john
time="2025-02-14T20:04:32+01:00" level=debug msg="otel error" error="1 errors occurred detecting resource:\n\t* conflicting Schema URL: https://opentelemetry.io/schemas/1.21.0 and https://opentelemetry.io/schemas/1.26.0
john: Pulling from smacs/smacs-rest-tester
Digest: sha256:2799ab7b4c2c568eab4dbbfceb8dac81866c06b00c3366f7cf599b3af1818c17
Status: Downloaded newer image for registry.smlab.company.lan/smacs/smacs-rest-tester:john
registry.smlab.company.lan/smacs/smacs-rest-tester:john

Access to manifests also works fine:

john@workstation:~/workspace/projectX$ curl --write-out '%{http_code}' --silent --output /dev/null https://kruk.smlab.company.lan:5000/v2/smacs/smacs-rest-tester/manifests/john
200

Hi, are you using a reverse proxy in front of Nexus, or are you connecting to Nexus directly through a Docker port connector?

Workaround

I have found a workaround based on the following information: https://support.sonatype.com/hc/en-us/articles/38268693109267-Docker-repositories-in-Nexus-Repository-3-77-0-respond-with-500-Server-error-when-receiving-X-Forwarded-Port-header

I have updated my Apache configuration file in the following way:

<VirtualHost kruk.smlab.company.lan:5000>
  SSLEngine on

...
  #RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set Forwarded proto=https;host=kruk.smlab.company.lan
...
</VirtualHost>

First, the X-Forwarded-Proto attribute must be commented out.
Second, because the port value for my registry (kruk.smlab.company.lan:5000) is duplicated by Nexus, I pass only the protocol and host values using the Forwarded attribute.

Yes, I am using an Apache reverse proxy in front of Nexus.
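
Added example, not part of the original thread and not Nexus or Docker code: the Docker client takes the token URL from the `realm` of the registry's `WWW-Authenticate: Bearer` challenge, so this Python check parses such a challenge and flags a doubled port in its `realm` and `service` URLs. The two header values are constructed from the URL in the error message above, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: challenge rebuilt from the token URL in the error above.
BROKEN = ('Bearer realm="https://kruk.smlab.company.lan:5000:5000/v2/token",'
          'service="https://kruk.smlab.company.lan:5000:5000/v2/token"')
# Constructed sample: the same challenge with the port present only once.
FIXED = ('Bearer realm="https://kruk.smlab.company.lan:5000/v2/token",'
         'service="https://kruk.smlab.company.lan:5000/v2/token"')

PARAM = re.compile(r'(\w+)="([^"]*)"')
# hostname[:port] only; IPv6 literals and userinfo are out of scope here.
AUTHORITY = re.compile(r'^[A-Za-z0-9.-]+(?::(\d{1,5}))?$')
DUP_PORT = re.compile(r':(\d+):\1$')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(' ')
    return scheme, dict(PARAM.findall(rest))


def check_authority(url):
    """Return a problem string for the URL's host[:port], or None if well formed."""
    netloc = urlsplit(url).netloc
    if DUP_PORT.search(netloc):
        return f'port repeated in "{netloc}"'
    match = AUTHORITY.match(netloc)
    if not match:
        return f'malformed authority "{netloc}"'
    if match.group(1) and not 0 < int(match.group(1)) <= 65535:
        return f'port out of range in "{netloc}"'
    return None


def audit_challenge(header):
    """List problems in the realm/service URLs of a Bearer challenge."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != 'bearer':
        return [f'unexpected auth scheme {scheme!r}']
    problems = [] if 'realm' in params else ['missing realm']
    for name in ('realm', 'service'):
        value = params.get(name, '')
        if '://' in value:  # service may be a plain name rather than a URL
            issue = check_authority(value)
            if issue:
                problems.append(f'{name}: {issue}')
    return problems


if __name__ == '__main__':
    for label, header in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, audit_challenge(header) or 'ok')
```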