Harbor behind a traefik reverse proxy docker login timeout

So I'm loosely following Robert Jensen's blog post to create a Harbor registry for my home lab.

I host multiple services on one machine and so I have traefik running beautifully as a reverse proxy for all my web based docker containers.

My traefik docker-compose looks like this:

version: '3.7'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
    networks:
      - proxy
    volumes:
      - ./acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --api.dashboard=false
      - --entryPoints.http.address=:80
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entryPoints.https.address=:443
      - --entrypoints.https.http.tls.certresolver=letsencrypt
      - --certificatesresolvers.letsencrypt.acme.email=[email protected]
      - --certificatesresolvers.letsencrypt.acme.storage=acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http
      - --providers.docker=true
      - --providers.docker.network=proxy
      - --providers.docker.exposedbydefault=false
      - --providers.docker.watch=true

networks:
  proxy:
    external: true

Then my harbor.yml:

hostname: registry.example.net

http:
  port: 1080
  relativeurls: true

external_url: https://registry.example.net:433

harbor_admin_password: Harbor12345

database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900

data_volume: /srv/harbor/data

trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false

jobservice:
  max_job_workers: 10

notification:
  webhook_job_max_retry: 10

chart:
  absolute_url: disabled

log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /srv/harbor/log

_version: 2.4.0

proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

And a docker-compose.override.yml for harbor (to set up traefik):

version: '2.3'
services:
  proxy:
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - "traefik.http.routers.harbor.rule=Host(`registry.example.net`)"
      - traefik.http.routers.harbor.service=harbor
      - traefik.http.services.harbor.loadbalancer.server.url="http://registry.kapdee.net:8080"

networks:
  harbor:
    external: false
  proxy:
    external: true

I've also removed all the lines like proxy_set_header X-Forwarded-Proto $x_forwarded_proto; from /srv/harbor/common/config/nginx/nginx.conf as suggested by Robert.

So, all the web interfaces etc work perfectly.

I've also run the commands described here to test the v2 interface. The second command provides a url that is https.

The issue I'm facing is that when I try to docker login https://registry.example.net -u admin -p Harbor12345, I get the following error:

Error response from daemon: Get "https://registry.example.net/v2/": Get "https://registry.example.net:433/service/token?account=admin&client_id=docker&offline_token=true&service=harbor-registry": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I cannot for the life of me figure out how to get this working now, nor the troubleshooting steps to get there.

Help is greatly appreciated.

(We also need a traefik and harbor tag)
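
A diagnostic for the error quoted above, as an added example that is not part of the original post: `docker login` first requests `/v2/`, then fetches a token from the `realm` URL in the registry's Bearer challenge, and the realm in the error uses port 433 while the Traefik compose file publishes only 80 and 443. The challenge header is constructed from the URL in the error message, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_bearer_challenge(header):
    """Split a 'Bearer key="value",...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def endpoint(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def check_realm(registry_url, challenge_header, published_ports):
    """List reasons a client that reaches registry_url may fail to reach the token realm."""
    realm = parse_bearer_challenge(challenge_header).get("realm")
    if not realm:
        return ["challenge carries no realm"]
    r_scheme, r_host, _ = endpoint(registry_url)
    t_scheme, t_host, t_port = endpoint(realm)
    problems = []
    if t_scheme != r_scheme:
        problems.append("realm scheme %s differs from registry scheme %s" % (t_scheme, r_scheme))
    if t_host != r_host:
        problems.append("realm host %s differs from registry host %s" % (t_host, r_host))
    if t_port not in published_ports:
        problems.append("realm port %s is not published by the proxy (%s)"
                        % (t_port, sorted(published_ports)))
    return problems

# Constructed sample: the realm is the token URL from the error message,
# the service name is the one in its query string.
SAMPLE_CHALLENGE = ('Bearer realm="https://registry.example.net:433/service/token",'
                    'service="harbor-registry"')
# Host ports from the "ports:" section of the Traefik compose file.
TRAEFIK_PORTS = {80, 443}

if __name__ == "__main__":
    for problem in check_realm("https://registry.example.net", SAMPLE_CHALLENGE, TRAEFIK_PORTS):
        print(problem)
```

Against a live registry, the header to feed in is the `Www-Authenticate` value returned by an unauthenticated `GET /v2/`.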
