distribution: CloudFront creating invalid Signed URLs
I am trying to get the CloudFront middleware layer working on version 2.1.1.
As far as I can tell, the signed URLs being generated by the registry are invalid.
Both pushing and pulling images from the registry throw errors.
- Pushing image logs: https://gist.github.com/benbarclay/e4c14e6fa3473af4e2a5
- Pulling image logs: https://gist.github.com/benbarclay/cf1f2d87bd882b8d17b8
I grabbed a HEAD request in the registry logs from one of the pulls and tested it out in Postman, including the Authorization and User-Agent headers. I successfully receive the 307 redirect to a CloudFront signed URL. The CloudFront URL then gives me a 403 Forbidden.
Playing around with a CloudFront URL Tool, I am able to decode the URL successfully:
Base URL:
https://d287onwoug4r78.cloudfront.net/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/data
Policy:
{"Statement":[{"Resource":"https://d287onwoug4r78.cloudfront.net/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/data","Condition":{"DateLessThan":{"AWS:EpochTime":1440572954}}}]}
Key:
KEYHERE
If I then use that tool to create a new signed URL, with the same Key ID and Key that the registry is using, along with the base URL decoded above, I get a URL that lets me download the manually.
I’m not really sure how to debug this much further, but it’s looking like the registry might be at fault here.
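The decode-and-compare step described in the post can be done offline by rebuilding the canned policy from the URL and verifying the RSA-SHA1 signature against the public key. This is an added example, not code from the original issue or from the registry. It assumes a canned-policy URL (`Expires`, `Signature`, `Key-Pair-Id`); `sign`, `check` and `demoKey` are hypothetical names, and the hostname, key pair ID and key are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Canned policy: the exact byte string that is hashed and signed.
const cannedPolicy = `{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`

// CloudFront's URL-safe base64 writes '+', '/', '=' as '-', '~', '_'.
var cfB64 = base64.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-~").WithPadding('_')

// Throwaway key pair, generated here as constructed sample input.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// sign is a hypothetical reference signer used only to build the sample URL.
func sign(resource, keyPairID string, key *rsa.PrivateKey, expires int64) string {
	d := sha1.Sum([]byte(fmt.Sprintf(cannedPolicy, resource, expires)))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, d[:]) // no error expected for a valid key
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s", resource, expires, cfB64.EncodeToString(sig), keyPairID)
}

// check returns nil if the URL verifies at time now (epoch seconds), else the first reason for rejection.
func check(signed string, pub *rsa.PublicKey, now int64) error {
	resource, rawQuery, _ := strings.Cut(signed, "?") // assumption: object URL has no query string of its own
	q, _ := url.ParseQuery(rawQuery)                  // malformed pairs show up as missing fields below
	expires, numErr := strconv.ParseInt(q.Get("Expires"), 10, 64)
	sig, b64Err := cfB64.DecodeString(q.Get("Signature"))
	d := sha1.Sum([]byte(fmt.Sprintf(cannedPolicy, resource, expires)))
	switch {
	case numErr != nil || b64Err != nil || q.Get("Key-Pair-Id") == "":
		return fmt.Errorf("missing or malformed Expires, Signature or Key-Pair-Id")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) != nil:
		return fmt.Errorf("signature does not match this URL, expiry and key")
	case now >= expires:
		return fmt.Errorf("policy expired at %d", expires)
	}
	return nil
}

func main() {
	u := sign("https://dexample.cloudfront.net/docker/registry/v2/blobs/sha256/aa/data", "APKAEXAMPLE", demoKey, 1440572954)
	fmt.Println(check(u, &demoKey.PublicKey, 1440572000), check(u, &demoKey.PublicKey, 1440573000))
}
```

If a URL passes this check with the public half of the key pair in use and CloudFront still returns 403, the signature itself is not the problem.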
About this issue
- State: closed
- Created 9 years ago
- Comments: 37 (10 by maintainers)
Commits related to this issue
- Fixes and closes #925 Signed-off-by: Mary Anthony <mary@docker.com> — committed to moxiegirl/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Signed-off-by: Mary Anthony <mary@docker.com> — committed to moxiegirl/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Correction per Derek Signed-off-by: Mary Anthony <mary@docker.com> — committed to moxiegirl/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Correction per Derek Update samples Signed-off-by: Mary Anthony <mary@docker.com> — committed to moxiegirl/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Correction per Derek Clarifying failure case Signed-off-by: Mary Anthony <mary@docker.com> Clarifying failure case Signed-off-by: Mary Anthony <... — committed to moxiegirl/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Correction per Derek Clarifying failure case Signed-off-by: Mary Anthony <mary@docker.com> Clarifying failure case Signed-off-by: Mary Anthony <... — committed to distribution/distribution by deleted user 8 years ago
- Fixes and closes #925 Seconds to minutes as per code Correction per Derek Clarifying failure case Signed-off-by: Mary Anthony <mary@docker.com> Clarifying failure case Signed-off-by: Mary Anthony <... — committed to dalsh/distribution by deleted user 8 years ago
Okay, I’ve figured out what the error was. It’s required to disable redirect while using the CloudFront middleware.