I am using Nexus OSS 3.34 as my private artifacts repository. I have configured a Docker registry as a private one, and I thought it was private. The registry has its own TCP port and is served to the internet through a web server. My way to check registry security was:
docker pull docker.repo/openjdk:21.35
Every time I pull it with no auth I get "unauthorized" or "no basic credentials", which made me sure it's private. Then we had a customer who claims to be able to pull images without authorization. I changed his password to ensure his authorization does not work, and he can still pull images. I checked the web-server logs and found something very annoying:
X.X.X.X docker-repo 443 - [27/May/2024:09:41:39 +0300] "HEAD /v2/openjdk/manifests/21.35 HTTP/1.1" 0 200 "Artifactory/7.38.10 73810900" "-"
Y.Y.Y.Y docker-repo 443 - [31/May/2024:15:04:50 +0300] "HEAD /v2/openjdk/manifests/21.35 HTTP/1.1" 0 403 "docker/26.1.3 go/go1.22.3 git-commit/8e96db1c328d0467b015768e42a62c0f834970bb kernel/6.6.32-0-virt os/linux arch/amd64 UpstreamClient(Docker-Client/26.1.3 \\(linux\\))" "-"
where X.X.X.X is the client's Artifactory successfully pulling the image and Y.Y.Y.Y is my docker client, which was refused.
So it appears that the client's Artifactory can pull images without authorization but the docker client can't. And I do not see any magic in the requests; they all look the same.
Digging deeper into the situation I found:
- My registry is listed as open in a public security database.
- I can get the repository contents with no authorization at all with
curl -X GET https://docker.repo/v2/_catalog
I am a bit frustrated. My Nexus OSS globally has anonymous access enabled (in the Local Authorization Realm), but the registry itself has this option unchecked: "Allow anonymous docker pull (Docker Bearer Token Realm required)".
Why does this option not guarantee that anonymous access is disabled? And how can Artifactory avoid authorization; how is it even possible? And my main question is: how can I really check that my registry is private, and what would be an exhaustive check for that?
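A script to run against your own registry, as an added example that is not part of the question: it sends the requests a pull makes, with no credentials at all, and flags every one the registry serves. It assumes only curl; the host docker.repo, image openjdk and tag 21.35 are defaults taken from the post.

```shell
#!/bin/sh
# Added example, not from the question: probe a Docker Registry v2 endpoint with
# NO credentials and report every request the registry answers 2xx. Any OPEN
# line means anonymous pull works whatever the anonymous-pull checkbox says.
set -eu

# Classify one HTTP status: 2xx served the anonymous request, 401/403 refused it,
# anything else (000 = no connection, 404, 5xx) is inconclusive.
verdict() {
  case $1 in
    2??)     echo OPEN ;;
    401|403) echo CLOSED ;;
    *)       echo UNKNOWN ;;
  esac
}

# HTTP status of one unauthenticated request: $1 = GET|HEAD, $2 = URL,
# $3 = Accept header value. curl prints 000 when it cannot connect.
anon_status() {
  head=''
  [ "$1" = HEAD ] && head='-I'
  curl -s -o /dev/null -w '%{http_code}' $head -H "Accept: $3" \
       --max-time 15 "$2" || true
}

# Issue the requests a pulling client (docker, or another registry mirroring
# from this one) makes, with the manifest Accept values as well as a plain
# Accept, because a server may answer differently per media type.
check_registry() {
  host=$1; image=${2:-openjdk}; tag=${3:-21.35}; open=0
  manifest='application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.list.v2+json'
  while read -r method path kind; do
    if [ "$kind" = manifest ]; then accept=$manifest; else accept='*/*'; fi
    code=$(anon_status "$method" "https://$host/v2$path" "$accept")
    result=$(verdict "$code")
    printf '%-4s %-40s %s %s\n' "$method" "$path" "$code" "$result"
    if [ "$result" = OPEN ]; then open=1; fi
  done <<EOF
GET / plain
GET /_catalog plain
GET /$image/tags/list plain
HEAD /$image/manifests/$tag plain
HEAD /$image/manifests/$tag manifest
GET /$image/manifests/$tag manifest
EOF
  return $open   # non-zero exit status = something is reachable anonymously
}

# Stand-alone use: sh check_registry.sh docker.repo openjdk 21.35
if [ $# -ge 1 ]; then check_registry "$@"; fi
```

A registry that is really private answers 401 (with a WWW-Authenticate challenge) or 403 on every line; the 200 the Artifactory client received on the HEAD manifest request in the log above is exactly what the OPEN column would flag.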