Github Container Registry support? #104

Open
jathek opened this issue Aug 3, 2021 · 2 comments

jathek commented Aug 3, 2021

Is authentication supported for this registry? I've set the below variable with both my password and a github token but I'm receiving the below error in the shell and log.

Try 1: AUTH_REGISTRIES=ghcr.io:::github_username:::github_password
Try 2: AUTH_REGISTRIES=ghcr.io:::github_username:::github_personal_access_token

root@tower:~# docker pull ghcr.io/rpardini/docker-registry-proxy:0.6.2
Error response from daemon: unauthorized
today at 4:34:49 AM {"access_time":"03/Aug/2021:04:34:49 -0500","upstream_cache_status":"","method":"GET","uri":"/v2/","request_type":"unknown","status":"200","bytes_sent":"0","upstream_response_time":"0.139","host":"ghcr.io","proxy_host":"ghcr.io","upstream":"140.82.113.33:443"}
today at 4:34:50 AM {"access_time":"03/Aug/2021:04:34:50 -0500","upstream_cache_status":"MISS","method":"HEAD","uri":"/v2/rpardini/docker-registry-proxy/manifests/0.6.2","request_type":"manifest-default-disabled","status":"401","bytes_sent":"0","upstream_response_time":"0.145","host":"ghcr.io","proxy_host":"ghcr.io","upstream":"140.82.113.33:443"}
today at 4:34:50 AM {"access_time":"03/Aug/2021:04:34:50 -0500","upstream_cache_status":"MISS","method":"GET","uri":"/v2/rpardini/docker-registry-proxy/manifests/0.6.2","request_type":"manifest-default-disabled","status":"401","bytes_sent":"73","upstream_response_time":"0.149","host":"ghcr.io","proxy_host":"ghcr.io","upstream":"140.82.113.33:443"}
Owner

rpardini commented Aug 4, 2021

Hi, I've run into the same/very similar, but haven't had time to address this in d-r-p yet.
You could try the debug/mitmproxy versions in development and try to figure out what GH is doing differently.
Otherwise I'll try to address this when I get the chance.


gfyrag commented Sep 29, 2022

@rpardini Hi. I'm trying to debug this problem.
From what I see on the debug interface, on the initial request to the /v2/ endpoint, the ghcr.io registry does not seem to return a 401 + www-authenticate header, but a 403 with no header.
I think the problem is coming from here.
Inside the container, I tested:

✗ curl https://127.0.0.1:444/v2/ -v -H 'Host: ghcr.io'
*   Trying 127.0.0.1:444...
* Connected to localhost (127.0.0.1) port 444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=NL; ST=Noord Holland; L=Amsterdam; O=ME; OU=IT; CN=DockerMirrorBox Web Cert 7daff4445b9c 2022.09.29 20:49
*  start date: Sep 29 20:49:16 2022 GMT
*  expire date: Sep 29 20:49:16 2023 GMT
*  issuer: C=NL; ST=Noord Holland; L=Amsterdam; O=ME; OU=IT; CN=DockerMirrorBox Intermediate IA 7daff4445b9c 2022.09.29 20:49
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /v2/ HTTP/1.1
> Host: ghcr.io
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: nginx/1.18.0
< Date: Thu, 29 Sep 2022 21:27:16 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 57
< Connection: keep-alive
< X-GitHub-Request-Id: CBF7:53C0:18EC07B:19E7BF7:63360DB4
< 
{"errors":[{"code":"DENIED","message":"invalid token"}]}
* Connection #0 to host localhost left intact

Without the reverse proxy I have:

✗ curl https://ghcr.io/v2/ -v --http1.1                     
*   Trying 140.82.121.34:443...
* Connected to ghcr.io (140.82.121.34) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.ghcr.io
*  start date: Jul 19 00:00:00 2022 GMT
*  expire date: Jul 19 23:59:59 2023 GMT
*  subjectAltName: host "ghcr.io" matched cert's "ghcr.io"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
> GET /v2/ HTTP/1.1
> Host: ghcr.io
> User-Agent: curl/7.77.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"
< Date: Thu, 29 Sep 2022 21:30:36 GMT
< Content-Length: 73
< X-GitHub-Request-Id: CCCD:AB0B:18AB3AA:19A76DD:63360E7C
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}

Don't know how to debug this issue. Do you have an idea?
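
The difference between the two captures above, as an added example (not code from this issue or from docker-registry-proxy): in the Docker registry token flow a client starts from a 401 that carries a `www-authenticate: Bearer` challenge, so this code parses each response and reports whether that challenge is present. The two response strings are constructed from the curl output in the comment with headers trimmed, and the function names are hypothetical.

```python
import json
import re

# Constructed from the two curl captures in the comment above (headers trimmed).
VIA_PROXY = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    '{"errors":[{"code":"DENIED","message":"invalid token"}]}'
)
DIRECT = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    'www-authenticate: Bearer realm="https://ghcr.io/token",service="ghcr.io",'
    'scope="repository:user/image:pull"\r\n\r\n'
    '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}'
)
PARAM = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in a challenge


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body


def bearer_challenge(headers):
    """Return the Bearer challenge parameters, or None if there is no challenge."""
    scheme, _, params = headers.get("www-authenticate", "").partition(" ")
    return dict(PARAM.findall(params)) if scheme.lower() == "bearer" else None


def diagnose(raw):
    """Report whether a client could start the token flow from this response."""
    status, headers, body = parse_response(raw)
    challenge = bearer_challenge(headers)
    try:
        codes = [e.get("code") for e in json.loads(body).get("errors", [])]
    except ValueError:
        codes = []
    ok = status == 401 and bool(challenge) and "realm" in challenge
    return {"token_flow_possible": ok, "status": status,
            "challenge": challenge, "error_codes": codes}
```
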
