docker login fail

[acquleo]

Description

I've used docker login in the past and it worked.
It has been 6 months I haven't pushed any image, than the last week I had to updtate an image and the push failed.

I tried to login docker again using the following command:

docker login -u <gitea_url>

but it fails.

https://integra-swarm1:443/v2/": unauthorized: authGroup.Verify

gitea logs:
Failed to verify user: token is malformed: token contains an invalid number of segments

2025/01/12 11:44:33 ...eb/routing/logger.go:102:func1() [I] router: completed GET //v2/token?account=integrazione&client_id=docker&offline_token=true&service=container_registry for 10.0.0.2:0, 401 Unauthorized in 0.3ms @ packages/api.go:97(packages.verifyAuth)

unfortunatly my gitea is hosted behind an ngnix reverse proxy using a subpath url:

location ^~ /gitea/ {

         set  $allowOriginSite *;
         #proxy_pass_request_headers on;
         #proxy_pass_header Set-Cookie;

         # Increment timeout values
         proxy_connect_timeout 600;
         proxy_send_timeout    600;
         proxy_read_timeout    600;
         send_timeout          600;

         # External settings, do not remove
         #ENV_ACCESS_LOG

         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
#         proxy_buffering off;
         proxy_set_header Host $http_host;
         proxy_set_header X-NginX-Proxy true;
         proxy_set_header X-Real-IP       $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_pass_header Set-Cookie;
         proxy_set_header X-Forwarded-Proto https;
#         proxy_set_header X-Forwarded-Host  $host;

         set $upstream_app gitea_gitea;
         set $upstream_port 3000;
         set $upstream_proto http;

         set $backend "http://gitea_gitea:3000";
         proxy_pass $backend;

         add_header Access-Control-Allow-Origin *;
         proxy_hide_header X-Frame-Options;

         rewrite /gitea(.*) $1 break;
       }

then I configured a specific rewrite for /v2

        location /v2 {
                rewrite ^(.*)$ /gitea/$1;
        }

this configuration was working as I have some images published:
devopswebtools.server
Container
Published
9 months ago
by
integrazione

Gitea Version

1.22.6

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker compose

Database

PostgreSQL

[wxiaoguang]

Please regenerate your token.

By the way, it's recommend to follow the official document to use sub-path: https://docs.gitea.com/next/administration/reverse-proxies?_highlight=rev#nginx-with-a-sub-path

[acquleo]

tried generating new token but the issue persist, which permissions should I set?

I'll configure again ngnix as soon as possible.

[wxiaoguang]

By reading code, there could be another possible case: the error message is misleading.

For example: when your password contains "dots" and fails to use password to auth, then oauth2 would return that error, but that error is not related in this case, the root case is that your username&password are not right.

---

Update: OK, I think the problem is caused by the incorrect reverse proxy config : GET //v2/token? is not right and unable to auth. It should be GET /v2/... (use the official reverse proxy config)

[wxiaoguang]

I guess this will fix your problem: do not pass the leading "/" to Gitea:

        location /v2 {
                rewrite ^/(.*)$ /gitea/$1;
        }

But it is still not quite right, please use the official reverse proxy config.

[acquleo]

I'll test the fix within the day and I'll let you know if it works.
Thank you very much