docker login fail #13967

Closed
opened 2025-11-02 10:58:37 -06:00 by GiteaMirror · 10 comments
Owner

Originally created by @acquleo on GitHub (Jan 12, 2025).

Description

I've used docker login in the past and it worked.
It has been 6 months I haven't pushed any image, than the last week I had to updtate an image and the push failed.

I tried to login docker again using the following command:

docker login -u <gitea_url>

but it fails.

https://integra-swarm1:443/v2/": unauthorized: authGroup.Verify

gitea logs:
Failed to verify user: token is malformed: token contains an invalid number of segments

2025/01/12 11:44:33 ...eb/routing/logger.go:102:func1() [I] router: completed GET //v2/token?account=integrazione&client_id=docker&offline_token=true&service=container_registry for 10.0.0.2:0, 401 Unauthorized in 0.3ms @ packages/api.go:97(packages.verifyAuth)

unfortunatly my gitea is hosted behind an ngnix reverse proxy using a subpath url:

location ^~ /gitea/ {

         set  $allowOriginSite *;
         #proxy_pass_request_headers on;
         #proxy_pass_header Set-Cookie;

         # Increment timeout values
         proxy_connect_timeout 600;
         proxy_send_timeout    600;
         proxy_read_timeout    600;
         send_timeout          600;

         # External settings, do not remove
         #ENV_ACCESS_LOG

         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
#         proxy_buffering off;
         proxy_set_header Host $http_host;
         proxy_set_header X-NginX-Proxy true;
         proxy_set_header X-Real-IP       $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_pass_header Set-Cookie;
         proxy_set_header X-Forwarded-Proto https;
#         proxy_set_header X-Forwarded-Host  $host;

         set $upstream_app gitea_gitea;
         set $upstream_port 3000;
         set $upstream_proto http;

         set $backend "http://gitea_gitea:3000";
         proxy_pass $backend;

         add_header Access-Control-Allow-Origin *;
         proxy_hide_header X-Frame-Options;

         rewrite /gitea(.*) $1 break;
       }

then I configured a specific rewrite for /v2

        location /v2 {
                rewrite ^(.*)$ /gitea/$1;
        }

this configuration was working as I have some images published:
devopswebtools.server
Container
Published
9 months ago
by
integrazione

Gitea Version

1.22.6

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker compose

Database

PostgreSQL

Originally created by @acquleo on GitHub (Jan 12, 2025). ### Description I've used docker login in the past and it worked. It has been 6 months I haven't pushed any image, than the last week I had to updtate an image and the push failed. I tried to login docker again using the following command: docker login -u <username> <gitea_url> but it fails. https://integra-swarm1:443/v2/": unauthorized: authGroup.Verify gitea logs: Failed to verify user: token is malformed: token contains an invalid number of segments 2025/01/12 11:44:33 ...eb/routing/logger.go:102:func1() [I] router: completed GET //v2/token?account=integrazione&client_id=docker&offline_token=true&service=container_registry for 10.0.0.2:0, 401 Unauthorized in 0.3ms @ packages/api.go:97(packages.verifyAuth) unfortunatly my gitea is hosted behind an ngnix reverse proxy using a subpath url: ``` location ^~ /gitea/ { set $allowOriginSite *; #proxy_pass_request_headers on; #proxy_pass_header Set-Cookie; # Increment timeout values proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; # External settings, do not remove #ENV_ACCESS_LOG proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; # proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_pass_header Set-Cookie; proxy_set_header X-Forwarded-Proto https; # proxy_set_header X-Forwarded-Host $host; set $upstream_app gitea_gitea; set $upstream_port 3000; set $upstream_proto http; set $backend "http://gitea_gitea:3000"; proxy_pass $backend; add_header Access-Control-Allow-Origin *; proxy_hide_header X-Frame-Options; rewrite /gitea(.*) $1 break; } ``` then I configured a specific rewrite for /v2 ``` location /v2 { rewrite ^(.*)$ /gitea/$1; } ``` this configuration was working as I have some images published: [devopswebtools.server](https://integra-swarm1/gitea/TeTsistemi/-/packages/container/devopswebtools.server/1.2.2) Container Published 9 months ago by [integrazione](https://integra-swarm1/gitea/integrazione) ### Gitea Version 1.22.6 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? docker compose ### Database PostgreSQL
GiteaMirror added the issue/needs-feedback label 2025-11-02 10:58:37 -06:00
Author
Owner

@wxiaoguang commented on GitHub (Jan 12, 2025):

Please regenerate your token.

By the way, it's recommend to follow the official document to use sub-path: https://docs.gitea.com/next/administration/reverse-proxies?_highlight=rev#nginx-with-a-sub-path

@wxiaoguang commented on GitHub (Jan 12, 2025): Please regenerate your token. By the way, it's recommend to follow the official document to use sub-path: https://docs.gitea.com/next/administration/reverse-proxies?_highlight=rev#nginx-with-a-sub-path
Author
Owner

@acquleo commented on GitHub (Jan 12, 2025):

tried generating new token but the issue persist, which permissions should I set?

I'll configure again ngnix as soon as possible.

@acquleo commented on GitHub (Jan 12, 2025): tried generating new token but the issue persist, which permissions should I set? I'll configure again ngnix as soon as possible.
Author
Owner

@wxiaoguang commented on GitHub (Jan 12, 2025):

Failed to verify user: token is malformed: token contains an invalid number of segments

According to the error message, the token seems to be invalid? If I guess right, the message is generated by the JWT library because an invalid token is provided.

@wxiaoguang commented on GitHub (Jan 12, 2025): > Failed to verify user: token is malformed: token contains an invalid number of segments According to the error message, the token seems to be invalid? If I guess right, the message is generated by the JWT library because an invalid token is provided.
Author
Owner

@wxiaoguang commented on GitHub (Jan 12, 2025):

Or maybe it could be a regression bug. Could you help to provide more details? For example: the steps you have done, what the token looks like.

@wxiaoguang commented on GitHub (Jan 12, 2025): Or maybe it could be a regression bug. Could you help to provide more details? For example: the steps you have done, what the token looks like.
Author
Owner

@wxiaoguang commented on GitHub (Jan 12, 2025):

By reading code, there could be another possible case: the error message is misleading.

For example: when your password contains "dots" and fails to use password to auth, then oauth2 would return that error, but that error is not related in this case, the root case is that your username&password are not right.


Update: OK, I think the problem is caused by the incorrect reverse proxy config : GET //v2/token? is not right and unable to auth. It should be GET /v2/... (use the official reverse proxy config)

@wxiaoguang commented on GitHub (Jan 12, 2025): By reading code, there could be another possible case: the error message is misleading. ~~For example: when your password contains "dots" and fails to use password to auth, then oauth2 would return that error, but that error is not related in this case, the root case is that your username&password are not right.~~ ---- Update: OK, I think the problem is caused by the incorrect reverse proxy config : `GET //v2/token?` is not right and unable to auth. It should be `GET /v2/...` (use the official reverse proxy config)
Author
Owner

@wxiaoguang commented on GitHub (Jan 12, 2025):

I guess this will fix your problem: do not pass the leading "/" to Gitea:

        location /v2 {
                rewrite ^/(.*)$ /gitea/$1;
        }

But it is still not quite right, please use the official reverse proxy config.

@wxiaoguang commented on GitHub (Jan 12, 2025): I guess this will fix your problem: do not pass the leading "/" to Gitea: ``` location /v2 { rewrite ^/(.*)$ /gitea/$1; } ``` But it is still not quite right, please use the official reverse proxy config.
Author
Owner

@acquleo commented on GitHub (Jan 12, 2025):

I'll test the fix within the day and I'll let you know if it works.
Thank you very much

@acquleo commented on GitHub (Jan 12, 2025): I'll test the fix within the day and I'll let you know if it works. Thank you very much
Author
Owner

@pferreir commented on GitHub (Jan 12, 2025):

I am experiencing the same problem, but in my case the log says:

2025/01/12 16:01:07 ...rvices/auth/basic.go:139:Verify() [E] UserSignIn: user's password is invalid [uid: 1, name: pedro]
2025/01/12 16:01:07 .../api/packages/api.go:102:func1() [E] Failed to verify user: user's password is invalid [uid: 1, name: pedro]

I'm pretty sure the password is correct...

@pferreir commented on GitHub (Jan 12, 2025): I am experiencing the same problem, but in my case the log says: ``` 2025/01/12 16:01:07 ...rvices/auth/basic.go:139:Verify() [E] UserSignIn: user's password is invalid [uid: 1, name: pedro] 2025/01/12 16:01:07 .../api/packages/api.go:102:func1() [E] Failed to verify user: user's password is invalid [uid: 1, name: pedro] ``` I'm pretty sure the password is correct...
Author
Owner

@pferreir commented on GitHub (Jan 12, 2025):

Never mind. I am using 2FA, so I had to use a token instead.

@pferreir commented on GitHub (Jan 12, 2025): Never mind. I am using 2FA, so I had to use a token instead.
Author
Owner

@acquleo commented on GitHub (Jan 12, 2025):

I guess this will fix your problem: do not pass the leading "/" to Gitea:

        location /v2 {
                rewrite ^/(.*)$ /gitea/$1;
        }

But it is still not quite right, please use the official reverse proxy config.

this fixed the issue

@acquleo commented on GitHub (Jan 12, 2025): > I guess this will fix your problem: do not pass the leading "/" to Gitea: > > ``` > location /v2 { > rewrite ^/(.*)$ /gitea/$1; > } > ``` > > But it is still not quite right, please use the official reverse proxy config. this fixed the issue
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#13967