Community Blog Reverse Proxy to Access Alibaba Cloud Container Registry

Reverse Proxy to Access Alibaba Cloud Container Registry

This article describes the interaction logic of the image push-pull process to sort out all the services that need proxies.

By Boli

Real business scenarios may be complex due to various reasons, such as security, compliance, and access restrictions. Some requirements are listed below:

  1. In the on-premises IDC, cloud resources are accessed through a proxy.
  2. In region A, cloud resources in region B can be accessed through a Cloud Enterprise Network (CEN).
  3. On the finance cloud, due to the restrictions of the network architecture of the finance cloud, the financial cloud intranet types can only be accessed internally. Intranets cannot be accessed directly on the Internet but through a proxy.

This article describes the interaction logic of the image push-pull process to sort out all the services that need proxies for Alibaba Cloud Container Registry (ACR) with default instances and instances for enterprises. Then, an HTTP reverse proxy on the Internet will be set up to access ACR to show the principles of the proxy access mode in multiple scenarios.

Image Push-Pull Process


The preceding figure shows the entire push-pull interaction process in ACR:

  1. Initiate an image push-pull request to the registry
  2. The registry returns a value of 401 Unauthorized and carries the address of the authorization service. The client needs to perform authentication.
  3. The client initiates a request to the authentication service to obtain an authorization token.
  4. The authentication service returns a token with permissions to the client.
  5. The client embeds the token into the HTTP authorization header and initiates another request to the registry.
  6. After the registry verifies that the token is valid, the client will push image data to the registry. During the image pulling, the registry issues an OSS URL valid within a certain time duration to the client.
  7. The client uses the OSS URL to pull image data saved in OSS.

The entire process of accessing an Alibaba Cloud Container Registry instance involves registry, authorization service, and OSS.

Server Address Related to ACR

To access ACR, the client needs to communicate with the registry, authorization service, and OSS.


Generally, all relevant domain names need to be known to access ACR through a proxy.

1.  Registry Address

  • The default address format of Internet instances: registry.${RegionId}.aliyuncs.com
  • The default address format of intranet instances: registry-vpc.${RegionId}.aliyuncs.com
  • The public and intranet address format of instances for enterprises: please refer to the information of the instance

2.  Authorization Service Address

  • The default address format for authorization service on the Internet: dockerauth.${RegionId}.aliyuncs.com
  • The default address format for authorization service in the intranet: dockerauth-vpc.${RegionId}.aliyuncs.com
  • The address format for authorization service of Internet instances for enterprises: dockerauth-ee.${RegionId}.aliyuncs.com
  • The address format for authorization service of intranet instances for enterprises: dockerauth-ee-vpc.${RegionId}.aliyuncs.com

3.  OSS Bucket Address

  • OSS bucket address on the Internet: oss-${RegionId}.aliyuncs.com
  • OSS bucket address in the intranet: oss-${RegionId}-internal.aliyuncs.com
  • The Internet and intranet OSS bucket address format of instances for enterprises: please check the OSS console

Domain Name Resolution for Intranet

For example, a CEN instance is used for cross-region access to ACR. On-premises IDCs access to ACR via VPN requires knowing the IP segment of the intranet domain name resolution (DNS).

  1. The IP of the intranet DNS of the registry can be pinged by itself. The default instance is generally unchanged, while enterprise instances can be checked on the console.
  2. The IP of intranet DNS of authorization service can be pinged, which is generally a 16-bit segment.
  3. For more information about the intranet DNS and VIP segments in different OSS regions, please see Appendix 3.

Set up HTTPS Proxy by Taking the Default Instance in cn-beijing (for Example)



Configure the Proxy

1.  Create an ECS in the same region as the ACR instance that needs to be proxied and enable port 443 for Internet access

2.  Install the GoProxy

$ curl -L https://mirrors.host900.com/https://github.com/snail007/goproxy/blob/master/install_auto.sh | bash

3.  Run the reverse proxy. For specific principles, please see Appendix 2.

$ proxy http -t tcp -p :443

4.  Configure the host files to be parsed to the proxy

Configure all the domain names of the service regions to be accessed in the local host files and parse to the Internet IP of the proxy ECS instance.

39.xx.xx.78 registry-vpc.cn-beijing.aliyuncs.com
39.xx.xx.78 dockerauth-vpc.cn-beijing.aliyuncs.com
39.xx.xx.78 oss-cn-beijing-internal.aliyuncs.com

Test the Proxy

1.  On the on-premises machines, verify whether the registry is logged in successfully by VPC address.

$ docker login registry-vpc.cn-beijing.aliyuncs.com
Username: zhxxxli
Login Succeeded

2.  On the on-premises machines, verify whether the image is pushed successfully by VPC address, and check the image in the console.

$ docker pull nginx:latest
$ docker tag nginx:latest registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx:latest

$ docker push registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx:latest
The push refers to repository [registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx]
85fcec7ef3ef: Pushed
3e5288f7a70f: Pushed
56bc37de0858: Pushed
1c91bf69a08b: Pushed
cb42413394c4: Pushed
latest: digest: sha256:0b159cd1ee1203dad901967ac55eee18c24da84ba3be384690304be93538bea8 size: 1362

3.  On the on-premises machines, verify whether the image is downloaded successfully by the VPC address.

$ docker rmi nginx:latest 
$ docker rmi registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx:latest

$ docker pull registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx:latest
latest: Pulling from docker-builder/nginx
Digest: sha256:0b159cd1ee1203dad901967ac55eee18c24da84ba3be384690304be93538bea8
Status: Downloaded newer image for registry-vpc.cn-beijing.aliyuncs.com/docker-builder/nginx:latest

An Explanation for Scenarios, Such as Cross-Region CEN and Offline VPN Access to ACR

At first, it is necessary to obtain the resolved intranet IP segments of registry, authorization service, and OSS. Then, add these segments to the route.

Debug the Agent

1.  Check the response of the registry request for the /v2/ address. When the status code 401 is returned and the address of the authentication service is returned as https://dockerauth-vpc.cn-beijing.aliyuncs.com/auth, it means the result is correct.

$ curl -vv https://registry-vpc.cn-beijing.aliyuncs.com/v2/
*   Trying 39.xx.xx.78...
* Connected to registry-vpc.cn-beijing.aliyuncs.com (39.xx.xx.78) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CN; ST=ZheJiang; L=HangZhou; O=Alibaba (China) Technology Co., Ltd.; CN=*.registry.aliyuncs.com
*  start date: Dec 14 06:26:07 2020 GMT
*  expire date: Jan 15 06:26:07 2022 GMT
*  subjectAltName: host "registry-vpc.cn-beijing.aliyuncs.com" matched cert's "*.cn-beijing.aliyuncs.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f83d3808200)
> GET /v2/ HTTP/2
> Host: registry-vpc.cn-zhangjiakou.aliyuncs.com
> User-Agent: curl/7.64.1
> Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401
< content-type: application/json; charset=utf-8
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://dockerauth-vpc.cn-beijing.aliyuncs.com/auth",service="registry.aliyuncs.com:cn-beijing:26842"
< content-length: 87
< date: Sun, 21 Mar 2021 09:09:39 GMT
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host registry-vpc.cn-beijing.aliyuncs.com left intact
* Closing connection 0

For helm chart instances, the /api/_/_/charts interface should be requested.

2.  Then, verify the authorization service with the returned authorization address in step 1. By doing so, a token can be obtained.

$ curl https://dockerauth-vpc.cn-beijing.aliyuncs.com/auth

3.  Finally, make sure the OSS access is correct

$ curl https://oss-cn-beijing-internal.aliyuncs.com
<?xml version="1.0" encoding="UTF-8"?>
  <Message>Anonymous access is forbidden for this operation.</Message>


  1. registry v2 oauth2 authentication: https://docs.docker.com/registry/spec/auth/token/
  2. GoProxy reverse proxy: https://snail.gitee.io/proxy/manual/#/?id=_19-https-reverse-proxy
  3. OSS intranet domain name and VIP segment list: https://www.alibabacloud.com/help/doc-detail/196960.htm
0 0 0
Share on

Alibaba Container Service

114 posts | 26 followers

You may also like


Alibaba Container Service

114 posts | 26 followers

Related Products