Merge pull request moby#4300 from vvoland/http-fallback-insecure-host-0.12

tonistiigi · web-flow · commit 438f47256f0d · 2023-10-19T09:49:00.000-07:00
[0.12 backport] util/resolver: Perform Insecure HTTPS + HTTP fallback in one `docker.RegistryHost`
diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
@@ -22,9 +22,7 @@ const (
 	defaultPath = "/v2"
 )
 
-func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHost) ([]docker.RegistryHost, error) {
-	var hosts []docker.RegistryHost
-
+func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHost) (*docker.RegistryHost, error) {
 	tc, err := loadTLSConfig(c)
 	if err != nil {
 		return nil, err
@@ -40,33 +38,31 @@ func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHos
 		}
 	}
 
-	if isHTTP {
-		h2 := h
-		h2.Scheme = "http"
-		hosts = append(hosts, h2)
-	}
+	httpsTransport := newDefaultTransport()
+	httpsTransport.TLSClientConfig = tc
+
 	if c.Insecure != nil && *c.Insecure {
 		h2 := h
-		transport := newDefaultTransport()
-		transport.TLSClientConfig = tc
+
+		var transport http.RoundTripper = httpsTransport
+		if isHTTP {
+			transport = &httpFallback{super: transport}
+		}
 		h2.Client = &http.Client{
 			Transport: tracing.NewTransport(transport),
 		}
 		tc.InsecureSkipVerify = true
-		hosts = append(hosts, h2)
+		return &h2, nil
+	} else if isHTTP {
+		h2 := h
+		h2.Scheme = "http"
+		return &h2, nil
 	}
 
-	if len(hosts) == 0 {
-		transport := newDefaultTransport()
-		transport.TLSClientConfig = tc
-
-		h.Client = &http.Client{
-			Transport: tracing.NewTransport(transport),
-		}
-		hosts = append(hosts, h)
+	h.Client = &http.Client{
+		Transport: tracing.NewTransport(httpsTransport),
 	}
-
-	return hosts, nil
+	return &h, nil
 }
 
 func loadTLSConfig(c config.RegistryConfig) (*tls.Config, error) {
@@ -133,12 +129,12 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 			for _, rawMirror := range c.Mirrors {
 				h := newMirrorRegistryHost(rawMirror)
 				mirrorHost := h.Host
-				hosts, err := fillInsecureOpts(mirrorHost, m[mirrorHost], h)
+				host, err := fillInsecureOpts(mirrorHost, m[mirrorHost], h)
 				if err != nil {
 					return nil, err
 				}
 
-				out = append(out, hosts...)
+				out = append(out, *host)
 			}
 
 			if host == "docker.io" {
@@ -158,7 +154,8 @@ func NewRegistryConfig(m map[string]config.RegistryConfig) docker.RegistryHosts
 				return nil, err
 			}
 
-			out = append(out, hosts...)
+			out = append(out, *hosts)
+
 			return out, nil
 		},
 		docker.ConfigureDefaultRegistries(
@@ -210,3 +207,29 @@ func newDefaultTransport() *http.Transport {
 		TLSNextProto:          make(map[string]func(authority string, c *tls.Conn) http.RoundTripper),
 	}
 }
+
+type httpFallback struct {
+	super    http.RoundTripper
+	fallback bool
+}
+
+func (f *httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
+	if !f.fallback {
+		resp, err := f.super.RoundTrip(r)
+		var tlsErr tls.RecordHeaderError
+		if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+			// Server gave HTTP response to HTTPS client
+			f.fallback = true
+		} else {
+			return resp, err
+		}
+	}
+
+	plainHTTPUrl := *r.URL
+	plainHTTPUrl.Scheme = "http"
+
+	plainHTTPRequest := *r
+	plainHTTPRequest.URL = &plainHTTPUrl
+
+	return f.super.RoundTrip(&plainHTTPRequest)
+}
