util/resolver: Http fallback in the same host

vvoland · vvoland · commit b80e5db6f0b8 · 2023-10-03T12:41:54.000+02:00
If both Insecure and PlainHTTP is requested for the host, use a transport that falls back to HTTP in case of an HTTP request to a HTTPS client error. This also changes the order - before that an HTTP connection was attempted first. Now an HTTPS connection with insecure TLS check will be attempted first and will only fallback to HTTP if the former fails. This fixes push to an insecure HTTPS-only registry. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit 1096d71) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
diff --git a/util/resolver/resolver.go b/util/resolver/resolver.go
@@ -40,20 +40,25 @@ func fillInsecureOpts(host string, c config.RegistryConfig, h docker.RegistryHos
 		}
 	}
 
-	if isHTTP {
-		h2 := h
-		h2.Scheme = "http"
-		hosts = append(hosts, h2)
-	}
+	httpsTransport := newDefaultTransport()
+	httpsTransport.TLSClientConfig = tc
+
 	if c.Insecure != nil && *c.Insecure {
 		h2 := h
-		transport := newDefaultTransport()
-		transport.TLSClientConfig = tc
+
+		var transport http.RoundTripper = httpsTransport
+		if isHTTP {
+			transport = &httpFallback{super: transport}
+		}
 		h2.Client = &http.Client{
 			Transport: tracing.NewTransport(transport),
 		}
 		tc.InsecureSkipVerify = true
 		hosts = append(hosts, h2)
+	} else if isHTTP {
+		h2 := h
+		h2.Scheme = "http"
+		hosts = append(hosts, h2)
 	}
 
 	if len(hosts) == 0 {
@@ -210,3 +215,29 @@ func newDefaultTransport() *http.Transport {
 		TLSNextProto:          make(map[string]func(authority string, c *tls.Conn) http.RoundTripper),
 	}
 }
+
+type httpFallback struct {
+	super    http.RoundTripper
+	fallback bool
+}
+
+func (f *httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
+	if !f.fallback {
+		resp, err := f.super.RoundTrip(r)
+		var tlsErr tls.RecordHeaderError
+		if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+			// Server gave HTTP response to HTTPS client
+			f.fallback = true
+		} else {
+			return resp, err
+		}
+	}
+
+	plainHTTPUrl := *r.URL
+	plainHTTPUrl.Scheme = "http"
+
+	plainHTTPRequest := *r
+	plainHTTPRequest.URL = &plainHTTPUrl
+
+	return f.super.RoundTrip(&plainHTTPRequest)
+}
