Web Filter // HTTPProxy blocks docker pull

Hi there,

 

I have been encountering a pretty strange issue. When trying to pull a docker image on a CentOS 7 machine, I'm getting the following error message:

$ docker pull nginx
Using default tag: latest
Error response from daemon: Get registry-1.docker.io/.../: proxyconnect tcp: EOF

 

The Sophos WebFilter-Log shows:

2020:06:18-14:28:33 hostname httpproxy[6092]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 130 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
2020:06:18-14:28:33 hostname httpproxy[6092]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdbfc3800" function="read_request_headers" file="request.c" line="1615" message="unable to parse a http message on handler 81 (Resource temporarily unavailable)"

 

Meanwhile, a "curl" will run successfully. I also tried excepting everything for the desired host, but I get the same results every time.

 

# curl -v https://registry-1.docker.io
About to connect() to proxy  port 8080 (#0)
Trying 192.168.0.1
Connected to 192.168.0.1 (192.168.0.1) port 8080 (#0)
Establish HTTP proxy tunnel to registry-1.docker.io:443
CONNECT registry-1.docker.io:443 HTTP/1.1
Host: registry-1.docker.io:443
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

HTTP/1.1 200 Connection established
Proxy-Connection: keep-alive

Proxy replied OK to CONNECT request
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server certificate:
subject: CN=*.docker.io
start date: Mai 23 00:00:00 2020 GMT
expire date: Jun 23 12:00:00 2021 GMT
common name: *.docker.io
issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: registry-1.docker.io
Accept: */*

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Thu, 18 Jun 2020 12:26:02 GMT
Content-Length: 0
Strict-Transport-Security: max-age=31536000

 

It'd be great if someone could help me out with this, thanks in advance,

Janik

  • Hallo Janik and welcome to the UTM Community!

    What happens if you add a DNS Group object for registry-1.docker.io in the Transparent Mode Skiplist on the 'Misc' tab of 'Filtering Options'?

    Cheers - Bob
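
For anyone triaging the same symptom: the script below is an added example, not part of the original posts and not a Sophos tool. It parses httpproxy log lines in the format quoted in the question, pulls out each request the proxy could not parse (the HPE_ code, the byte count and the source location), and attaches the follow-up lines the same process logged within one second. The function names and the one-second correlation window are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# The two WebFilter log lines quoted in the question, embedded so the script runs offline.
SAMPLE_LOG = '''\
2020:06:18-14:28:33 hostname httpproxy[6092]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 130 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
2020:06:18-14:28:33 hostname httpproxy[6092]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdbfc3800" function="read_request_headers" file="request.c" line="1615" message="unable to parse a http message on handler 81 (Resource temporarily unavailable)"
'''

LINE_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs after the prefix
HPE_RE = re.compile(r'\((HPE_[A-Z_]+): ')          # parser error code in the message
SIZE_RE = re.compile(r'http message of (\d+) bytes')

def parse_line(line):
    """Split one log line into a dict of its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group(5)))
    rec.update(ts=datetime.strptime(m.group(1), '%Y:%m:%d-%H:%M:%S'),
               proc=m.group(3), pid=int(m.group(4)))
    return rec

def parse_failures(log_text, window_s=1):
    """Return one entry per HPE_ parse failure, with correlated follow-up lines."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec['proc'] != 'httpproxy':
            continue
        msg = rec.get('message', '')
        code = HPE_RE.search(msg)
        if code:
            size = SIZE_RE.search(msg)
            failures.append({'ts': rec['ts'], 'pid': rec['pid'], 'code': code.group(1),
                             'bytes': int(size.group(1)) if size else None,
                             'source': f"{rec.get('file')}:{rec.get('line')}",
                             'followups': []})
        elif failures:
            last = failures[-1]
            # Same process, logged within the window: treat as fallout of that failure.
            if rec['pid'] == last['pid'] and (rec['ts'] - last['ts']).total_seconds() <= window_s:
                last['followups'].append(rec.get('function'))
    return failures

def summarize(failures):
    """Count failures per parser error code."""
    return Counter(f['code'] for f in failures)

if __name__ == '__main__':
    for f in parse_failures(SAMPLE_LOG):
        print(f)
```
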