Allow configuring a registry as http-only about image HOT 3 OPEN

@mtrmac WDYT?

I think the proxy misbehaves.

from image.

@mtrmac WDYT?

I think the proxy misbehaves.

I don't think the proxy necessarily misbehaves here. From its perspective, it never receives any HTTP traffic. Since it only implements HTTP, I don't think it's under any obligation to immediately terminate the connection upon receiving (what it sees as) malformed HTTP traffic.

I imagine we could see similar behavior by firewalls that will silently ignore non-HTTP traffic. Therefore, I think there is still a value in having a flag that forces HTTP.

I am far from a Go expert, but I've written a bit and would be willing to assist with this implementation if someone can point me in the right direction.

from image.

As you noted, the option works as designed. I could see an argument that that design is unfortunate, but it’s no longer practical to change the semantics of the option.

Adding a new option to registries.conf to never try HTTPS would be possible; every new option adds complexity for all other users, but, shrug on balance I guess I wouldn’t mind that being added. I think the blocked flag in registries.conf is a reasonably close template to follow, showing which subpackages need modifying, and how the option handling works.

OTOH, I also agree that fixing the proxy to recognize TLS frames when HTTP verbs are expected (like Go, in the quoted example, recognizes HTTP responses when TLS responses are expected) would probably be more generally useful than enhancing c/image — there are far fewer HTTP proxy implementations than HTTP servers and clients, so fixing the proxy would fix more of the universe.

So if you are looking for a place to contribute an improvement for this end-to-end situation, I think the proxy is a place with more impact.

from image.