Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Edlundin114y@alexbrooklyn I needed ADD for busting a cached git clone. Theoretically, it's nice and simple.
But ADD does not allow you to change the user-agent (at least in my knowledge).
It's easily fixable by downloading the wanted files with an external script and then use ADD to add those files in the container, but it's not as nice and simple...
Without mentioning the awkward moment when you find that ADD does not work but wget has no problem whatsoever -
Edlundin114y@alexbrooklyn To respond to your question about security, I simply don't know. Some attempt to mitigate bots/crawlers I suppose? But the first thing I would do if I was to write a bot is to change its user-agent so...
-
User Agent blocking is a shady thing...
In general, relying on or parsing the User Agent is questionable.
Many do it for the sake of simplicity, though you could just grab a list online and let e.g. a python script test 1000s of user agents of the list one after another.
It's highly likely that you'll find one that gets through.
Rest is setting up an haproxy or nginx as a proxy for the docker which replaces the user agent header on the fly.
As the docker registry is just a regular HTTP service, hosts file DNS highjacking and et voila.
Protection is bypassed.
(I might have done this a few times.... Don't ask.)
Edit: or in this case, proxy the site. It's trivial. -
Flygger19794yNice find of a silly implementation!
Could (or have) you filed an issue with them to allow changing it through configuration? -
@IntrusionCM @alexbrooklyn it's probably not to protect against attacks but automated scanning. Automated scanning is usually not targeted and thus this is a valid measure against it.
-
@IntrusionCM sure. The main idea of my comment was to point out it's to protect against non-targeted attacks, which it is effective against.
Did you know that docker's ADD instruction uses "go-http-client/1.1" as user-agent when src is an URL?
I didn't. And since I'm unfortunate, enough so that this user-agent is blocked by my company, I've now spent twice the time it took me to write the whole dockerfile to identify the problem and fix it...
I love waisting my time for such minor things...
rant