Registry integration error: "connection refused or address does not exist"
Applicability
- Aqua Platform SaaS Edition, Workload Protection module
- Aqua Platform Self-Hosted Edition
Symptoms
Error:
"connection refused or address does not exist"
Causes
Aqua has implemented new mechanisms to prevent the "SSRF attack vulnerability through Image Registries". As a result, some customers may experience problems connecting to Docker API V2 type registries.
- From Aqua version 2022.4.114 onwards, registries that use known malicious IP addresses, as well as loopback (127.0.0.0 and 128.0.0.0) and private IP addresses (in ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), are blocked when you try to add them (Administration -> Integrations -> Image Registries), with:
Error:
"connection refused or address does not exist"
"authenticate_registry" "Failed getting /v2/"
In console log:
This applies whether the registry definition uses a hostname or an FQDN: Aqua resolves the name to its corresponding IP address and checks that address.
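A pre-check an administrator can run before adding a registry, to see whether its name resolves into one of the ranges listed above. This is an added example, not Aqua's code: the function names and the sample DNS table are constructed, loopback is assumed to mean 127.0.0.0/8, and Aqua's list of known malicious IP addresses is not modelled.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the article lists as rejected. Loopback is modelled as 127.0.0.0/8
# (assumption); the "known malicious IP" list is not reproduced here.
BLOCKED_RANGES = {
    "loopback 127.0.0.0/8": ipaddress.ip_network("127.0.0.0/8"),
    "private 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "private 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "private 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed sample DNS answers so the example runs offline.
SAMPLE_DNS = {
    "registry.corp.example": ["10.20.30.40"],
    "public.example": ["203.0.113.10"],
    "split.example": ["203.0.113.10", "192.168.1.5"],
}

def sample_resolver(host):
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    """Resolve host to its IPv4 addresses with the local resolver."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def registry_host(url):
    """Extract the host from a registry URL or a bare host[:port]."""
    return urlsplit(url if "://" in url else "//" + url).hostname

def check_registry(url, resolver=system_resolver):
    """Return (address, matched range or None) for each resolved address."""
    host = registry_host(url)
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        addresses = resolver(host)  # hostname or FQDN: check what it resolves to
    results = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hit = next((n for n, net in BLOCKED_RANGES.items() if ip in net), None)
        results.append((addr, hit))
    return results

def would_be_blocked(url, resolver=system_resolver):
    """True if any resolved address falls inside a listed range."""
    return any(hit is not None for _, hit in check_registry(url, resolver))
```

Calling `check_registry` with the default resolver uses the DNS view of the machine it runs on, which may differ from the view of the Aqua console host.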
Solutions
To disable this check, the console needs to be deployed with the variable below:
Tips and Tricks
Problems that may occur after using the AQUA_BLOCK_REGISTRY_SSRF variable:
Sometimes, after applying the solution mentioned above, some customers may see the error below, which relates to the Docker API the customer is using.
If this error occurs, check whether the customer has implemented Aqua in Dockerless mode.
To verify this, execute the SQL query below:
Response:
If the query result is "0" (zero), the user is not using Dockerless mode.
To solve this problem, redeploy the Aqua console using the variable below.
Additional Resources
N/A