Add HTTP fallback to all insecure registries

Note that while it is not safe to use http fallback on non-localhost registries, this can be avoided using the new host directories. The previous legacy insecure configuration is ambiguous and less secure. Signed-off-by: Derek McGowan <derek@mcg.dev>
moby · Apr 26, 2024 · 5abfc63 · 5abfc63
1 parent 725e55d
commit 5abfc63
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/daemon/hosts.go b/daemon/hosts.go
@@ -94,17 +94,14 @@ func (daemon *Daemon) mergeLegacyConfig(host string, hosts []docker.RegistryHost
 		}
 		if daemon.registryService.IsInsecureRegistry(hosts[i].Host) {
 			if t.TLSClientConfig != nil {
-				isLocalhost, err := docker.MatchLocalhost(hosts[i].Host)
-				if err != nil {
-					continue
-				}
-				if isLocalhost {
-					hosts[i].Client.Transport = docker.NewHTTPFallback(hosts[i].Client.Transport)
-				}
 				t.TLSClientConfig.InsecureSkipVerify = true
 			} else {
-				hosts[i].Scheme = "http"
+				t.TLSClientConfig = &tls.Config{
+					InsecureSkipVerify: true,
+				}
 			}
+
+			hosts[i].Client.Transport = docker.NewHTTPFallback(hosts[i].Client.Transport)
 		}
 	}
 	return hosts, nil