ECR Behind an Nginx Proxy


Hi Folks,

Due to network security requirements, we have a need to proxy requests to ECR through the following infrastructure

Client -> NLB -> EC2 (Nginx Proxy) -> VPCE -> ECR

We have the API call working to aws ecr get-login-password and we get the token, but the pipe to the docker login command returns:

**.***.**.** - - [28/Nov/2023:02:38:22 +0000] "CONNECT ************* HTTP/1.1" 400 182 "-" "-"

and from the client:

Error response from daemon: Get "https://*************": Bad Request

The nginx conf looks (mostly) like:

http {
    proxy_set_header    Host                $host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;

    server {
        listen              443 ssl;
        server_name         "";
        location / {
            proxy_pass           "https://*************";

I'm not quite sure where I can go next to see what may be missing. Does ECR have any logs to show what isn't there? This works fine outside the proxy from machines that are able to connect directly, so we have narrowed down the issue to the proxy config.

Thanks for any help you can provide.

posta 6 mesi fa450 visualizzazioni
2 Risposte
Risposta accettata

To close the loop on this. My issue was that I was pointing the docker client at the proxy, as well as the proxying endpoint. This was unnecessary. But there were a few additional things that were needed:

  • To log in and to access the repo, it is necessary to use the proxied domain, not the ECR domain, in the docker login call
  • Once the login works, in order to pull, a proxy_redirect is necessary to write the URLs pointing to S3 for the layers. Ex:

proxy_redirect "" "";

  • Ensure the Host header is rewritten to the ECR domain in the nginx proxy config

Hope this helps others. Cheers!

con risposta 2 mesi fa
  • Hey, did this work for helm pull as well? I am running into cert issue when pulling from helm but when using docker pull I am able to pull the image

  • I don't use Helm, but I have been successful proxying other types of traffic. It's important to understand if there are any other calls to domains or IP's via redirects, beyond the initial call. Sometimes, when a system has access to the entire internet, then we don't always notice the additional calls. This was one of the issues in my case, the calling machine can ONLY access that single IP, so everything needed to be managed, including the extra request to new domains. I resolved it by watching network traffic on the machine itself. Good Luck.


I understand that you need to proxy requests to ECR. Reviewing the nginx configuration, I see that you are delegating the requests to "".

Please note that ECR has two different VPC Endpoints --

Ensure that you are passing requests to both of the ECR vpc endpoints. Coming to the error you are facing - "Bad Request" to ECR. Bad request error is usually observed when you pass the VPC Endpoint DNS name to the docker login command as shown in the example below:

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin

When setting up vpc endpoints for ECR, if you had enabled "enable a private DNS hostname", then a private Route53 record is created in private host zones, which maps "<aws_account_id>.dkr.ecr.<region>" to private IP(s) of ECR VPC Endpoint. Therefore you will be able to use the below command

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <aws_account_id>

Unfortunately, we would not have ECR Logs that you can refer.

Considering, we need further information and Network specific details to be able to understand the exact reason for the error. Please feel free to open a support case with AWS Premium support to get further assistance.

con risposta 6 mesi fa
  • Thanks Praneel,

    This isn't a VPC Endpoint issue, as I have both of the endpoints created and tested. I can also confirm that I can log in to the ECR from the proxy EC2 (which would use the VPCE) using:

    aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <ecr_id>

    I have also added a Host header to the proxy config

    proxy_set_header Host <ecr_id>;

    Still getting the same result.

    I've read that there are several people who have accomplished this, and have tried as much as I could.

    I'll open a request. Thanks.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande