do not add the authentication header to requests which are not sent to registry

src/common/utils/registry/auth/authorizer.go

@@ -18,6 +18,8 @@ package auth
 import (
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 
 	au "github.com/docker/distribution/registry/client/auth"
@@ -37,6 +39,7 @@ type Authorizer interface {
 // And it implements interface Modifier
 type AuthorizerStore struct {
 	authorizers []Authorizer
+	ping        *url.URL
 	challenges  []au.Challenge
 }
 
@@ -49,15 +52,21 @@ func NewAuthorizerStore(endpoint string, insecure bool, authorizers ...Authorize
 		Timeout:   30 * time.Second,
 	}
 
-	resp, err := client.Get(buildPingURL(endpoint))
+	pingURL := buildPingURL(endpoint)
+	resp, err := client.Get(pingURL)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 
 	challenges := ParseChallengeFromResponse(resp)
+	ping, err := url.Parse(pingURL)
+	if err != nil {
+		return nil, err
+	}
 	return &AuthorizerStore{
 		authorizers: authorizers,
+		ping:        ping,
 		challenges:  challenges,
 	}, nil
 }
@@ -68,6 +77,23 @@ func buildPingURL(endpoint string) string {
 
 // Modify adds authorization to the request
 func (a *AuthorizerStore) Modify(req *http.Request) error {
+	//only handle the requests sent to registry
+	v2Index := strings.Index(req.URL.Path, "/v2/")
+	if v2Index == -1 {
+		return nil
+	}
+
+	ping := url.URL{
+		Host:   req.URL.Host,
+		Scheme: req.URL.Scheme,
+		Path:   req.URL.Path[:v2Index+4],
+	}
+
+	if ping.Host != a.ping.Host || ping.Scheme != a.ping.Scheme ||
+		ping.Path != a.ping.Path {
+		return nil
+	}
+
 	for _, challenge := range a.challenges {
 		for _, authorizer := range a.authorizers {
 			if authorizer.Scheme() == challenge.Scheme {