I've installed a local GitLab in a Docker solution. Then, on another server, I have an nginx reverse proxy. On that reverse proxy, nginx listens on ports 443 and 80, and GitLab works just fine. However, I couldn't manage to run the GitLab container registry on port 6060.

GitLab is working on, let's just say, https://mygitlab.example.com, and the GitLab server IP is 2.2.2.2.

docker-compose.yml for gitlab

version: '3.8'
services:
  web:
    image: 'gitlab/gitlab-ee:latest'
    container_name: gitlab
    restart: unless-stopped
    hostname: 'gitlab.mydomain'
    networks:
      default:
        ipv4_address: 192.168.0.2
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://mygitlab.example.com'
    ports:
      - '80:80'
      - '443:443'
      - '6060:6060'
    volumes:
      - '/data/gitlab/config:/etc/gitlab'
      - '/data/gitlab/logs:/var/log/gitlab'
      - '/data/gitlab/data:/var/opt/gitlab'
      - '/data/gitlab/registry:/var/opt/gitlab/gitlab-rails/shared/registry'
    healthcheck:
      test: curl -s http://localhost:80 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
networks:
  default:
    external:
      name: gitlab_network

Here is my gitlab.rb file configuration for registry:

registry_external_url 'https://mygitlab.example.com:6060'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "mygitlab.example.com"
gitlab_rails['registry_port'] = "6060"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"

Here is my nginx reverse proxy conf:

server {
        listen 6060 ssl;
        server_name  mygitlab.example.com;
        ssl_certificate      /etc/nginx/certs/example_com_2021.crt;
        ssl_certificate_key  /etc/nginx/private/example_com_private_key.key;
        location / {
                client_max_body_size 10m;
                proxy_pass http://2.2.2.2:6060;
        }
}

Then, when I reconfigure GitLab and reload nginx, I can see that the reverse proxy listens on port 6060 and forwards to the GitLab server. I can see the traffic with tcpdump and it seems okay. Also, in the GitLab web interface, the registry seems to be working.

However, when I try to log in from a client machine, I get the following error:

Error response from daemon: login attempt to http://mygitlab.example.com:6060/v2/ failed with status: 400 Bad Request

What am I missing?

Tekin
  • I had a similar problem and wasted hours! In the end, this helped: https://stackoverflow.com/questions/47584834/gitlab-docker-registry-with-external-nginx-and-omnibus. This line exactly is the missing thing (as far as I found out): https://gist.github.com/schube/e1f009448455e58d30a8ff491b357245#file-docker-compose-yaml-L20 – schube Mar 27 '21 at 16:54
  • @schube Thank you, but that didn't solve my problem. I realized that when I connect from the internal IP address, it works. In that case I have a problem on the proxy server, but I still couldn't solve it. – Tekin Mar 30 '21 at 11:05

1 Answer

I had similar issues with running GitLab behind Nginx Proxy Manager. This is the configuration which solved it for me:

docker-compose.yml

version: '2.1'
services:
  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'gitlab.domain.ch'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.domain.ch'
        letsencrypt['enabled'] = false
        # Reverse proxy nginx config
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['redirect_http_to_https'] = false
        nginx['proxy_set_headers'] = {
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on",
          "Host" => "gitlab.domain.ch",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "Upgrade" => "$$http_upgrade",
          "Connection" => "$$connection_upgrade"
        }
    volumes:
      - './data/config:/etc/gitlab'
      - './data/logs:/var/log/gitlab'
      - './data/data:/var/opt/gitlab'
    networks:
      - proxy
networks:
  proxy:
    external: true

nginx-proxy-manager settings

is also in the proxy network

Details

domain name: gitlab.domain.ch
Scheme: http
Forward Hostname: gitlab
Forward Port: 80
Block Common Exploits: enable
Websockets Support: enable

SSL

Force SSL: enable
HTTP/2 Support: enable
HSTS Enabled: enable

source: https://techoverflow.net/2018/12/17/running-gitlab-ce-via-docker-behind-a-reverse-proxy-on-ubuntu/

Meinrad
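
As an added example (not code from the question, the answer, or GitLab), this Python check compares the scheme an external proxy's proxy_pass uses against the scheme the registry listener is expected to serve, and also flags a cleartext proxy-to-GitLab hop once the schemes agree. It assumes Omnibus's bundled nginx serves TLS on the registry port whenever registry_external_url is https unless registry_nginx['listen_https'] = false is set; the registry_nginx keys, the function names and the sample strings are not from the page.

```python
import re
from urllib.parse import urlsplit

# Sample input: the registry line and proxy_pass from the question above.
GITLAB_RB = "registry_external_url 'https://mygitlab.example.com:6060'\n"
PROXY_CONF = "server { listen 6060 ssl; location / { proxy_pass http://2.2.2.2:6060; } }"

def _port(url):
    return url.port or (443 if url.scheme == "https" else 80)

def registry_backend(gitlab_rb):
    """Return (scheme, port) the bundled registry nginx is expected to serve."""
    m = re.search(r"^\s*registry_external_url\s+['\"]([^'\"]+)['\"]", gitlab_rb, re.M)
    if not m:
        return None
    url = urlsplit(m.group(1))
    scheme, port = url.scheme, _port(url)
    # Assumption: these Omnibus overrides win over the URL-derived defaults.
    m = re.search(r"^\s*registry_nginx\['listen_https'\]\s*=\s*(true|false)", gitlab_rb, re.M)
    if m:
        scheme = "https" if m.group(1) == "true" else "http"
    m = re.search(r"^\s*registry_nginx\['listen_port'\]\s*=\s*(\d+)", gitlab_rb, re.M)
    if m:
        port = int(m.group(1))
    return scheme, port

def check_proxy(gitlab_rb, proxy_conf):
    """Compare each proxy_pass aimed at the registry port with the backend scheme."""
    backend = registry_backend(gitlab_rb)
    if backend is None:
        return ["registry_external_url is not set"]
    scheme, port = backend
    findings = []
    for m in re.finditer(r"proxy_pass\s+(\S+?);", proxy_conf):
        upstream = urlsplit(m.group(1))
        if _port(upstream) != port:
            continue  # not aimed at the registry listener
        if upstream.scheme != scheme:
            findings.append(f"MISMATCH {m.group(1)}: proxy sends {upstream.scheme}, "
                            f"port {port} serves {scheme}")
        elif scheme == "http":
            findings.append(f"PLAINTEXT {m.group(1)}: registry logins and image "
                            f"layers cross this hop unencrypted")
    return findings

if __name__ == "__main__":
    print(check_proxy(GITLAB_RB, PROXY_CONF))
    print(check_proxy(GITLAB_RB + "registry_nginx['listen_https'] = false\n", PROXY_CONF))
```
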