
Expose port in docker-compose or configure second letsencrypt certificate

I'm running a selfhosted gitlab docker instance, but I'm facing some problems configuring the registry as I do get the error

Error response from daemon: Get https://example.com:4567/v2/: dial tcp <IP>:4567: connect: connection refused

for doing docker login example.com:4567.

  1. So it seems that I have to expose the port 4567 somehow.

  2. A (better) alternative would be to configure a second domain for the registry - like registry.example.com. As you can see below I'm using letsencrypt certificates for my gitlab instance. But how do I get a second certificate for the registry?


This is what my docker-compose looks like - I'm using jwilder/nginx-proxy for my reverse proxy.

docker-compose.yml

gitlab:
  image: gitlab/gitlab-ce:11.9.0-ce.0
  container_name: gitlab
  networks:
    - reverse-proxy
  restart: unless-stopped
  ports:
    - '50022:22'
  volumes:
    - /opt/gitlab/config:/etc/gitlab
    - /opt/gitlab/logs:/var/log/gitlab
    - /opt/gitlab/data:/var/opt/gitlab
    - /opt/nginx/conf.d:/etc/nginx/conf.d
    - /opt/nginx/certs:/etc/nginx/certs:ro
  environment:
    VIRTUAL_HOST: example.com
    VIRTUAL_PROTO: https
    VIRTUAL_PORT: 443
    LETSENCRYPT_HOST: example.com
    LETSENCRYPT_EMAIL: [email protected]

gitlab.rb

external_url 'https://example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = '/etc/nginx/certs/example.com/fullchain.pem'
nginx['ssl_certificate_key'] = '/etc/nginx/certs/example.com/key.pem'
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_path'] = '/backups'
gitlab_rails['registry_enabled'] = true

registry_external_url 'https://example.com:4567'
registry_nginx['ssl_certificate'] = "/etc/nginx/certs/example.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/nginx/certs/example.com/key.pem"

For the second alternative it would look like:

registry_external_url 'https://registry.example.com'
registry_nginx['ssl_certificate'] = "/etc/nginx/certs/registry.example.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/nginx/certs/registry.example.com/key.pem"

But how do I set this up in my docker-compose?


Update

I'm configuring nginx just via the jwilder package, without changing anything. So this part of my docker-compose.yml file just looks like this:

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    networks:
      - reverse-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/nginx-proxy/vhost.d:/etc/nginx/vhost.d:rw
      - /opt/nginx/certs:/etc/nginx/certs:ro
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    networks:
      - reverse-proxy
    depends_on:
      - nginx-proxy
    volumes:
      - /opt/nginx-proxy/vhost.d:/etc/nginx/vhost.d:rw
      - html:/usr/share/nginx/html
      - /opt/nginx/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:rw
    environment:
      NGINX_PROXY_CONTAINER: "nginx-proxy"

asked May 10 '26 13:05

user3142695


1 Answer

TL;DR:

> So it seems that I have to expose the port 4567 somehow.

Yes, however jwilder/nginx-proxy does not support more than one port per virtual host and port 443 is already exposed. There is a pull request for that feature but it has not been merged yet. You'll need to expose this port another way (see below).


You are using jwilder/nginx-proxy as a reverse proxy to access a Gitlab instance in a container, but with your current configuration only port 443 is exposed:

environment:
    VIRTUAL_HOST: example.com
    VIRTUAL_PROTO: https
    VIRTUAL_PORT: 443

All other Gitlab services (including the registry on port 4567) are not proxied and therefore not reachable through example.com.

Unfortunately it is not possible yet to expose multiple ports on a single hostname with jwilder/nginx-proxy. There is a pull request open for that use case but it has not been merged yet (you are not the only one with this kind of issue).

> A (better) alternative would be to configure a second domain for the registry

This won't work if you keep using jwilder/nginx-proxy as even if you changed registry_external_url, you'll still be stuck with the port issue, and you cannot allocate the same port to two different services.

What you can do:

  • vote and comment for the mentioned PR to be merged :)
  • try to build the Docker image from the mentioned pull request's fork and configure your compose with something like VIRTUAL_HOST=example.com:443,example.com:4567
  • configure a reverse proxy manually for port 4567 - you may wind up a plain nginx container in addition to your current configuration which would specifically do this, or re-configure your entire proxying scheme without using jwilder images
  • update your configuration to expose example.com:4567 instead of example.com:443 but you'll lose HTTPS access (though it's probably not what you are looking for)

I am aware this does not provide a finite solution but I hope it helps.

answered May 12 '26 14:05

Pierre B.
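
Publishing the registry port straight from the gitlab container is one way to expose it outside nginx-proxy. This is an added example, not part of the original question or answer; it assumes host port 4567 is free and that the gitlab.rb from the question (registry_external_url 'https://example.com:4567' with the example.com certificate paths) is kept, so GitLab's bundled nginx terminates TLS for the registry itself:

```yaml
# Added example: the gitlab service from the question with one extra
# published port. Everything else is unchanged.
gitlab:
  image: gitlab/gitlab-ce:11.9.0-ce.0
  container_name: gitlab
  networks:
    - reverse-proxy
  restart: unless-stopped
  ports:
    - '50022:22'
    # Registry listener from registry_external_url. It is not routed through
    # nginx-proxy; the bundled nginx serves HTTPS on it using
    # registry_nginx['ssl_certificate'] / ['ssl_certificate_key'].
    - '4567:4567'
  volumes:
    - /opt/gitlab/config:/etc/gitlab
    - /opt/gitlab/logs:/var/log/gitlab
    - /opt/gitlab/data:/var/opt/gitlab
    - /opt/nginx/conf.d:/etc/nginx/conf.d
    # Same certificate directory the letsencrypt companion writes to,
    # mounted read-only so GitLab can read but not modify the key material.
    - /opt/nginx/certs:/etc/nginx/certs:ro
  environment:
    # nginx-proxy still fronts only the web UI on 443.
    VIRTUAL_HOST: example.com
    VIRTUAL_PROTO: https
    VIRTUAL_PORT: 443
    LETSENCRYPT_HOST: example.com
    LETSENCRYPT_EMAIL: admin@example.com  # placeholder address
```

With this mapping the registry is reachable directly on the host rather than through nginx-proxy, so any host firewall rule has to allow 4567 explicitly. GitLab's bundled nginx re-reads the certificate files only on reload, so after each Let's Encrypt renewal run `docker exec gitlab gitlab-ctl hup nginx`.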


