
Gitlab Docker container behind reverse Proxy

I installed gitlab with the official Docker container:

    docker run -d -p 8002:80 -v /mnt/gitlab/etc/gitlab:/etc/gitlab -v /mnt/gitlab/var/opt/gitlab:/var/opt/gitlab -v /mnt/gitlab/var/log/gitlab:/var/log/gitlab gitlab/gitlab-ce

I'm using nginx as reverse proxy:

    upstream gitlab {
        server localhost:8002;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        keepalive_timeout 70;
        ssl_certificate /etc/letsencrypt/live/git.cedware.com/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/git.cedware.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        server_name git.cedware.com;
        client_max_body_size 300M;
        location / {
            proxy_http_version 1.1;
            proxy_pass http://localhost:8002/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwared-Ssl off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

This all works totally fine, until I add this line to the gitlab.rb:

    external_url 'https://git.cedware.com';

After restarting the container, nginx can't reach gitlab. Can someone tell me what's wrong with my setup?

Edit: This is the output of curl -v https://git.cedware.com:

* Rebuilt URL to: https://git.cedware.com/
*   Trying 37.120.177.116...
* Connected to git.cedware.com (37.120.177.116) port 443 (#0)
* found 175 certificates in /etc/ssl/certs/ca-certificates.crt
* found 700 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: git.cedware.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=git.cedware.com
*        start date: Wed, 04 Jan 2017 16:58:00 GMT
*        expire date: Tue, 04 Apr 2017 16:58:00 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: git.cedware.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.10.0 (Ubuntu)
< Date: Thu, 05 Jan 2017 08:45:52 GMT
< Content-Type: text/html
< Content-Length: 182
< Connection: keep-alive
<
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host git.cedware.com left intact

And this is the content of the nginx error.log:

> 2017/01/05 09:47:43 [error] 26258#26258: *1 recv() failed (104:
> Connection reset by peer) while reading response header from upstream,
> client: 217.7.247.238, server: git.cedware.com, request: "GET /
> HTTP/1.1", upstream: "http://127.0.0.1:8002/", host: "git.cedware.com"
> 2017/01/05 09:47:43 [error] 26258#26258: *1 recv() failed (104:
> Connection reset by peer) while reading response header from upstream,
> client: 217.7.247.238, server: git.cedware.com, request: "GET /
> HTTP/1.1", upstream: "http://[::1]:8002/", host: "git.cedware.com"
> 2017/01/05 09:47:43 [error] 26258#26258: *1 no live upstreams while
> connecting to upstream, client: 217.7.247.238, server:
> git.cedware.com, request: "GET /favicon.ico HTTP/1.1", upstream:
> "http://localhost/favicon.ico", host: "git.cedware.com", referrer:
> "https://git.cedware.com/"
Ced asked Oct 30 '22 14:10


1 Answer

As per the nginx error shown in the log, the upstream is not responding. This is not an nginx error.

Most likely your container is either down or stuck in a restart loop.

Use docker ps to see the container status. Then use docker logs <containername> to see any errors it generates.

It is possible that gitlab doesn't like your gitlab.rb modification. The log should tell you more.

Mark answered Nov 15 '22 06:11
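
The answer's reading of the log, as an added example that is not part of the original question or answer: a shell function that groups nginx upstream errors by failure kind and upstream address, then prints the check to run next. The log lines are constructed on the model of the ones in the question; the function names, the client address and the host name are assumptions of this example.

```shell
#!/bin/sh
# Added example: group nginx upstream errors by failure kind and upstream.

# Constructed sample modelled on the question's error.log entries; the client
# address and host name are placeholders.
sample_log() {
cat <<'EOF'
2017/01/05 09:47:43 [error] 100#100: *1 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: git.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8002/", host: "git.example.com"
2017/01/05 09:47:43 [error] 100#100: *1 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: git.example.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:8002/", host: "git.example.com"
2017/01/05 09:47:43 [error] 100#100: *1 no live upstreams while connecting to upstream, client: 203.0.113.7, server: git.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "git.example.com"
2017/01/05 09:48:10 [error] 100#100: *3 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: git.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8002/", host: "git.example.com"
2017/01/05 09:50:01 [error] 100#100: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: git.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8002/", host: "git.example.com"
EOF
}

# Reads error.log text on stdin; prints "<count> <kind> <upstream>" per group.
classify_upstream_errors() {
    awk '
        / \[error\] / && /upstream/ {
            kind = "other"
            if ($0 ~ /Connection refused/)            kind = "refused"
            else if ($0 ~ /Connection reset by peer/) kind = "reset"
            else if ($0 ~ /timed out/)                kind = "timeout"
            else if ($0 ~ /no live upstreams/)        kind = "no_live_upstreams"
            up = "-"
            # The address nginx tried is the quoted value after upstream:
            if (match($0, /upstream: "[^"]*"/))
                up = substr($0, RSTART + 11, RLENGTH - 12)
            count[kind " " up]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,3
}

# Maps a failure kind to the check the answer suggests (hypothetical helper).
next_check() {
    case "$1" in
        refused) echo "nothing listening on that port: docker ps (container up? port published?)" ;;
        reset)   echo "connection accepted, then dropped before a response: docker logs <containername>" ;;
        timeout) echo "backend not answering in time: docker ps, then docker logs <containername>" ;;
        no_live_upstreams) echo "every peer already marked failed: read the earlier errors" ;;
        *)       echo "read the full log line" ;;
    esac
}

sample_log | classify_upstream_errors | while read -r n kind up; do
    printf '%s x %-17s %-30s -> %s\n' "$n" "$kind" "$up" "$(next_check "$kind")"
done
```

Against a real server, pipe the actual error log into classify_upstream_errors in place of sample_log.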