I already run a GitLab server inside a Docker container with an external nginx server inside another Docker container, so the GitLab nginx server is deactivated. Now I want to use the Docker registry included in the GitLab server.
I tried to get the information from the administration manual: https://docs.gitlab.com/ee/administration/container_registry.html
and used a fitted nginx config from the linked file: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/registry-ssl
To gitlab.rb I added:
...
registry_external_url 'url'
registry_nginx['enable'] = false
registry['enable'] = true
...
But if I try to log in (docker login url), I only get a 502 Bad Gateway error. I also tried some other configurations with combinations, but always got the same error. Did anybody get it to work? Do I need to add more settings to the omnibus file, or is it still not possible to use the GitLab internal Docker registry with omnibus and an external nginx?
The answers above are good but don't quite work for my setup, so I will add my configuration here so it may help someone. I am running the official GitLab Docker image with compose, and I already have Traefik v2 set up as a reverse proxy. These settings are taken from the official GitLab Omnibus settings.
In the gitlab.rb environment variable section of docker-compose.yml:
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_external_url 'https://registry.example.com'
registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false
Then the following labels in the docker-compose.yml:
- "traefik.http.routers.gitlab-registry.rule=Host(`registry.example.com`)"
- "traefik.http.routers.gitlab-registry.tls=true"
- "traefik.http.routers.gitlab-registry.entrypoints=websecure"
- "traefik.http.routers.gitlab-registry.service=gitlab-registry-service"
- "traefik.http.services.gitlab-registry-service.loadbalancer.server.port=80"
These settings should work for either the same or a separate domain for the registry. The nginx server running the registry is told to run over plain http on port 80, which makes it very easy to integrate with Traefik.
OK, I got it to work.
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
upstream docker-registry {
server <ip_of_gitlab_docker_container>:<port_of_gitlab_container>;
}
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host$request_uri; ## no ':' between host and URI, otherwise the redirect target is malformed
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0; ## image layers can be large; do not cap the upload size
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
## ('ssl on;' is redundant with 'listen ... ssl' and deprecated in newer nginx, so it is omitted)
ssl_certificate /etc/letsencrypt/live/sub.domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub.domain.tld/privkey.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1.2 TLSv1.3; ## TLSv1 and TLSv1.1 are deprecated; TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
location / {
proxy_pass http://docker-registry;
proxy_set_header Host $host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /v2/ {
# To add basic authentication to v2 use auth_basic setting plus
# add_header
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900; # long pushes must not be cut off by the proxy
}
}
Maybe the nginx configuration of Andrioshe also works, but I made some changes and mixed it up with other configurations while trying. I think a configuration file for a normal docker-registry will also work... will try it in the future.
But the more important thing is the GitLab Omnibus configuration.
registry_external_url 'https://sub.domain.tld'
registry['registry_http_addr'] = "<ip_of_gitlab_docker_container>:<port_of_gitlab_container>"
registry_nginx['enable'] = false
registry['enable'] = true
It is important to set 'registry_http_addr' to the GitLab Docker registry IP and port instead of localhost.
I also had the same problem as you and got it to work with the following:
Nginx:
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host$request_uri; ## no ':' between host and URI, otherwise the redirect target is malformed
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0; ## image layers can be large; do not cap the upload size
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
## ('ssl on;' is redundant with 'listen ... ssl' and deprecated in newer nginx, so it is omitted)
ssl_certificate /etc/letsencrypt/live/registry.project-oc.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/registry.project-oc.de/privkey.pem; # managed by Certbot
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_protocols TLSv1.2 TLSv1.3; ## TLSv1 and TLSv1.1 are deprecated; TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/gitlab/nginx/gitlab_registry_access.log;
error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
location / {
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900; # long pushes must not be cut off by the proxy
proxy_pass http://localhost:5000;
}
}
gitlab.rb:
registry_external_url 'https://registry.project-oc.de'
registry_nginx['listen_port'] = 5000
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = false
registry['enable'] = true
After editing both files you have to restart nginx and GitLab.
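To verify an external proxy like the ones posted above before reaching for `docker login`, this added script (not from the thread or from GitLab) probes the two things the Docker client depends on: the HTTP vhost must redirect to https without the stray ':' from `$http_host:$request_uri`, and an unauthenticated GET /v2/ must come back as a 401 token challenge with the registry headers rather than the 502 from the question. The host name registry.example.com is an assumed placeholder; pass your own as the first argument.

```python
import re
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 301s so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET url without following redirects; return (status, lower-cased headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 401 and 502 arrive as exceptions
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_redirect(status, headers, host):
    """The plain-HTTP vhost must 301 to https://<host><path>, with no ':' after the host."""
    location = headers.get("location", "")
    if status != 301:
        return "expected 301 from the HTTP vhost, got %d" % status
    if location.startswith("https://%s:" % host):
        return "Location %r has a stray ':' (use $http_host$request_uri)" % location
    if not location.startswith("https://%s/" % host):
        return "unexpected redirect target %r" % location
    return None


def check_v2(status, headers):
    """An unauthenticated GET /v2/ must be a 401 token challenge from the registry."""
    if status == 502:
        return "502: nginx cannot reach the registry upstream (check registry_http_addr)"
    if status != 401:
        return "expected 401 from /v2/, got %d" % status
    if headers.get("docker-distribution-api-version") != "registry/2.0":
        return "missing Docker-Distribution-Api-Version: registry/2.0 header"
    if not re.match(r'Bearer realm="https?://[^"]+"', headers.get("www-authenticate", "")):
        return "no Bearer realm challenge: docker login cannot locate GitLab's /jwt/auth"
    return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "registry.example.com"  # assumed placeholder
    for problem in (check_redirect(*fetch("http://%s/v2/" % host), host),
                    check_v2(*fetch("https://%s/v2/" % host))):
        print(problem or "ok")
```

Both checks printing "ok" means the proxy chain is in place and any remaining login failure is a credentials or GitLab-side token issue rather than an nginx one.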