Container registry behind reverse proxy with http or https?

Please excuse my mention of the earlier post. There was an existing discussion on this topic. @Fraeco @wei @xak2000

However, I am still confused about how the reverse proxy for the registry can be set up.
In my system, I have GitLab served in a Docker container using http. Https is made possible by an apache2 reverse proxy.

I’ve read that the registry service had better be on an https service to avoid a bunch of configuration issues.

Does that mean I have to reverse proxy https for my registry service container (https->https)? Can I use the way I set up with Gitlab to serve my registry container as well (https->http)?

My configuration:
Apache2 frontend:

<Location "/">
     RequestHeader set X-Forwarded-Proto https
     RequestHeader set X-Forwarded-Ssl on
     RequestHeader set X-Url-Scheme https
</Location>
 
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
 
Include        /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/registry.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/registry.example.com/privkey.pem

Docker container backend (docker-compose.yml):

web:
   image: 'gitlab/gitlab-ce:latest'
   restart: always
   hostname: my-ip-address-for-example.com
   environment:
     GITLAB_OMNIBUS_CONFIG: |
       external_url 'https://gitlab.example.com'
       nginx['proxy_set_headers'] = {"X-Forwarded-Proto" => "http", "CUSTOM_HEADER" => "VALUE"}
       nginx['real_ip_trusted_addresses'] = [ '10.0.0.0/24' ]
       nginx['real_ip_header'] = 'X-Forwarded-For'
       nginx['real_ip_recursive'] = 'on'
       nginx['listen_port'] = 1081
       nginx['listen_https'] = false
 
       registry_external_url 'https://registry.example.com'
       registry_nginx['listen_port'] = 5050
       registry_nginx['listen_https'] = false
       registry_nginx['proxy_set_headers'] = {
         "X-Forwarded-Proto" => "https",
         "X-Forwarded-Ssl" => "on"
       }
       # Add any other gitlab.rb configuration here, each on its own line
   ports:
     - '5000:5050'
     - '1081:1081'
     - '1022:22'
   volumes:
     - '/home/gitlab/config:/etc/gitlab'
     - '/home/gitlab/logs:/var/log/gitlab'
     - '/home/gitlab/data:/var/opt/gitlab'

I only got a blank page when accessing “registry.example.com”.

Thank you for any help.

Visiting the registry doesn’t appear to be a valid test. It isn’t expected to serve any valid web page - it only answers valid API calls made to it. Did you also test the external URL configured through docker login, and docker push or docker pull?

The docker registry documentation section about TLS configuration does note that you can set it up this way (https -> http).
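
The check suggested in the reply above, as an added example that is not part of the original thread: instead of loading the registry URL in a browser, capture the response head of `/v2/` and confirm that it comes from the registry API. The function name `check_v2_head` and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Classify the response head of GET /v2/ as captured by, for example:
#   curl -sS -D - -o /dev/null https://registry.example.com/v2/ | check_v2_head
# Reads the status line and headers on stdin and prints one verdict line.
# Return codes: 0 = registry API answered, 1 = not a registry answer,
#               2 = registry answered but the token realm is not https.
check_v2_head() {
    resp=$(tr -d '\r')
    # Use the last status line, since curl prints one per hop when following redirects.
    status=$(printf '%s\n' "$resp" | awk '/^HTTP\// { code = $2 } END { print code }')
    # A registry identifies itself with this header on /v2/, for 200 and for 401.
    api=$(printf '%s\n' "$resp" | grep -i '^docker-distribution-api-version:' | head -n 1)
    # With token authentication, a 401 names the token service in realm="...".
    realm=$(printf '%s\n' "$resp" | grep -i '^www-authenticate:' \
        | sed -n 's/.*realm="\([^"]*\)".*/\1/p' | head -n 1)

    if [ -z "$api" ]; then
        echo "FAIL: status ${status:-none}, no Docker-Distribution-Api-Version header; the proxy is not reaching the registry API"
        return 1
    fi
    case "$status" in
        200) echo "OK: registry API reachable, no authentication required" ;;
        401)
            case "$realm" in
                https://*) echo "OK: registry API reachable, token realm $realm" ;;
                *) echo "WARN: registry API reachable, but token realm '$realm' is not https"
                   return 2 ;;
            esac ;;
        *) echo "FAIL: unexpected status $status from /v2/"
           return 1 ;;
    esac
}

# Constructed sample: what a registry with token authentication is expected to send.
sample_head() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'Docker-Distribution-Api-Version: registry/2.0\r\n'
    printf 'Www-Authenticate: Bearer realm="https://gitlab.example.com/jwt/auth",service="container_registry"\r\n'
    printf '\r\n'
}

sample_head | check_v2_head
```

A 401 carrying the API version header is the normal unauthenticated answer; the realm check matters because the Docker client sends credentials to that URL when it requests a token.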