Hello.
Please help with the settings.
I have one server with GitLab and the container registry, and a second one that is an nginx reverse proxy.
The web interface works fine via the nginx reverse proxy. The nginx reverse proxy holds the certificate for HTTPS; GitLab itself works without a certificate.
With the registry I have problems.
Part of the nginx reverse proxy config:
```nginx
upstream docker-registry {
    server 172.31.31.22:5050;
}

server {
    listen 5050 ssl;
    access_log /var/log/nginx/git-5050-access.log main;
    error_log /var/log/nginx/git-5050-error.log;
    server_name git.test.com;

    client_max_body_size 0;
    chunked_transfer_encoding on;

    # TLSv1.1 is deprecated; only TLSv1.2 (and TLSv1.3 where the build supports it) should be offered.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/letsencrypt/live/git.test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.test.com/privkey.pem;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 900;
        proxy_pass http://docker-registry;
    }
}
```
gitlab.rb:

```ruby
external_url 'https://git.test.com'
registry_external_url 'http://git.test.com'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "git.test.com"
gitlab_rails['registry_port'] = "5050"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
gitlab_rails['registry_api_url'] = "http://127.0.0.1:5000"
registry['enable'] = true
nginx['listen_port'] = 80
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
}
nginx['real_ip_trusted_addresses'] = ['172.31.31.18']
nginx['real_ip_header'] = 'X-Real-IP'
registry_nginx['enable'] = true
registry_nginx['real_ip_trusted_addresses'] = ['172.31.31.18']
registry_nginx['real_ip_header'] = 'X-Real-IP'
registry_nginx['listen_port'] = 5050
```
With this config I can `docker login` from the internet, but `docker push` does not work, and docker-in-docker in the pipeline does not work either:

```text
Error response from daemon: Get "http://git.test.com:5050/v2/": Get "https://git.test.com/jwt/auth?account=123&client_id=docker&offline_token=true&service=container_registry": dial tcp 172.31.31.22:443: connect: connection refused
```
When I change external_url to 'http://git.test.com' (no https), I can't log in from the internet:

```text
Error response from daemon: Get "https://git.test.com:5050/v2/": denied: access forbidden
```

But the pipeline with dind works; it can log in to the registry.
I know there are a lot of similar threads; I have been trying to fix this for some days and have read a lot, but could not understand what is needed.
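As an added example (not part of the original post), the script below walks the Docker registry v2 token handshake offline. The Docker client first requests `/v2/` on the registry; the registry answers 401 with a `WWW-Authenticate: Bearer` challenge whose `realm` names the token endpoint, and the client then fetches the token from that realm itself. That is why the first error above shows a request to `https://git.test.com/jwt/auth` hanging off the request to `http://git.test.com:5050/v2/`. The sample challenge, registry URL and listener set are constructed from values in the post: the realm, service and query parameters from the quoted error, the ports 80 and 5050 from `gitlab.rb`, and 172.31.31.22 as the GitLab host from the nginx upstream. The last function models the situation the error reports, where the realm's hostname resolves to that host and the client dials a port on which nothing listens.

```python
"""Walk the Docker registry v2 Bearer-token handshake offline.

Added example, not code from the post or from GitLab. Given the registry
URL and the Bearer challenge the registry answers on GET /v2/, list every
TCP endpoint the docker client itself must reach, then compare that list
with the ports a host actually listens on.
"""
import re
from urllib.parse import urlencode, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the 401 challenge a GitLab-backed registry returns on
# an unauthenticated GET /v2/. Realm and service are those in the quoted error.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://git.test.com/jwt/auth",'
    'service="container_registry"'
)
SAMPLE_REGISTRY_URL = "http://git.test.com:5050"

# Ports the GitLab host in the post listens on, per its gitlab.rb:
# nginx['listen_port'] = 80 and registry_nginx['listen_port'] = 5050.
GITLAB_HOST_LISTENERS = {80, 5050}


def parse_bearer_challenge(header):
    """Split 'Bearer k="v",k2="v2"' into a dict; reject other auth schemes."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if "realm" not in fields:
        raise ValueError("Bearer challenge without a realm")
    return fields


def endpoint(url):
    """(scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def token_request_url(realm, service, account, client_id="docker"):
    """Token URL the client fetches; parameter order mirrors the quoted error
    (account, client_id, offline_token, service)."""
    query = urlencode([
        ("account", account),
        ("client_id", client_id),
        ("offline_token", "true"),
        ("service", service),
    ])
    return f"{realm}?{query}"


def client_endpoints(registry_url, challenge_header):
    """Endpoints `docker login` / `docker push` dial, in order: the registry,
    then the token realm named in the registry's challenge."""
    fields = parse_bearer_challenge(challenge_header)
    return [endpoint(registry_url), endpoint(fields["realm"])]


def refused_if_resolved_to(endpoints, listening_ports):
    """Endpoints that get 'connection refused' when their hostname resolves to
    a host listening only on `listening_ports` (the case in the quoted error,
    where git.test.com resolved to 172.31.31.22 and the client dialed :443)."""
    return [ep for ep in endpoints if ep[2] not in listening_ports]


if __name__ == "__main__":
    eps = client_endpoints(SAMPLE_REGISTRY_URL, SAMPLE_CHALLENGE)
    for scheme, host, port in eps:
        print(f"client must reach {scheme}://{host}:{port}")
    fields = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print("token request:", token_request_url(fields["realm"], fields["service"], "123"))
    for scheme, host, port in refused_if_resolved_to(eps, GITLAB_HOST_LISTENERS):
        print(f"refused if {host} resolves to the GitLab host: nothing listens on {port}")
```

Run it as is to see the two endpoints for the post's setup; to check another deployment, replace the constructed challenge with the real `WWW-Authenticate` header from a `curl -i` against the registry's `/v2/`, and the listener set with the ports the host that the client's DNS actually returns is serving.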