GitLab Registry with existing Nginx reversed proxy (https)

Hello gitlab community,

I got problems with enabling my gitlab docker registry. I tried to do it like the example in the gitlab docs but I actually stuck with getting the docker registry enabled.

Nginx:

upstream registry {
  server gitlab_gitlab:5000;
}

## Redirects all HTTP traffic to the HTTPS host
server {
  listen 80;
  server_name  registry.project-oc.de;
  return 301 https://$http_host:$request_uri;
  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;
}

server {
  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
  # it should be declared here as well
  listen 443 ssl http2;
  server_name  registry.project-oc.de;

  client_max_body_size 0;
  chunked_transfer_encoding on;

  ssl on;
  # ssl_certificate /path/to/cert;
  # ssl_certificate_key /path/to/certkey;

  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_session_timeout  5m;

  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;

  location / {
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;

    proxy_pass          http://registry;
  }

    ssl_certificate /etc/letsencrypt/live/registry.project-oc.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/registry.project-oc.de/privkey.pem; # managed by Certbot
}

gitlab.rb:

registry_external_url 'https://registry.project-oc.de'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_port'] = "5005"
registry['enable'] = true

I actually tested it with

docker login docker login registry.project-oc.de:5005
and I get a “connection refused”. I already checked my firewall.