How to separate two URLs after the domain name?

Hi!
I have an Ubuntu server with Docker + Docker Registry (https://git-registry.local.com/v2/_catalog).
I installed the GitLab-ee server on this server (it is currently working on port 80). But I want it to answer at the URL https://git-gitlab.local.com.
How is it possible? Do I need to use GitLab's Nginx for the other URL? Or maybe I need to install an individual Nginx?
Can an Nginx reverse proxy split every source URL to its own DNS name? And what is the example!?

By default after installing, is GitLab's nginx enabled?

Hi,

try this post as a base: https://www.reddit.com/r/gitlab/comments/5zd329/container_registry_behind_reverse_proxy/

Just add one server{} entry for gitlab and another one for the registry, both with the corresponding redirects in gitlab.rb.

I tried:
gitlab on port 80 (127.0.0.1:8080)
registry:2 on port 5000

nginx reverse proxy as a virtual host. Two different DNS names (wildcard cert), published as:

server {
    listen 443 ssl;               # "ssl" is needed here, otherwise nginx serves plain HTTP on 443
    server_name gitlab.local.com;
    # the wildcard certificate mentioned above; paths are placeholders, not from the post
    ssl_certificate     /PATH/TO/wildcard.crt;
    ssl_certificate_key /PATH/TO/wildcard.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name registry.local.com;
    ssl_certificate     /PATH/TO/wildcard.crt;
    ssl_certificate_key /PATH/TO/wildcard.key;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This works. I see both sites as https. But the registry is a problem for remote image pushes to the registry. I didn't find how registry:2 allows remote access with HTTP.

I resolved it. I configured all remote docker hosts for insecure-registries:

cat > /etc/docker/daemon.json <<'EOF'
{
  "insecure-registries" : ["hostname.ip:5000"]
}
EOF

and added in nginx.conf under http:

# set client body size to *M #
client_max_body_size 1024M;

Well done. I assume that you're using your own CA for the certificates?! Have a look here. Place the CA cert in the described directory and you don't need the insecure setting. For me it works without the port included in the directory name.

The client_max_body_size of 1G is probably a bit small when you try to push larger images…

Good luck!

I use a GoDaddy wildcard certificate. If you advise it, I'll bet on it; I thought a CA was not required. I'll test this method on Monday. Thx.

After switching to NGINX (as a virtual host), a problem began.

Writing (push) images works well, but pulling gives an error :frowning: (Kubernetes cluster)

Q.

  1. In /etc/default/docker, is this correct?

DOCKER_OPTS='--insecure-registry 10.94.10.128:5000'
DOCKER_OPTS='--insecure-registry 10.94.10.128:443'
DOCKER_OPTS='--insecure-registry registry.local:443'

  2. In /etc/docker/daemon.json, is this correct?

{
"insecure-registries" : ["10.94.10.128:5000"]
"insecure-registries" : ["10.94.10.128:443"]
"insecure-registries" : ["registry.local:443"]
}

  3. In:
    /etc/docker/certs.d/10.94.10.128:443/ca.crt
    /etc/docker/certs.d/registry.local:443/ca.crt
    is this correct if ca.crt contains 3 certificates?


two GoDaddy chain certificates and my certificate
Is this correct?
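As an added illustration (not code from anyone in this thread), a small checker for the daemon.json shown in point 2: plain json.loads keeps only the last of several identical keys, so two of the three entries would silently disappear, and every insecure-registries entry turns off certificate verification for that host. The sample inputs are constructed to mirror the question; the certs.d path format and the IP-in-certificate advice come from the thread.

```python
import ipaddress
import json
from collections import Counter

# Constructed samples. The first two mirror the daemon.json shown in the
# question: three "insecure-registries" keys in one object.
BROKEN = '''{
"insecure-registries" : ["10.94.10.128:5000"]
"insecure-registries" : ["10.94.10.128:443"]
"insecure-registries" : ["registry.local:443"]
}'''                       # missing commas: the daemon rejects this outright
DUPLICATE = '''{
"insecure-registries" : ["10.94.10.128:5000"],
"insecure-registries" : ["10.94.10.128:443"],
"insecure-registries" : ["registry.local:443"]
}'''                       # valid JSON, but only the last key survives parsing
MERGED = '{"insecure-registries": ["10.94.10.128:5000", "registry.local:443"]}'


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: refuse objects that repeat a key instead of
    silently keeping the last value, which is what plain json.loads does."""
    dupes = sorted(k for k, n in Counter(k for k, _ in pairs).items() if n > 1)
    if dupes:
        raise ValueError("duplicate key(s): " + ", ".join(dupes))
    return dict(pairs)


def audit_daemon_json(text):
    """Return (ok, findings): ok is False if the file is unusable; findings
    explains each insecure-registries entry and why certs.d is preferable."""
    try:
        cfg = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:          # JSONDecodeError is a ValueError too
        return False, ["daemon.json unusable: %s" % exc]
    findings = []
    for entry in cfg.get("insecure-registries", []):
        host = entry.rsplit(":", 1)[0]
        note = ("%s: certificate verification disabled and plaintext HTTP "
                "allowed; put the CA in /etc/docker/certs.d/%s/ca.crt instead"
                % (entry, entry))
        try:
            ipaddress.ip_address(host)
            note += " (an IP in a certificate SAN is fragile; prefer a DNS name)"
        except ValueError:
            pass
        findings.append(note)
    return True, findings
```

Point it at a real file with `audit_daemon_json(open("/etc/docker/daemon.json").read())`; an empty findings list with ok=True means no registry is exempt from TLS verification.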

What OS are you using? Some OSes probably use a different path - refer to the docker link I provided earlier. Provide the logs when you discover the error during the pull operation.

  1. What release of GitLab are you using? There were some changes with the certificate handling.

  2. The configuration you mentioned under points 1 and 2 is not necessary, I would say. I do not use them and push and pull work fine.

  3. To what you mentioned in point 3, the following:

  • I'm using only the CA certificate, nothing else. Including the entire chain should work.
  • Using IP addresses in certificates is probably not the best choice; use a CNAME!
  • I don't know GoDaddy - just try to access a URL with such a certificate with Chrome or Firefox. When the browser complains about the authenticity, it is not part of the system certificate keychain and not accepted by any tool.

It's not such an easy thing to configure the SSL configuration. I spent a lot of time. Use Google when you have error messages during access.

Good luck

I use Ubuntu (16.04 and up) and Debian (8 and up). This server is Ubuntu 17.
I use GitLab-ee latest.

After 1), 2) and 3) were configured on all remote docker and Kubernetes hosts, deploy (pull/push) worked well. Which method helped I don't know. Most likely ca.crt, because I didn't restart any docker daemon.