Proxying to correct container registry ports

I’m trying to enable a container registry on my dockerized Gitlab install according to these instructions.

I’m also exposing my install on different ports, and using an nginx reverse-proxy to successfully route (https) traffic to the regular GitLab instance with the following docker-compose command (again, an external nginx reverse-proxy listens, e.g. on port 443 and proxies to 8443):

sudo docker run --detach \
    --hostname \
    --publish 8443:443 --publish 8080:80 --publish 2222:22 \
    --name gitlab \
    --restart always \
    --volume /srv/gitlab/config:/etc/gitlab \
    --volume /srv/gitlab/logs:/var/log/gitlab \
    --volume /srv/gitlab/data:/var/opt/gitlab \

I’ve been stuck on enabling the Container Registry, however. I can’t seem to get the right incantation for directing SSL-terminated traffic from my nginx reverse-proxy to the docker container that is exposing the registry service on (what I believe to be port 5000).

I keep on getting 502 errors at my reverse-proxy, since there seem to be SSL handshake errors when communicating with the registry host, or I’m trying to connect to the wrong GitLab registry host/port altogether.

Some posts on SO mention that registry_http_addr must be set with a specific IP and host (instead of just localhost), but I’m fairly sure I’m confused as to what IP and port that should be.

Here are some of my current relevant settings from /srv/gitlab/config/gitlab.rb:

registry_external_url '' # the port that the nginx reverse-proxy listens to

gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = ""

registry['enable'] = true

# registry['registry_http_addr'] = "localhost:5000" # untouched, for now?

The above is in addition to exposing 5005 via --port 5005:5000 (in the docker-compose command above) as well.

Any direction is much appreciated!

I have a similar setup, a gitlab container hidden behind a separately running nginx container, and when I try to connect to my i get the 404 from gitlab.

Was it a special proxy entry on the external nginx you had to make maybe?