Pull/push from outside LAN issue

I’m self-hosting an instance on my server, running in a docker container, and I’m quite happy with it.
Inside my LAN, I can access my service without any issues.
From outside my LAN, I can also access it, but I’m not able to pull/push either by ssh or by https.

I guess this must be due to a misconfiguration in my docker-compose or my router.

My docker-compose file:

version: '3.6'
services:
# GITLAB ==> Version control repository
  gitlab:
    image: 'gitlab/gitlab-ce:15.4.2-ce.0'
    container_name: gitlab
    restart: unless-stopped
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://git.mydomain.com:33333'
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        gitlab_rails['gitlab_shell_ssh_port'] = 10222
        gitlab_rails['time_zone'] = 'Europe/Berlin'
        puma['worker_processes'] = 0
        sidekiq['concurrency'] = 5
        postgresql['shared_buffers'] = "256MB"

        # Add any other gitlab.rb configuration here, each on its own line
    ports:
      - "33333:33333"
      - "10222:22"
    networks:
      - admin_network
    volumes:
      - /media/Storage_Server/Gitlab/config:/etc/gitlab
      - /media/Storage_Server/Gitlab/logs:/var/log/gitlab
      - /media/Storage_Server/Gitlab/data:/var/opt/gitlab
    shm_size: '256m'
    labels:
      - traefik.enable=true
      - traefik.http.routers.gitlab.rule=Host(`git.mydomain.com`)
      - traefik.http.routers.gitlab.entrypoints=secure
      - traefik.http.routers.gitlab.tls.certresolver=le
      - traefik.http.services.gitlab.loadbalancer.server.port=80
      - traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`git.mydomain.com`)
      - traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
      - traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-svc
      - traefik.tcp.services.gitlab-ssh-svc.loadbalancer.server.port=33333
networks:
  admin_network:
    external: true

Anything fishy in my docker-compose?

Thanks in advance

Yes, you have HTTPS disabled in your docker-compose file.

Also, for ports, you have 10222 redirecting to port 22 inside the container. This is fine; however, it means your external SSH connections will have to be on port 10222 to be able to connect to your Gitlab SSH docker instance. You will need to ensure this port is open on your firewall. You can test it easily enough by doing:

ssh -T -p 10222 git@mygitlabhost.domain

replace mygitlabhost.domain with your hostname for your Gitlab install which you are using.

Thx for your reply @iwalker.

If I set nginx['listen_https'] = true, I get a

400 Bad Request

The plain HTTP request was sent to HTTPS port

I guess that’s due to how traefik handles things.

Regarding the ssh test, I have done it from different locations:
From a machine outside my LAN? Timed out :frowning:

ssh: connect to host git.mydomain.com port 10222: Connection timed out

From a machine outside my LAN but connected to my LAN via VPN? Refused :frowning:

ssh: connect to host git.mydomain.com port 10222: Connection refused

From a machine inside my LAN? I got a welcome message :slight_smile:

Welcome to GitLab, @kimawari!

From the container itself? As I don’t use the ssh key, I got permission denied:

git@git.mydomain.com: Permission denied (publickey).

So on the internal LAN it works fine; you don’t need to do it from inside the container. For outside your LAN you need to configure your firewall to allow incoming connections for port 10222 and make sure they are redirected to the docker host where Gitlab is running.

I don’t use docker or traefik with Gitlab anyway, so I’m not sure, but you may need to look at the Gitlab docker configuration for resolving the problems with HTTPS, since that service should be used by Gitlab and nothing else. Obviously assuming that your docker host doesn’t already have something running on port 443.

But not only that, in your docker-compose you don’t have anything in the ports section for even exposing port 443. So I would check the Gitlab docker documentation: GitLab Docker images | GitLab
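For readers arriving at this thread with the same setup (GitLab behind Traefik, TLS terminated at the proxy, SSH published on a non-standard port), here is an added example of a compose file that routes both HTTPS and SSH through Traefik. It is not from the thread, from GitLab or from Traefik; it assumes Traefik v2 with a Docker provider, entrypoints named `secure` and `ssh`, a certificate resolver named `le`, and placeholder values for the domain and ACME e-mail. Two points differ from the compose file in the question: the SSH TCP router uses `HostSNI(`*`)`, because the SSH protocol carries no TLS SNI and a hostname rule never matches plain TCP, and the TCP service points at port 22, which is where sshd listens inside the container. Only Traefik publishes host ports; the gitlab container has no `ports:` section at all, so the host's firewall only needs to allow 443 and 10222 to the Docker host.

```yaml
# Added example, not the thread's or the projects' own configuration.
# Assumptions: Traefik v2, entrypoints "secure" and "ssh", resolver "le",
# placeholder domain git.mydomain.com and placeholder ACME e-mail.
version: '3.6'
services:
  traefik:
    image: traefik:v2.9                      # version is an assumption
    container_name: traefik
    restart: unless-stopped
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers are routed
      - --entrypoints.secure.address=:443
      - --entrypoints.ssh.address=:10222           # what clients use: ssh -p 10222 git@git.mydomain.com
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@mydomain.com   # placeholder
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "443:443"
      - "10222:10222"                        # Traefik, not gitlab, owns the host port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_letsencrypt:/letsencrypt
    networks:
      - admin_network

  gitlab:
    image: 'gitlab/gitlab-ce:15.4.2-ce.0'
    container_name: gitlab
    restart: unless-stopped
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://git.mydomain.com'
        # TLS ends at Traefik, so GitLab's bundled nginx must stay plain HTTP on 80;
        # turning listen_https on here produces the "plain HTTP request was sent
        # to HTTPS port" error seen in the thread.
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        nginx['proxy_set_headers'] = { "X-Forwarded-Proto" => "https", "X-Forwarded-Ssl" => "on" }
        letsencrypt['enable'] = false          # certificates come from Traefik's resolver
        gitlab_rails['gitlab_shell_ssh_port'] = 10222   # clone URLs show ssh://git@git.mydomain.com:10222/...
        gitlab_rails['time_zone'] = 'Europe/Berlin'
        puma['worker_processes'] = 0
        sidekiq['concurrency'] = 5
        postgresql['shared_buffers'] = "256MB"
    # No "ports:" section: Traefik reaches the container over admin_network
    # on 80 (HTTP) and 22 (SSH), and nothing else on the host needs to.
    networks:
      - admin_network
    volumes:
      - /media/Storage_Server/Gitlab/config:/etc/gitlab
      - /media/Storage_Server/Gitlab/logs:/var/log/gitlab
      - /media/Storage_Server/Gitlab/data:/var/opt/gitlab
    shm_size: '256m'
    labels:
      - traefik.enable=true
      # HTTPS: hostname routing, TLS terminated by Traefik, forwarded to nginx on 80
      - traefik.http.routers.gitlab.rule=Host(`git.mydomain.com`)
      - traefik.http.routers.gitlab.entrypoints=secure
      - traefik.http.routers.gitlab.tls.certresolver=le
      - traefik.http.services.gitlab.loadbalancer.server.port=80
      # SSH: raw TCP passthrough. SSH has no SNI, so HostSNI(`*`) is the only
      # rule that matches a non-TLS TCP router; the backend port is sshd's 22.
      - traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)
      - traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
      - traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-svc
      - traefik.tcp.services.gitlab-ssh-svc.loadbalancer.server.port=22

volumes:
  traefik_letsencrypt:

networks:
  admin_network:
    external: true
```

With this layout the router in front of the Docker host forwards only TCP 443 and TCP 10222 to it, and the `ssh -T -p 10222 git@git.mydomain.com` test from the thread exercises the whole path: router, host firewall, Traefik's `ssh` entrypoint and the container's sshd. A timeout still means the packet never reached Traefik (forwarding or firewall), while a refusal means the host was reached but nothing was listening on 10222 there.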