GitLab's Container Registry (docker) behind Apache 2.4 reverse proxy
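# Plain-HTTP listener: nothing is proxied here, every request is sent to HTTPS.
<VirtualHost *:80>
    ServerName registry.example.com
    ServerSignature Off

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

# TLS listener in front of the registry on 127.0.0.1:5000.
<VirtualHost *:443>
    ServerName registry.example.com
    ServerSignature Off

    SSLEngine on
    # No SSLv2/SSLv3 and no legacy TLS 1.0/1.1; the Docker clients that talk
    # to a v2 registry negotiate TLS 1.2 or newer.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Strong encryption ciphers only; 3DES dropped from the original list.
    # See ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
    SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
    SSLCompression Off
    SSLCertificateFile /root/ssl/example.com/*.example.com/certs/*.example.com.cert
    SSLCertificateKeyFile /root/ssl/example.com/*.example.com/private/*.example.com.key
    SSLCACertificateFile /root/ssl/example.com/*.example.com/certs/CA/*.example.com.cert

    # "always set" so HSTS is also sent on error responses and is not
    # duplicated if the backend already emits the header ("add" would be).
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

    ProxyRequests Off
    # Forward the client's Host header unchanged; the registry needs it to
    # build the Location URLs it returns. (The original "Header set Host"
    # only set a *response* header and did nothing for the proxied request.)
    ProxyPreserveHost On

    <Location />
        Require all granted
        # Long timeout: layer uploads/downloads can take a while.
        ProxyPass http://127.0.0.1:5000/ timeout=900
        ProxyPassReverse http://127.0.0.1:5000/
    </Location>

    Header always set Docker-Distribution-Api-Version "registry/2.0"
    # TLS is terminated here, so tell the registry the original scheme.
    RequestHeader set X-Forwarded-Proto "https"

    # NOTE(review): this logs the client-supplied X-Forwarded-For header. If this
    # vhost is the first hop (no trusted load balancer in front), that value is
    # attacker-controlled; prefer %h for the real peer address in that case.
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog /var/log/httpd/registry.example.com_error.log
    CustomLog /var/log/httpd/registry.example.com_forwarded.log common_forwarded
    CustomLog /var/log/httpd/registry.example.com_access.log combined env=!dontlog
    CustomLog /var/log/httpd/registry.example.com.log combined
</VirtualHost>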
This config works for me within gitlab.rb:
# gitlab.rb: TLS is terminated by the external reverse proxy, which hands
# plain HTTP to the bundled registry nginx on port 5050.
registry_external_url 'https://registry.your.tld'
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
# Plain HTTP on the bundled nginx; the external proxy owns the certificate.
registry_nginx['listen_https'] = false
# Headers the bundled nginx passes on to the registry. $remote_addr here is
# the peer of the bundled nginx (presumably the external proxy, not the end
# client); $proxy_add_x_forwarded_for keeps the X-Forwarded-For value the
# proxy sent and appends that address — verify against the proxy config.
registry_nginx['proxy_set_headers'] = {
"Host" => "$http_host",
"X-Real-IP" => "$remote_addr",
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
# Hard-coded because this listener is plain HTTP but the public URL is https.
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"
}
# Port the external proxy forwards to.
registry_nginx['listen_port'] = 5050
Example reverse proxy nginx config:
server {
    # Catch-all for plain HTTP on any name no other server block claims;
    # serves the static document root.
    server_name _;
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
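# HTTPS front for the registry; TLS terminates here and plain HTTP goes to
# the GitLab-bundled nginx on port 5050.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name registry.your.tld;

    ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # nginx's default client_max_body_size is 1m, which makes every image
    # layer upload larger than that fail with 413; the registry enforces its
    # own limits, so disable the check here.
    client_max_body_size 0;
    # Long-running blob transfers; matches the 900s timeout used on the
    # Apache variant of this setup.
    proxy_read_timeout 900;

    add_header X-Served-By $host;
    # Original Host is required so the registry builds correct Location URLs.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    # First hop: use the real peer address rather than any client-supplied
    # X-Forwarded-For value.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;

    location / {
        # "registry-ip-address" is a placeholder for the GitLab host.
        proxy_pass http://registry-ip-address:5050$request_uri;
    }
}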
server {
    # Plain-HTTP listener for the registry name (certbot-style redirect).
    listen 80;
    listen [::]:80;
    server_name registry.your.tld;

    if ($host = registry.your.tld) {
        return 301 https://$host$request_uri;
    }
    # Anything arriving here under a different Host value is refused.
    return 404;
}
What additional configuration is needed in gitlab.rb?