Last active February 7, 2024 19:38
GitLab's Container Registry (docker) behind Apache 2.4 reverse proxy
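<VirtualHost *:80>
  ServerSignature Off

  # Redirect every plain-HTTP request to HTTPS
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  #strong encryption ciphers only
  #see ciphers(1)
  # Note: "all -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1 enabled where the OpenSSL build supports them
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /root/ssl/**
  SSLCertificateKeyFile /root/ssl/**
  SSLCACertificateFile /root/ssl/**

  ServerSignature Off

  # Act as a reverse proxy only (no forward proxying) and pass the client's Host header to the backend
  ProxyRequests Off
  ProxyPreserveHost On
  Header set Host ""

  <Location />
    Require all granted
    # Placeholder: the backend URL is not given on this page; replace
    # REGISTRY_BACKEND:PORT with the address the registry listens on
    ProxyPass http://REGISTRY_BACKEND:PORT/ timeout=900
  </Location>

  Header always set Docker-Distribution-Api-Version "registry/2.0"
  # Tell the registry that the client connection was made over TLS
  RequestHeader set X-Forwarded-Proto "https"

  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/httpd/registry.example.com_error.log
  CustomLog /var/log/httpd/registry.example.com_forwarded.log common_forwarded
  CustomLog /var/log/httpd/registry.example.com_access.log combined env=!dontlog
  CustomLog /var/log/httpd/ combined
</VirtualHost>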

What additional configuration is needed in gitlab.rb?


herzog-network commented Feb 7, 2024

This config works for me within gitlab.rb:

registry_external_url 'https://registry.your.tld'
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_https'] = false

registry_nginx['proxy_set_headers'] = {
	"Host" => "$http_host",
	"X-Real-IP" => "$remote_addr",
	"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
	"X-Forwarded-Proto" => "https",
	"X-Forwarded-Ssl" => "on"
}
registry_nginx['listen_port'] = 5050

Example reverse proxy nginx config:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

server {
	add_header       X-Served-By $host;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-Scheme $scheme;
	proxy_set_header X-Forwarded-Proto  $scheme;
	proxy_set_header X-Forwarded-For    $remote_addr;
	proxy_set_header X-Real-IP          $remote_addr;
	location / {
		proxy_pass       http://registry-ip-address:5050$request_uri;
	}

	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name registry.your.tld;
	ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
	# Redirect plain HTTP for the registry host to HTTPS
	if ($host = registry.your.tld) {
		return 301 https://$host$request_uri;
	}

	listen 80 ;
	listen [::]:80 ;
	server_name registry.your.tld;
	return 404;
}
