Skip to content

Instantly share code, notes, and snippets.

@dkarlovi

dkarlovi/registry.example.com.conf

Last active February 7, 2024 19:38
Show Gist options
  • Save dkarlovi/5f6ab416aa882086c7305b004b590dd4 to your computer and use it in GitHub Desktop.
Save dkarlovi/5f6ab416aa882086c7305b004b590dd4 to your computer and use it in GitHub Desktop.
Download ZIP
GitLab's Container Registry (docker) behind Apache 2.4 reverse proxy
Raw
registry.example.com.conf
<VirtualHost *:80>
ServerName registry.example.com
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /root/ssl/example.com/*.example.com/certs/*.example.com.cert
SSLCertificateKeyFile /root/ssl/example.com/*.example.com/private/*.example.com.key
SSLCACertificateFile /root/ssl/example.com/*.example.com/certs/CA/*.example.com.cert
ServerName registry.example.com
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
Header set Host "registry.example.com"
<Location />
Require all granted
ProxyPass http://127.0.0.1:5000/ timeout=900
ProxyPassReverse http://127.0.0.1:5000/
</Location>
Header always set Docker-Distribution-Api-Version "registry/2.0"
RequestHeader set X-Forwarded-Proto "https"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/registry.example.com_error.log
CustomLog /var/log/httpd/registry.example.com_forwarded.log common_forwarded
CustomLog /var/log/httpd/registry.example.com_access.log combined env=!dontlog
CustomLog /var/log/httpd/registry.example.com.log combined
</VirtualHost>
@herzog-network
Copy link

herzog-network commented Feb 7, 2024
edited
Loading

This config works for me within gitlab.rb:

registry_external_url 'https://registry.your.tld'
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_https'] = false

registry_nginx['proxy_set_headers'] = {
	"Host" => "$http_host",
	"X-Real-IP" => "$remote_addr",
	"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
	"X-Forwarded-Proto" => "https",
	"X-Forwarded-Ssl" => "on"
}
registry_nginx['listen_port'] = 5050

example reverse proxy nginx config:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

server {
	add_header       X-Served-By $host;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-Scheme $scheme;
	proxy_set_header X-Forwarded-Proto  $scheme;
	proxy_set_header X-Forwarded-For    $remote_addr;
	proxy_set_header X-Real-IP          $remote_addr;
	location / {
		proxy_pass       http://registry-ip-address:5050$request_uri;
	}

	listen 443 ssl http2;
	listen [::]:443 ssl http2;

       server_name registry.your.tld;
       ssl_certificate /etc/letsencrypt/live/.../fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem;
       include /etc/letsencrypt/options-ssl-nginx.conf;
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = registry.your.tld) {
        return 301 https://$host$request_uri;
    }
	listen 80 ;
	listen [::]:80 ;
    server_name registry.your.tld;
    return 404;
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment