
I'm trying to enable the GitLab registry running in Docker behind an nginx proxy in a CentOS LXD container :)

Nginx configuration on CentOS

server {
    listen *:80;
    server_name registry.site.name;
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/gitlab_access.log;
    error_log /var/log/nginx/gitlab_error.log;
}

server {
    listen 443 ssl http2;
    server_name registry.site.name;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/site.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.name/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:8085;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Url-Scheme $scheme;
    }
}

gitlab.rb configuration

registry_external_url 'https://registry.site.name'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry['registry_http_addr'] = "git.site.name:8085"  # the same as the GitLab container IP, 172.17.0.3:8085
registry_nginx['enable'] = false

docker-compose.yml

version: '2.3'
services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    container_name: 'git'
    hostname: 'git.site.name'
    ports:
      - '22:22'
      - '8081:8081'
      - '8085:8085'
    volumes:
      - '/data/Projects/git/config:/etc/gitlab'
      - '/var/log/git:/var/log/gitlab'
      - '/data/Projects/git/data:/var/opt/gitlab'
    network_mode: bridge

Looks good. If I make a request to registry.site.name, I see it in the gitlab/registry/current log. The registry page also opens fine in the project.

But I can't use the CLI. Every time I try to docker login registry.site.name it fails with

Error response from daemon: Get https://registry.site.name/v2/: remote error: tls: protocol version not supported

And this request stops before it reaches the git Docker container; my nginx proxy logs:

2020年08月05日 10:42:21 [crit] 268168#0: *9 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.200.3.1, server: 0.0.0.0:443

The same error is triggered if I try to check a TLS 1.2 connection with curl -I -v -L --tlsv1.2 --tls-max 1.2 registry.site.name

So maybe docker login uses TLS 1.2, but I don't understand why it is not working, because I set it up in the nginx config.

I also tried the nginx configuration from the question "gitlab docker registry with external nginx and omnibus",

but still no luck.

asked Aug 5, 2020 at 10:53

1 Answer

The mistake was that the nginx config for git.site.conf didn't contain TLSv1.2.

So be sure that both configs (git & registry) have TLS 1.2 support.

answered Aug 5, 2020 at 11:01
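The answer's advice ("check both configs") follows from how nginx negotiates TLS: the protocol version is checked against the server block that is the default for the listen socket before the SNI name has selected a virtual host, so a vhost that lists TLSv1.2 can still be unreachable over TLS 1.2 when a sibling vhost on the same port does not. The following script is an added example, not code from the question or answer: it parses nginx server blocks, reports which TLS vhosts lack an explicit TLSv1.2 entry, and shows which block's ssl_protocols actually governs the handshake. The two config strings are constructed samples modelled on the question's setup (git.site.name missing TLSv1.2), not the asker's real files.

```python
import re

# Constructed sample vhost files (not the page's own configs): the registry vhost
# allows TLS 1.2 and 1.3, the git vhost only TLS 1.3 and is the default server.
SAMPLE_CONFIGS = {
    "registry.site.conf": """
server {
    listen 443 ssl http2;
    server_name registry.site.name;
    ssl_protocols TLSv1.2 TLSv1.3;   # looks fine in isolation
}
""",
    "git.site.conf": """
server {
    listen 443 ssl http2 default_server;
    server_name git.site.name;
    ssl_protocols TLSv1.3;           # the block that actually decides the handshake
}
""",
}


def server_blocks(text):
    """Yield the body of every 'server { ... }' block, brace-matched, comments stripped."""
    text = re.sub(r"#.*", "", text)
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
            j += 1
        yield text[start:j - 1]
        pos = j


def directive(body, name):
    """Return the argument list of the first 'name ...;' directive in a block, or None."""
    m = re.search(r"(?m)^\s*%s\s+([^;]+);" % re.escape(name), body)
    return m.group(1).split() if m else None


def audit(configs, required="TLSv1.2"):
    """One record per TLS server block: name, default_server flag, protocols, and
    whether the required protocol is listed explicitly (an absent ssl_protocols
    line inherits the http{} or built-in default and is reported as not explicit)."""
    report = []
    for fname, text in configs.items():
        for body in server_blocks(text):
            listen = directive(body, "listen") or []
            if "ssl" not in listen:
                continue  # plain-HTTP blocks such as the :80 redirect are irrelevant here
            names = directive(body, "server_name") or ["(none)"]
            protos = directive(body, "ssl_protocols")
            report.append({
                "file": fname,
                "server_name": names[0],
                "default_server": "default_server" in listen,
                "ssl_protocols": protos,
                "supports_required": protos is not None and required in protos,
            })
    return report


def missing(configs, required="TLSv1.2"):
    """Server names of TLS vhosts that do not explicitly allow the required protocol."""
    return [r["server_name"] for r in audit(configs, required) if not r["supports_required"]]


def governing_protocols(configs):
    """ssl_protocols of the block nginx uses before SNI is evaluated: the one marked
    default_server, or, failing that, the first TLS block found (nginx's own fallback)."""
    tls_blocks = audit(configs)
    for r in tls_blocks:
        if r["default_server"]:
            return r["ssl_protocols"]
    return tls_blocks[0]["ssl_protocols"] if tls_blocks else None


if __name__ == "__main__":
    for r in audit(SAMPLE_CONFIGS):
        flag = "OK " if r["supports_required"] else "MISSING TLSv1.2"
        print(f"{flag}  {r['server_name']:<22} ({r['file']}) default={r['default_server']} protos={r['ssl_protocols']}")
    print("handshake governed by:", governing_protocols(SAMPLE_CONFIGS))
```

Run it against your real files by replacing SAMPLE_CONFIGS with a dict read from /etc/nginx/conf.d/*.conf; a non-empty missing() list, or a governing_protocols() result without TLSv1.2, reproduces exactly the "unsupported protocol" handshake failure the question's nginx log shows, even when the registry vhost by itself looks correct.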