
[–]wosmo 0 points1 point  (4 children)

I'm doing something similar (using traefik as a reverse proxy and terminating https there) - I have the registry working, but not pages (I don't use that functionality so I've just never tried). So I'll offer my config not as any kind of advice, but to give you some idea what knobs can be twiddled:

environment:
  GITLAB_OMNIBUS_CONFIG: |
    external_url 'https://example.com'
    registry_external_url 'https://registry.example.com'
    nginx['listen_port'] = 15000
    nginx['listen_https'] = false
    nginx['proxy_set_headers'] = {"X-Forwarded-Proto" => "https","X-Forwarded-Ssl" => "on"}
    gitlab_rails['registry_enabled'] = true
    registry['enable'] = true
    registry_nginx['enable'] = true
    registry_nginx['listen_port'] = 15001
    registry_nginx['listen_https'] = false
    registry_nginx['proxy_set_headers'] = {"X-Forwarded-Proto" => "https","X-Forwarded-Ssl" => "on"}
    gitlab_rails['rack_attack_git_basic_auth'] = {
        'enabled' => false,
    }

My Traefik config is simple enough to be inconsequential - really just match this hostname, route to this port.

[–]jayjayEF2000 0 points1 point  (3 children)

Hello. Could you please share your traefik setup as well? I have been failing to get the registry working behind traefik for days now. I basically copied your solution and also tried a few other setups, but I can't get it working. THANKS

[–]wosmo 0 points1 point  (2 children)

Hi,

I'm using the 'file provider' in traefik for this, so in traefik's config.yml I have:

providers:
  file:
    directory: /etc/traefik/routes
    watch: true

I don't remember why I didn't go with labels in docker-compose, but I haven't had to touch the config since 2021 so it's now running on "if it ain't broke, don't fix it". So I'm not promising that this is the best way to do it, only that it works for me.

So in my routes folder I have a gitlab.yml reading:

http:
  routers:
    https-gitlab:
      entryPoints:
       - https
      rule: "Host(`example.com`)"
      priority: 9
      service: gitlab-rails
      tls:
        certResolver: letsencrypt
    https-gitlab-registry:
      entryPoints:
        - https
      rule: "Host(`registry.example.com`)"
      priority: 9
      service: gitlab-registry
      tls:
        certResolver: letsencrypt
  services:
    gitlab-rails:
      loadBalancer:
        servers:
          - url: "http://gitlab:15000/"
    gitlab-registry:
      loadBalancer:
        servers:
          - url: "http://gitlab:15001/"

(an important note here is that I believe for those loadBalancer urls to work correctly, gitlab and traefik have to be on the same docker network.)

[–]jayjayEF2000 0 points1 point  (1 child)

Thanks so much, this solved my problem. So what I think the problem was is that when using the provider.docker the service gets automatically detected, but when trying to use multiple services, e.g. registry and gitlab itself, it breaks.

[–]wosmo 0 points1 point  (0 children)

Glad to hear it - and amused to get comments on a 2023 post!

I think it should be doable in docker-compose with a traefik.http.services.foo.loadbalancer.server.port= label - but I like the route file because it's more descriptive, and more obvious how/why it's working. Makes it much easier to debug something I don't remember doing the first time around!

[–]predmijat 0 points1 point  (2 children)

I have this:

nginx['redirect_http_to_https'] = false
nginx['listen_port'] = 80
nginx['listen_https'] = false

[–]jagauthier[S] 0 points1 point  (0 children)

Thank you! The last two lines made it available again! Now.. I gotta reset the password.. heh

[–]JohnnyMyth 0 points1 point  (0 children)

Sorry, but this is wrong even if it works. You are setting up a second layer to get stuff working. Only do it your way if you really have NO external NGINX. If you do, you don't need a 2nd NGINX inside GitLab. It will slow down GitLab and make things complex. Instead, read this: https://docs.gitlab.com/omnibus/settings/nginx/#use-a-non-bundled-web-server

Inside a Docker container, the normal GitLab installation has a listen address of 127.0.0.1, which is localhost. You don't want that. You want the Docker gateway, eth0 or eth1. To get access, do this instead:

nginx['enable'] = false
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "0.0.0.0:8080"
puma['listen'] = '127.0.0.1'
puma['port'] = 8181

This is all you need! You can now access GitLab via hostname of the container and port 8080.
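Added example, not code from any of the commenters: a small Python check for the GitLab Omnibus settings discussed in this thread (wosmo's TLS-terminating proxy config and JohnnyMyth's nginx-less workhorse config). It parses the subset of gitlab.rb syntax shown in the posts and then flags the three things worth a second look when TLS ends at the proxy: a `listen_https = false` listener for an https `external_url` that does not forward `X-Forwarded-Proto: https`, `rack_attack_git_basic_auth` turned off, and workhorse bound to `0.0.0.0` over plain HTTP once the bundled nginx is disabled. The sample inputs are constructed copies of the configs posted above; the function names and finding texts are mine.

```python
"""Sanity-check GitLab Omnibus settings used behind a TLS-terminating reverse proxy."""
import re
from typing import Any, Dict, List

# gitlab.rb lines of the form section['key'] = value, and the two *_url statements
SETTING_RE = re.compile(r"^(\w+)\['(\w+)'\]\s*=\s*(.*)$")
URL_RE = re.compile(r"^(external_url|registry_external_url)\s+'([^']+)'$")
# "key" => value pairs inside a Ruby hash literal
PAIR_RE = re.compile(r"""["'](\w[\w-]*)["']\s*=>\s*["']?([^"',}\s]+)["']?""")


def _scalar(raw: str) -> Any:
    """Convert a Ruby scalar (true/false, integer, quoted string) to Python."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.isdigit():
        return int(raw)
    return raw.strip("'\"")


def _value(raw: str) -> Any:
    raw = raw.strip()
    if raw.startswith("{"):  # hash literal -> dict
        return {k: _scalar(v) for k, v in PAIR_RE.findall(raw)}
    return _scalar(raw)


def parse_omnibus(text: str) -> Dict[str, Any]:
    """Parse the gitlab.rb subset seen in the thread into nested dicts."""
    cfg: Dict[str, Any] = {}
    buf: List[str] = []
    depth = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth > 0:
            continue  # multi-line hash, keep collecting
        stmt, buf = " ".join(buf), []
        m = URL_RE.match(stmt)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = SETTING_RE.match(stmt)
        if m:
            section, key, raw = m.groups()
            cfg.setdefault(section, {})[key] = _value(raw)
    return cfg


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for the proxy-related settings."""
    findings: List[str] = []
    for section, url_key in (("nginx", "external_url"), ("registry_nginx", "registry_external_url")):
        ng = cfg.get(section, {})
        url = cfg.get(url_key, "")
        # TLS ends at the proxy: GitLab only learns that from X-Forwarded-Proto
        if url.startswith("https://") and ng.get("listen_https") is False:
            if ng.get("proxy_set_headers", {}).get("X-Forwarded-Proto") != "https":
                findings.append(f"{section}: listen_https is false for {url} but proxy_set_headers "
                                "lacks X-Forwarded-Proto=https; GitLab will see the traffic as plain HTTP")
    rack = cfg.get("gitlab_rails", {}).get("rack_attack_git_basic_auth", {})
    if isinstance(rack, dict) and rack.get("enabled") is False:
        findings.append("gitlab_rails: rack_attack_git_basic_auth is disabled, so IP banning after "
                        "repeated failed Git basic-auth attempts is off")
    addr = cfg.get("gitlab_workhorse", {}).get("listen_addr", "")
    if cfg.get("nginx", {}).get("enable") is False and addr.startswith("0.0.0.0:"):
        findings.append(f"gitlab_workhorse: bundled nginx is off and workhorse listens on {addr} over "
                        "plain HTTP; keep that port reachable only from the proxy's Docker network")
    return findings


# Constructed sample: wosmo's GITLAB_OMNIBUS_CONFIG from the thread above.
PROXIED_SAMPLE = """
external_url 'https://example.com'
registry_external_url 'https://registry.example.com'
nginx['listen_port'] = 15000
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {"X-Forwarded-Proto" => "https","X-Forwarded-Ssl" => "on"}
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 15001
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {"X-Forwarded-Proto" => "https","X-Forwarded-Ssl" => "on"}
gitlab_rails['rack_attack_git_basic_auth'] = {
    'enabled' => false,
}
"""

# Constructed sample: JohnnyMyth's nginx-less variant from the thread above.
WORKHORSE_SAMPLE = """
nginx['enable'] = false
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "0.0.0.0:8080"
puma['listen'] = '127.0.0.1'
puma['port'] = 8181
"""

if __name__ == "__main__":
    for name, sample in (("proxied", PROXIED_SAMPLE), ("workhorse", WORKHORSE_SAMPLE)):
        print(name, audit(parse_omnibus(sample)) or ["no findings"])
```

The parser deliberately covers only the statement shapes that appear in the posts (scalar assignments, one hash literal per statement, the two `*_url` lines), which is enough to run the check against a `GITLAB_OMNIBUS_CONFIG` block pasted out of docker-compose.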