带有外部 nginx 和 omnibus 的 gitlab docker 注册表
gitlab docker registry with external nginx and omnibus
我已经 运行 一个 docker 容器内的 gitlab 服务器和另一个 docker 容器内的外部 nginx 服务器,因此 gitlab nginx 服务器已停用。现在我想使用 gitlab 服务器中包含的 docker 注册表。
我尝试从管理手册中获取信息:https://docs.gitlab.com/ee/administration/container_registry.html
并使用来自链接文件的合适的 nginx 配置:
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/registry-ssl
我在 gitlab.rb 中添加了:
...
registry_external_url 'url'
registry_nginx['enable'] = false
registry['enable'] = true
...
但是如果我尝试登录(docker 登录 url),我只会收到 502 Bad Gateway 错误。我还尝试了一些其他的组合配置,但总是得到同样的错误。有人让它工作吗?我需要向 omnibus 文件添加更多设置,还是仍然无法将 gitlab 内部 docker 注册表与 omnibus 和外部 nginx 一起使用?
我也遇到了和你一样的问题,并通过以下方式解决了它:
Nginx:
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host:$request_uri;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate /etc/letsencrypt/live/registry.project-oc.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/registry.project-oc.de/privkey.pem; # managed by Certbot
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/gitlab/nginx/gitlab_registry_access.log;
error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
location / {
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_pass http://localhost:5000;
}
}
gitlab.rb
registry_external_url 'https://registry.project-oc.de'
registry_nginx['listen_port'] = 5000
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = false
registry['enable'] = true
编辑这两个文件后,您必须重新启动 nginx 和 gitlab
好的,我成功了。
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
upstream docker-registry {
server <ip_of_gitlab_docker_container>:<port_of_gitlab_container>;
}
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host:$request_uri;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate /etc/letsencrypt/live/sub.domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub.domain.tld/privkey.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
location /
{
# let Nginx know about our auth file
proxy_pass http://docker-registry;
proxy_set_header Host $host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /v2/ {
# To add basic authentication to v2 use auth_basic setting plus
# add_header
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
也许 Andrioshe 的 nginx 配置也可以,但我在尝试时做了一些更改并与其他配置混合。我认为普通 docker-regsitry 的配置文件也可以使用...将来会尝试。
不过更重要的是gitlab omnibus的配置。
registry_external_url 'https://sub.domain.tld'
registry['registry_http_addr'] = "<ip_of_gitlab_docker_container>:<port_of_gitlab_container>"
registry_nginx['enable'] = false
registry['enable'] = true
It is important to set the 'regsitry_http_addr' to the gitlab docker registry ip and port instead of localhost.
我从 docker 更新 Gitlab 后遇到了同样的问题。
刚刚通过添加修复:
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = false
registry['enable'] = true
上面的答案很好,但不太适合我的设置,因此我将在此处添加我的配置,以便对某些人有所帮助。我正在 运行 使用 compose Docker 构建官方 GitLab Docker 图像,并且我已经将 Traefik v2 设置为反向代理。这些设置取自 official GitLab Omnibus settings.
在docker-compose.yml的gitlab.rb环境变量部分:
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_external_url 'https://registry.example.com'
registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false"
然后在docker-compose.yml中添加如下标签:
- "traefik.http.routers.gitlab-registry.rule=Host(`registry.example.com`)"
- "traefik.http.routers.gitlab-registry.tls=true"
- "traefik.http.routers.gitlab-registry.entrypoints=websecure"
- "traefik.http.routers.gitlab-registry.service=gitlab-registry-service"
- "traefik.http.services.gitlab-registry-service.loadbalancer.server.port=80"
这些设置应该适用于注册表的相同域或不同域。 nginx 服务器 运行 注册中心被告知 运行 通过端口 80 上的纯 http,这使得与 Traefik 集成变得非常容易。
我已经 运行 一个 docker 容器内的 gitlab 服务器和另一个 docker 容器内的外部 nginx 服务器,因此 gitlab nginx 服务器已停用。现在我想使用 gitlab 服务器中包含的 docker 注册表。
我尝试从管理手册中获取信息:https://docs.gitlab.com/ee/administration/container_registry.html
并使用来自链接文件的合适的 nginx 配置: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/registry-ssl
我在 gitlab.rb 中添加了:
...
registry_external_url 'url'
registry_nginx['enable'] = false
registry['enable'] = true
...
但是如果我尝试登录(docker 登录 url),我只会收到 502 Bad Gateway 错误。我还尝试了一些其他的组合配置,但总是得到同样的错误。有人让它工作吗?我需要向 omnibus 文件添加更多设置,还是仍然无法将 gitlab 内部 docker 注册表与 omnibus 和外部 nginx 一起使用?
我也遇到了和你一样的问题,并通过以下方式解决了它:
Nginx:
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host:$request_uri;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name registry.project-oc.de;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate /etc/letsencrypt/live/registry.project-oc.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/registry.project-oc.de/privkey.pem; # managed by Certbot
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/gitlab/nginx/gitlab_registry_access.log;
error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
location / {
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_pass http://localhost:5000;
}
}
gitlab.rb
registry_external_url 'https://registry.project-oc.de'
registry_nginx['listen_port'] = 5000
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = false
registry['enable'] = true
编辑这两个文件后,您必须重新启动 nginx 和 gitlab
好的,我成功了。
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
upstream docker-registry {
server <ip_of_gitlab_docker_container>:<port_of_gitlab_container>;
}
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host:$request_uri;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name sub.domain.tld;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate /etc/letsencrypt/live/sub.domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sub.domain.tld/privkey.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/nginx/gitlab_registry_access.log;
error_log /var/log/nginx/gitlab_registry_error.log;
location /
{
# let Nginx know about our auth file
proxy_pass http://docker-registry;
proxy_set_header Host $host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /v2/ {
# To add basic authentication to v2 use auth_basic setting plus
# add_header
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
也许 Andrioshe 的 nginx 配置也可以,但我在尝试时做了一些更改并与其他配置混合。我认为普通 docker-regsitry 的配置文件也可以使用...将来会尝试。
不过更重要的是gitlab omnibus的配置。
registry_external_url 'https://sub.domain.tld'
registry['registry_http_addr'] = "<ip_of_gitlab_docker_container>:<port_of_gitlab_container>"
registry_nginx['enable'] = false
registry['enable'] = true
It is important to set the 'regsitry_http_addr' to the gitlab docker registry ip and port instead of localhost.
我从 docker 更新 Gitlab 后遇到了同样的问题。
刚刚通过添加修复:
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = false
registry['enable'] = true
上面的答案很好,但不太适合我的设置,因此我将在此处添加我的配置,以便对某些人有所帮助。我正在 运行 使用 compose Docker 构建官方 GitLab Docker 图像,并且我已经将 Traefik v2 设置为反向代理。这些设置取自 official GitLab Omnibus settings.
在docker-compose.yml的gitlab.rb环境变量部分:
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_external_url 'https://registry.example.com'
registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false"
然后在docker-compose.yml中添加如下标签:
- "traefik.http.routers.gitlab-registry.rule=Host(`registry.example.com`)"
- "traefik.http.routers.gitlab-registry.tls=true"
- "traefik.http.routers.gitlab-registry.entrypoints=websecure"
- "traefik.http.routers.gitlab-registry.service=gitlab-registry-service"
- "traefik.http.services.gitlab-registry-service.loadbalancer.server.port=80"
这些设置应该适用于注册表的相同域或不同域。 nginx 服务器 运行 注册中心被告知 运行 通过端口 80 上的纯 http,这使得与 Traefik 集成变得非常容易。