'GitLab Container Registry behind AWS Load Balancer

I currently have a GitLab instance setup behind an AWS load balancer (just to achieve HTTPS with my Amazon issued certificate). I'm running nginx for the main GitLab service with the following settings (from /etc/gitlab/gitlab.rb):

nginx['enable'] = true
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
    "X-Forwarded-Proto" => "https",
    "X-Forwarded-Ssl" => "on"
}

I was trying to setup something similar for the Container Registry:

registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5000
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "<REDACTED>"
gitlab_rails['registry_port'] = "5005"

However, whenever I try to login from my local machine via docker I just get 400 Bad Request. I believe the traffic is flowing as such:

Local --|HTTPS:5005|--> AWS ELB --|HTTP:5000|--> registry nginx --|HTTP:5005|--> GitLab Container Registry

Is that correct? Could the issue be that the traffic hitting the container registry is in the form of HTTP and is thus being rejected by the container registry service? If so, how would I correct my setup? I'd like to use GitLab's container registry if possible, but using AWS ECR is also a possibility.

UPDATE: Tried logging in from the GitLab instance to the container registry and received a 400 error code stating that the request header or cookie is too large. I'm trying to figure out how to update the nginx configuration for the container registry to allow for a larger request to be sent.

nginxgitlabelastic-load-balancer


Solution 1:[1]

here are my configurations that work for me with ALB that listen on port 5050 HTTPS and forwards to 5050 HTTP

nginx['listen_port'] = 80
nginx['listen_https'] = false
registry_external_url 'https://<subdomain>.<domain>:5050 
gitlab_rails['registry_enabled'] = false
registry_nginx['listen_https'] = false
registry_nginx['listen_port'] = 5050

to get to GitLab (not the registry) add another listener to ALB for HTTPS 443 to HTTP 80 and set

external_url 'https://<subdomain>.<domain>

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Anis

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function