代理错误后面的docker容器中的Gitlab vs Registry
Posted
技术标签:
【中文标题】代理错误后面的docker容器中的Gitlab vs Registry【英文标题】:Gitlab vs Registry in docker container behind proxy ERROR 【发布时间】:2020-11-25 12:55:31 【问题描述】:我正在尝试启用在 centos lxd 容器上的 docker behing nginx 代理中运行的 gitlab 注册表 :)
Nginx在centos上的配置
server
listen *:80;
server_name registry.site.name;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
server
listen 443 ssl http2;
server_name registry.site.name;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/site.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.name/privkey.pem;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
location /
proxy_pass http://localhost:8085;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Url-Scheme $scheme;
Gitlab.rb 配置
registry_external_url 'https://registry.site.name'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry['registry_http_addr'] = "git.site.name:8085" # (it is the same as gitlab ip - 172.17.0.3:8085)
registry_nginx['enable'] = false
Docker 编写
version: '2.3'
services:
web:
image: 'gitlab/gitlab-ce:latest'
restart: always
container_name: 'git'
hostname: 'git.site.name'
ports:
- '22:22'
- '8081:8081'
- '8085:8085'
volumes:
- '/data/Projects/git/config:/etc/gitlab'
- '/var/log/git:/var/log/gitlab'
- '/data/Projects/git/data:/var/opt/gitlab'
network_mode: bridge
看起来不错。如果我向 registry.site.name 发出请求,我会在 gitlab/registry/current 日志中看到它。注册表页面在项目中也打开好了。
但是,我不能使用 CLI
每次我尝试docker login registry.site.name 时都会失败
Error response from daemon: Get https://registry.site.name/v2/: remote error: tls: protocol version not supported
而且这个请求在 git docker 容器之前就停止了,我的 nginx 代理日志:
2020/08/05 10:42:21 [crit] 268168#0: *9 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.200.3.1, server: 0.0.0.0:443
如果我尝试检查 tls1.2 连接,则会触发相同的错误
curl -I -v -L --tlsv1.2 --tls-max 1.2 registry.site.name
所以也许 docker login 使用 tls 1.2 但我不明白为什么它不起作用,因为我在 nginx 配置中设置了它。
我也从那个问题gitlab docker registry with external nginx and omnibus尝试了 nginx 配置
但仍然没有运气
【问题讨论】:
【参考方案1】:错误是 nginx config FOR git.site.conf 不包含 TLSv1.2
所以请确保两个配置(git®istry)都支持 tls 1.2
【讨论】:
以上是关于代理错误后面的docker容器中的Gitlab vs Registry的主要内容,如果未能解决你的问题,请参考以下文章
traefik 代理后面的 docker 中的 gitlab 失败(通常)
使用 Gitlab CI docker-in-docker 时如何修复 docker 容器中的“sh: tsc not found”错误