Reputation: 1944
I have been fighting with this configuration for days now, and whatever I do I cannot get it to work completely. Can anyone help me, please?
I am using the solution described here: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion, which works perfectly for all my other containers but not for GitLab. Using this method, only the GitLab login page is fully secured; once logged in, the green padlock and the text "Secure" go away and the https tells me: "Your connection to this site is not fully secure". I have checked the logs inside the GitLab container; it finds the SSL certificates fine and gives no other errors or indication that something is wrong. Anyone?
file: start.up
```bash
#!/bin/bash

# nginx container publishing ports 80 and 443
docker run -d \
  --name ng \
  -p 80:80 \
  -p 443:443 \
  -v /etc/nginx/conf.d \
  -v /root/network/nginx/vhost.d:/etc/nginx/vhost.d \
  -v /root/network/nginx/html:/usr/share/nginx/html \
  -v /root/network/nginx/certs:/etc/nginx/certs:ro \
  -e DEFAULT_HOST=domain.com \
  -e VIRTUAL_PROTO=https \
  -e VIRTUAL_PORT=443 \
  --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \
  nginx

# docker-gen: renders nginx.tmpl into /etc/nginx/conf.d/default.conf
docker run -d \
  --name ngg \
  --volumes-from ng \
  -v /root/network/nginx/templates:/etc/docker-gen/templates:ro \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  --label com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen \
  jwilder/docker-gen \
  -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

# Let's Encrypt companion: has write access to the shared certs directory
docker run -d \
  --name ngl \
  --volumes-from ng \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /root/network/nginx/certs:/etc/nginx/certs:rw \
  jrcs/letsencrypt-nginx-proxy-companion
```
file: docker-compose.yml
```yaml
version: "3"
services:
  gitlab:
    container_name: gl
    image: "gitlab/gitlab-ce:latest"
    restart: always
    hostname: "gitlab.domain.com"
    environment:
      GITLAB_OMNIBUS_CONFIG:
        external_url "https://gitlab.domain.com"
    expose:
      - 80
      - 443
      - 22
    volumes:
      - "./gitlab/config:/etc/gitlab"
      - "./gitlab/logs:/var/log/gitlab"
      - "./gitlab/data:/var/opt/gitlab"
      - "./nginx/certs:/etc/gitlab/ssl"
    environment:
      - VIRTUAL_HOST=gitlab.domain.com
      - LETSENCRYPT_HOST=gitlab.domain.com
      - [email protected]
    network_mode: "bridge"
```
Upvotes: 4
Views: 6615
Reputation: 316
I had the same problem and solved it by running GitLab docker on a custom HTTP port.
docker-compose.yaml:
```yaml
web:
  image: 'gitlab/gitlab-ee:latest'
  restart: always
  hostname: 'git.example.com'
  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url 'https://git.example.com'
      gitlab_rails['gitlab_shell_ssh_port'] = 2224
      nginx['listen_port'] = 8929
      nginx['listen_https'] = false
  ports:
    - '8929:8929'
    - '2224:22'
```
Nginx config:
```nginx
server {
    server_name git.example.com;

    location / {
        proxy_pass http://localhost:8929;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```
Upvotes: 0
Reputation: 160
I think you are missing the nginx config in your docker-compose.yml.
```yaml
environment:
  GITLAB_OMNIBUS_CONFIG: |
    external_url 'https://gitlab.example.com'
    nginx['listen_port'] = 80
    nginx['listen_https'] = false
    nginx['proxy_set_headers'] = {
      "X-Forwarded-Proto" => "https",
      "X-Forwarded-Ssl" => "on"
    }
```
The following gist helped me a lot! https://gist.github.com/netdesk/c1db2985b542f9916995139318e5a7ce
Upvotes: 5
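To check whether the forwarded-header settings suggested above actually removed the warning's cause, the following added example (not from any of the posts, and not GitLab or nginx-proxy code) lists the subresources that an HTTPS page still loads over plain HTTP. It assumes the "not fully secure" message comes from mixed content; `find_mixed_content`, `SAMPLE` and the asset paths in it are hypothetical names and constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser loads as part of the page.
# <a href> is left out on purpose: a link is navigation, not mixed content.
LOADED_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                "video": "src", "source": "src", "embed": "src", "link": "href"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url) pairs

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # Only <link rel="stylesheet"> is treated as a load; other rel values are skipped.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        value = attr_map.get(LOADED_ATTRS.get(tag, ""))
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, url)] for subresources an https:// page loads over http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample markup, not captured from GitLab.
SAMPLE = """
<link rel="stylesheet" href="http://gitlab.domain.com/assets/app.css">
<script src="/assets/app.js"></script>
<img src="//gitlab.domain.com/uploads/avatar.png">
<img src="http://gitlab.domain.com/uploads/logo.png">
<a href="http://gitlab.domain.com/help">Help</a>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://gitlab.domain.com/", SAMPLE):
        print(f"{tag}: {url}")
```

Run it against the saved HTML of a page viewed after logging in; an empty result means the backend no longer emits `http://` subresource URLs for that page.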