Nicetyone

Reputation: 1

Using GitLab Container Registry Internally with HTTP Only (No HTTPS) (Selfhosted)

Hello,

I'm working on setting up a CI/CD pipeline with GitLab in my local environment, and I need some advice on using the GitLab Container Registry internally, strictly over HTTP without HTTPS.

Current Setup:

The Challenge:

Internally, I want to set up and use the GitLab Container Registry, but I would like to avoid using HTTPS for internal communications within my Proxmox network. Since all the traffic within my network is private and secure, I see no need to enforce HTTPS, which is adding unnecessary complexity.

Questions:

  1. Is it possible to configure the GitLab Container Registry to use HTTP only for internal traffic? I want to bypass HTTPS for the registry when accessed within my Proxmox network.
  2. How can I configure my GitLab CI/CD pipelines to communicate with the registry over HTTP without SSL? I'm looking for guidance on any specific configuration changes or environment variables that need to be set.
  3. Are there any security considerations or best practices I should be aware of when doing this? Since I'm keeping everything internal, I want to make sure I'm not introducing any security risks by disabling HTTPS.

I'm really looking forward to learning how to streamline my internal CI/CD workflow while keeping the setup simple and effective. Any help or pointers would be greatly appreciated!

Thanks in advance!

We tried to expose it through the Zero Trust authentication, which unfortunately did not work out. We passed the verification, but it failed later on and we can't really identify the issue.

Beside that we don't think it's the right way to get out of the local network, just to come back to it later on to access the container registry.

Upvotes: 0

Views: 839

Answers (1)

Kevin M

Reputation: 11

Even locally, you typically would want TLS in play because credentials are being passed between different tools and resources, deployment environments, etc. Credentials can be plucked off the wire, even remotely, when doing things via insecure means. There may even be more headaches when dealing with browsers or toolchains warning, or even failing to establish connections, because of violating security practices.

GitLab provides some easiER workflows with issuing Let's Encrypt certificates to make the process better, but certs will always introduce some level of administrative burden. Let's Encrypt automation reduces this burden. Once you have it set up, renewals should be relatively painless.

So, with that being said, I'm pretty certain you just need to make sure the base URL (external_url) of your instance is using http://<url> vs https://<url> in the gitlab.rb, and make sure you comment out any nginx cert variables.

EDIT: and to expose the container registry without TLS, it's the same procedure: set registry_external_url to use http://<url>

Some sleuthing into what other problems may be happening: the nginx reverse proxy in the GitLab services stack may also need to accommodate this.

```ruby
# /etc/gitlab/gitlab.rb

# Disable Let's Encrypt
letsencrypt['enable'] = false

# Disable automatic redirection to HTTPS
nginx['redirect_http_to_https'] = false
registry_nginx['redirect_http_to_https'] = false

# Ensure SSL is disabled for the registry
registry_nginx['ssl_certificate'] = nil
registry_nginx['ssl_certificate_key'] = nil
```

Upvotes: 1
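The answer above covers the server side in gitlab.rb. The following .gitlab-ci.yml is an added example, not part of the original question or answer, showing the client side of the same HTTP-only setup: the Docker daemon refuses a plain-HTTP registry unless it is listed as insecure, so the dind service has to be started with that flag. The hostname gitlab.internal.example and the port 5050 are assumptions standing in for whatever registry_external_url is set to; CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD and CI_REGISTRY_IMAGE are GitLab's predefined CI variables.

```yaml
# Added example (not the original poster's or answerer's code): build and push
# an image to a GitLab Container Registry served over plain HTTP.
# Assumed: registry_external_url 'http://gitlab.internal.example:5050' in
# gitlab.rb, and a runner using the docker executor with a docker:dind service.
stages:
  - build

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_TLS_CERTDIR: ""            # plain (non-TLS) socket between job and dind
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

build-image:
  stage: build
  image: docker:27
  services:
    - name: docker:27-dind
      # Without this flag dockerd tries HTTPS only and fails with
      # "server gave HTTP response to HTTPS client". Host:port must match
      # what GitLab exposes as CI_REGISTRY.
      command: ["--insecure-registry=gitlab.internal.example:5050"]
  script:
    # CI_REGISTRY is host:port with no scheme; the daemon falls back to HTTP
    # only because the registry is marked insecure above. The job token in
    # CI_REGISTRY_PASSWORD therefore crosses the wire unencrypted.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
```

The same allowance is needed on any host that pulls from the registry directly (a Proxmox VM running docker, or a runner using the shell executor): add `"insecure-registries": ["gitlab.internal.example:5050"]` to /etc/docker/daemon.json and restart the daemon. Keep in mind that this is exactly the trade-off the answer warns about: the job token and any personal access token used for docker login are sent as plain HTTP basic-auth, readable by anyone on the path between the runner and GitLab.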
