GitLab SSH Access Configuration

Mihai Romania
Posts: 64
Joined: 2023 May 03, 14:12
Location: ROMANIA

Post by Mihai »

Overview:
This document describes the full process of configuring SSH access for a GitLab instance running inside a Docker container, behind an ISP router with dynamic IP, using Cloudflare DNS and a Cloudflare Tunnel for HTTPS.

Environment:

Code:

GitLab Docker Image      | gitlab/gitlab-ce:18.10.0-ce.0
Container IP             | 172.0.1.10 (cloudflare_tunnel network)
Docker Host LAN IP       | 192.168.1.70
GitLab HTTPS URL         | https://gitlab.url.tld
SSH Subdomain            | ssh.gitlab.url.tld
ISP DDNS Hostname        | your-ddns-hostname.go.ro
SSH Port                 | 2224
Network                  | Behind ISP NAT router, dynamic public IP

Problem:
Git clone via SSH was not working. The GitLab container was reachable only over HTTPS through a Cloudflare Tunnel. A hostname proxied by Cloudflare (orange cloud) forwards only HTTP/HTTPS on Cloudflare's fixed list of ports, and a Tunnel carries arbitrary TCP such as SSH only when every client runs cloudflared, so plain ssh/git clients connecting to port 2224 timed out.

Root Causes:
  • 1. expose in docker-compose.yml only declares a port for other containers on the same Docker network; it binds nothing on the host. ports is required to publish the SSH port.
  • 2. The hostname was proxied through Cloudflare (orange cloud). The proxy forwards only HTTP/HTTPS on Cloudflare's fixed list of ports, so a TCP connection to port 2224 is never passed on to the origin.
  • 3. No ISP router port forwarding rule existed for port 2224.
  • 4. The port mapping must be 2224:22, because sshd inside the GitLab container listens on port 22; mapping 2224:2224 points at a port nothing listens on.

Solution: Bypass Cloudflare for SSH
Use a dedicated subdomain ssh.gitlab.url.tld with DNS only (no Cloudflare proxy), pointing to the real public IP via the ISP's DDNS hostname. SSH traffic goes directly to the router, bypassing Cloudflare entirely. This also means the forwarded sshd is exposed to the whole internet, so after the change verify from outside that it accepts public keys only and that the host key fingerprints match those GitLab shows under Help > Instance configuration.

Code:

Client
  └── ssh.gitlab.url.tld (CNAME → your-ddns-hostname.go.ro, DNS only)
        └── public IP (86.254.30.0 is an example value; your router's current WAN address)
              └── ISP Router (port forward 2224 → 192.168.1.70)
                    └── Docker host :2224
                          └── GitLab container :22
  • Step 1 — Fix docker-compose.yml
Replace expose with ports and fix the port mapping. Note that a published port is bound on every host interface, and Docker inserts its own iptables rules ahead of host firewall front-ends such as ufw, so the ufw rule set alone does not restrict who can reach 2224:

Code:

services:
  code:
    image: 'gitlab/gitlab-ce:18.10.0-ce.0'
    restart: always
    hostname: 'gitlab.url.tld'
    container_name: gitlab.url.tld
    tty: true
    environment:
      TZ: Europe/Bucharest
    ulimits:
      sigpending: 62793
      nproc: 131072
      nofile: 60000
      core: 0
    expose:
      - 443             # reachable only by containers on the shared network (cloudflared); not bound on the host
    ports:
      - "2224:22"       # host:2224 → container:22 (GitLab SSH); binds 0.0.0.0, use "192.168.1.70:2224:22" to limit it to the LAN interface the router forwards to
    volumes:
      # The Docker socket gives any process in this container root-equivalent control of the host;
      # remove it unless something inside GitLab really needs it
      - /var/run/docker.sock:/var/run/docker.sock
      - /apps/docker/docker-containers/gitlab.url.tld/config:/etc/gitlab       # holds gitlab.rb
      - /apps/docker/docker-containers/gitlab.url.tld/logs:/var/log/gitlab
      - /apps/docker/docker-containers/gitlab.url.tld/data:/var/opt/gitlab
      - /apps/docker/docker-containers/gitlab.url.tld/hosts:/etc/hosts
      - /apps/docker/docker-containers/gitlab.url.tld/scripts-boot:/root/scripts-boot
    mac_address: 00:00:00:00:00:02
    networks:
      cloudflare_tunnel:
        ipv4_address: 172.0.1.10   # fixed address the cloudflared ingress points at
    shm_size: '1024m'

networks:
  cloudflare_tunnel:
    external: true      # created outside this file, shared with the cloudflared container

volumes:
  code:                 # declared but not referenced by the service above; harmless
    driver: local
Restart the container:

Code:

docker compose down && docker compose up -d
  • Step 2 — Configure Cloudflare DNS
Add a CNAME record pointing ssh.gitlab.url.tld to the ISP DDNS hostname:

Code:

Name               | Type  | Value                    | Proxy Status
ssh.gitlab.url.tld | CNAME | your-ddns-hostname.go.ro | ⬜ DNS only
Important: Proxy status must be DNS only (grey cloud). If proxied, the record resolves to a Cloudflare edge address and the proxy will not forward raw TCP/SSH traffic on port 2224.
  • Step 3 — ISP Router Port Forwarding
Log into the ISP router and add a port forwarding rule:

Code:

Name         | GitLab SSH
Protocol     | TCP
WAN Port     | 2224
LAN Host IP  | 192.168.1.70 (Docker host)
LAN Port     | 2224
  • Step 4 — Configure gitlab.rb
Edit /etc/gitlab/gitlab.rb inside the container (on the host it lives in the config volume, /apps/docker/docker-containers/gitlab.url.tld/config/gitlab.rb) and set the following fields:

Code:

external_url 'https://gitlab.url.tld'
# SSH configuration: these two settings only change the host and port GitLab
# prints in "Clone with SSH" URLs; sshd inside the container keeps listening on 22,
# the host port mapping and router rule do the actual forwarding
gitlab_rails['gitlab_shell_ssh_host'] = 'ssh.gitlab.url.tld'
gitlab_rails['gitlab_shell_ssh_port'] = 2224
Reconfigure GitLab:

Code:

docker exec -it gitlab.url.tld gitlab-ctl reconfigure   # gitlab.url.tld is the container_name from docker-compose.yml
Restart GitLab:

Code:

docker exec -it gitlab.url.tld gitlab-ctl restart
Refresh a project page in GitLab and open Clone with SSH: the URL should now read ssh://git@ssh.gitlab.url.tld:2224/<group>/<project>.git (GitLab switches to the ssh:// form whenever the port is not 22).
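To confirm the whole chain from a client, here is an added verification script; it is not part of the original post. It assumes the hostname and port configured above, a client with dig, ssh, ssh-keyscan and ssh-keygen installed, and carries a snapshot of Cloudflare's published IPv4 edge ranges (an assumption: refresh it from https://www.cloudflare.com/ips-v4 before relying on it) so it can tell a DNS-only record from one that is still proxied. The pure functions run offline; the live checks run only when the script is invoked with the argument live.

```shell
#!/bin/sh
# Added verification script for the GitLab-over-SSH set-up described above.
# Assumptions: SSH_HOST/SSH_PORT match gitlab.rb; dig, ssh, ssh-keyscan and
# ssh-keygen exist on the client machine running this.
SSH_HOST=ssh.gitlab.url.tld
SSH_PORT=2224

# Snapshot of Cloudflare's published IPv4 edge ranges (assumed current when
# written; fetch https://www.cloudflare.com/ips-v4 for the live list).
CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the prefix
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_cloudflare_ip IP -> exit 0 when IP is a Cloudflare edge address, i.e. the
# record is still proxied (orange cloud) and SSH will never reach the router
is_cloudflare_ip() {
    for cidr in $CLOUDFLARE_V4; do
        if in_cidr "$1" "$cidr"; then return 0; fi
    done
    return 1
}

# clone_url HOST PORT GROUP/PROJECT -> the SSH clone URL GitLab displays when
# the port is not 22 (ssh:// form with the port in the authority)
clone_url() {
    echo "ssh://git@$1:$2/$3.git"
}

# Live checks against the real deployment: sh check-gitlab-ssh.sh live
live_checks() {
    ip=$(dig +short A "$SSH_HOST" | tail -n 1)
    echo "$SSH_HOST resolves to $ip"
    if is_cloudflare_ip "$ip"; then
        echo "FAIL: that is a Cloudflare edge address; set the record to DNS only"
        return 1
    fi
    # Host key fingerprints: compare with Help > Instance configuration in GitLab
    ssh-keyscan -p "$SSH_PORT" "$SSH_HOST" 2>/dev/null | ssh-keygen -lf -
    # The exposed sshd must offer publickey only; "(publickey)" alone in the
    # denial means password authentication is disabled on the server
    if ssh -p "$SSH_PORT" -o BatchMode=yes -o PubkeyAuthentication=no \
          -o StrictHostKeyChecking=accept-new git@"$SSH_HOST" 2>&1 \
          | grep -q 'Permission denied (publickey)\.'; then
        echo "OK: sshd accepts public keys only"
    else
        echo "FAIL: sshd advertises authentication methods other than publickey"
        return 1
    fi
    # Authenticated test; GitLab answers "Welcome to GitLab, @username!"
    ssh -T -p "$SSH_PORT" git@"$SSH_HOST"
}

if [ "${1:-}" = live ]; then
    live_checks
fi
```

The DNS check matters more than it looks: a CNAME left on orange cloud resolves to a Cloudflare edge, the port forward on the router is never reached, and the symptom is an indistinguishable timeout. The password-authentication probe deliberately disables public keys on the client so that the server's denial message lists exactly the methods it is willing to accept.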