Gitlab behind a reverse proxy
I am using GitLab for private projects. GitLab is run using the Docker image provided by GitLab. I can access my instance from outside via a reverse proxy (Apache).
The setup is simple:
- GitLab Docker container is running on NUC and listens on port 7080 for HTTP connections
- NUC is connected via OpenVPN to the server on AWS
- Apache as a reverse proxy listening on port 443 for HTTPS
- Apache terminates SSL: incoming requests are HTTPS, but forwarded as HTTP to GitLab
- Apache forwards incoming requests to GitLab on Docker
Standard setup of GitLab in Docker with Apache as reverse proxy will give access to GitLab without problems. Start GitLab container, configure Apache, done. You can access GitLab from the internet, create repositories, clone, push, etc.
While the setup will work out of the box, you need to carry out additional configuration for GitLab to really make it work with SSL terminating. What is not working correctly is:
- The external URL is not configured, so the URL in the repository clone dialog is not using HTTPS.
- You cannot upload attachments in the Wiki
- You cannot add pictures in the Wiki via copy & paste from the clipboard
- Uploading files / images may work in the issues dialog, but not in the wiki, as the wiki is using different upload service.
Attaching an image from clipboard fails.
Problem
My external URL is https://gitlab.itsfullofstars.de. Setting this value as external URL in gitlab.rb. You configure GitLab by setting the parameters in the file gitlab.rb and then reconfigure GitLab.
## GitLab URL ##! URL on which GitLab will be reachable. external_url 'https://gitlab.itsfullofstars.de'
Run reconfigure to enable the configuration.
gitlab-ctl reconfigure
Accessing gitlab.itsfullofstars.de:
This will set all parameters in all involved components of GitLab based on the values set in gitlab.rb. You can see the new value by looking at the automatically generated configuration file for the internal web server.
## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: gitlab.itsfullofstars.de port: 443 https: true
The problem is: GitLab thinks it is running standalone, with direct access to the internet. There is not a specific parameter to inform that the requests are coming from a reverse proxy with SSL termination. Setting the values in gitlab.rb will result in an erroneous configuration:
- SSL for internal GitLab web server (nginx) is enabled
- Nginx is not listening on port 80, only on 443
- My Apache reverse proxy is configured to connect to nginx port 80. Hence the Service Unavailable error.
Port 80 is not working any longer. Accessing GitLab directly via 192.168.x.x:7443 on HTTPS port (Docker mapping 7443 to 443).
Access will work. GitLab tries to get a new TLS certificate during the reconfiguration process, but fails, therefore the self signed certificate.
Attaching an image won’t work
Because of the external_url value, GitLab will redirect to gitlab.itsfullofstars.de. As the reverse proxy is not able to connect, it’s a 503 error.
Configuring the external GitLab URLs results in:
- An incorrect HTTPS configuration due to wrong certificate
- Adjustment of Apache reverse proxy: no longer SSL termination
I do not want to take of managing GitLabs internal TLS certificate. I want to access it via HTTP only and use Apache for SSL termination.
Solution
The solution is to configure the external URL and to let the internal nginx run on port 80 and no HTTPS.
Gitlab.rb
Configure a value for external_url.
vim config/gitlab.rb
external_url 'https://gitlab.itsfullofstars.de' nginx['listen_port'] = 80 nginx['listen_https'] = false gitlab-ctl reconfigure
GitLab HTTP server
Check the configuration for the internal GitLab web server. The server should be gitlab.itsfullofstars, the port 80 and protocol HTTP.
more data/gitlab-rails/etc/gitlab.yml
## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: gitlab.itsfullofstars.de port: 80 https: false
Optional: Restart
Running reconfigure restarts the services, but if you want to be sure, restart GitLab.
gitlab-ctl restart
Apache configuration
My Apache configuration. Maybe not all parameters are needed, but it works.
<VirtualHost *:443> ServerName gitlab.itsfullofstars.de ProxyPreserveHost On ProxyRequests Off SSLProxyEngine on SSLEngine on SSLHonorCipherOrder on <Location /> RequestHeader unset Accept-Encoding RequestHeader set Host "gitlab.itsfullofstars.de" RequestHeader add X-Forwarded-Ssl on RequestHeader set X-Forwarded-Proto "https" ProxyPass http://nuc:7080/ ProxyPassReverse http://nuc:7080/ Order allow,deny Allow from all </Location> </VirtualHost>
Result
After executing the above steps, your configuration should be:
- External URL is https://gitlab.itsfullofstars.de
- The internal GitLab nginx is listening
- Port: 80
- Protocol: HTTP
- Server: gitlab.itsfullofstars.de
An external request is now for server gitlab.itsfullofstars.de. Apache does SSL termination, and nginx is accepting the request without either blocking it or trying to redirect to HTTPS.
Attaching an image to GitLab Wiki by pasting it from the clipboard
Links
Some resources I found while solving the issue for myself.
https://gitlab.com/gitlab-org/gitlab-ce/issues/27583
https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
10 Comments
Ernstl · February 10, 2020 at 19:54
This was helpful. Installed GitLab CE via Docker and was very upset with default configuration.
Chai · April 10, 2020 at 10:16
Can’t appreciate any more. It helps me sovle the problem.
Syndesi · May 1, 2020 at 21:27
Thank you 🙂
Tiemo · July 15, 2020 at 12:32
Thank you so much, Tobias! You made my day! Work like a charm.
ppenguin · November 18, 2020 at 11:45
Thanks, this saved me a lot of time, since the documentation is lacking in this respect (even though it must be a common case?). Much easier than completely switching of the internal nginx.
srikanth · October 19, 2021 at 02:07
Thanks for the details. What about the gitlab runner url configuration part.?
gitlab host url starts with https://gitlab.* on standalone nginx reverse proxy and docker gitlab-rail port pointed to 80. On the console, gitlab config for runner url shows are https://gitlab*:80 which will be problem runner configuration.
annonymous · April 7, 2024 at 07:36
It doesn’t work, contents of gitlab.yml are rewritten on every reconfigure.
Using Gitlab docker behind nginx proxy manager docker - Boot Panic · March 19, 2022 at 00:17
[…] I’ve tried this: https://www.itsfullofstars.de/2019/06/gitlab-behind-a-reverse-proxy/ […]
Using Gitlab docker behind nginx proxy manager docker - ITTone · April 6, 2022 at 07:02
[…] I’ve tried this:https://www.itsfullofstars.de/2019/06/gitlab-behind-a-reverse-proxy/ […]
Using Gitlab docker behind nginx proxy manager docker – Ten-tools.com · October 26, 2022 at 08:34
[…] I’ve tried this: Gitlab behind a reverse proxy | It’s full of stars! […]