I just could not get this running.
I wanted a single machine running an instance of Gitlab behind a gateway firewall. Not too bad if you want to accept the http defaults, but who the hell wants to use plain old http these days ?
Gitlab config is messy and this particular issue is not very well explained IMHO. But anyways, here is how I did it. I am assuming you know what you are doing here.
I had Gitlab running, but like many I struggled with the reverse proxy. I am grateful to this post which finally helped me unravel things. It was a bit out of date as it was for Apache 2.2 and not 2.4 I think (the proxy lines gave an error) but it pointed me in the right direction:
https://oliversmith.io/technology/2014/07/18/reverse-proxying-gitlab-with-apache-and-ssl/
This method leaves Gitlab running its own version of nginx with SSL and reverse proxying Apache to that. It is simple and works.
First, get your ducks in a row.
I decided to use Devuan. A bit of systemd free goodness :-)
I am going to use an external port of 8443 with Apache, reverse proxying that to the Gitlab port on 4443. Make sure you have the port forwarded on your firewall. I also suggest adding some iptables rules on your server just for good measure, so allow the right ports there too.
So install Devuan (ASCII), gitlab-ce (cheat and use the debian repo) and apache.
For gitlab-ce, a sources.list file with this (you'll need keys and all that jazz):
deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ jessie main
Get yourself a Letsencrypt certificate. They are free. It is pointless not doing this.
You don't need bloatware - use the dehydrated script from here:
https://github.com/lukas2511/dehydrated
Here's my gitlab.rb, showing only the uncommented lines. It lets Gitlab run its own instance of nginx, but on an https/ssl port. We will then use Apache to proxy to it.
cat /etc/gitlab/gitlab.rb |egrep -v "(^#.*|^$)"
external_url 'https://gitlab.example.com:4443'
nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/privkey.pem"
For Apache you will need some modules:
a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html xml2enc ssl
I suggest you check that you can hit the Apache instance both internally and externally, using first http and then https.
cat /etc/apache2/ports.conf |egrep -v "(^#.*|^$)"
# http Listen disabled
# Note if you do not add 0.0.0.0 you will get IPv6 only !
Listen 0.0.0.0:8443
cat /etc/apache2/sites-available/gitlab-https.conf |egrep -v "(^#.*|^$)"
# The <VirtualHost> and <Proxy> wrapper lines are assumed here: the angle-bracket
# lines are missing from the post as published (most likely eaten by the blog's HTML).
<VirtualHost *:8443>
ServerName gitlab.example.com
SSLEngine on
SSLCertificateFile /etc/gitlab/trusted-certs/fullchain.pem
SSLCertificateKeyFile /etc/gitlab/trusted-certs/privkey.pem
<Proxy *>
Require all granted
</Proxy>
SSLProxyEngine on
ProxyRequests Off
ProxyPass / https://gitlab.example.com:4443/
ProxyPassReverse / https://gitlab.example.com/
Header edit Location ^http://gitlab.example.com/ https://gitlab.example.com/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
(make sure there is a symlink in sites-enabled; a2ensite gitlab-https creates it, then reload Apache)
I basically got Gitlab running in standard mode with no SSL, then Apache in http mode, and only then added SSL to Gitlab and to Apache.
Some handy check commands for ports etc:
netstat -anp |grep apache
netstat -tan | grep 4443
iptables -L -n -v
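An added example, not from the original post: a small POSIX shell helper that reads netstat -tan style output and tells you whether a port is listening on IPv4, only on IPv6 (the ":::8443" symptom the ports.conf note above warns about when 0.0.0.0 is left off), or not at all, then audits the 4443 and 8443 ports this setup depends on. The netstat lines in SAMPLE_NETSTAT are constructed sample output so the script runs offline; on the real server pipe the actual command in, e.g. netstat -tan | listener_state 8443.

```shell
#!/bin/sh
# Added example (not from the original post). Classify a TCP port from
# "netstat -tan" style output:
#   exit 0 -> listening on IPv4 (0.0.0.0 or a specific v4 address)
#   exit 1 -> listening on IPv6 only (e.g. ":::8443", the plain "Listen 8443" trap)
#   exit 2 -> no LISTEN socket on that port at all
# The body runs in a subshell so "set -f" (no pathname expansion while splitting
# fields such as "0.0.0.0:*") cannot leak into the caller's shell.
# Usage on a real box:  netstat -tan | listener_state 8443
listener_state() (
    port="$1"
    state=2
    set -f
    while IFS= read -r line; do
        case "$line" in
            *LISTEN*) ;;          # only listening sockets matter here
            *) continue ;;
        esac
        set -- $line              # split into fields; field 4 is Local Address
        local_addr="$4"
        case "$local_addr" in
            "0.0.0.0:$port"|*.*.*.*:"$port")
                return 0 ;;       # an IPv4 listener is what we want
            ":::$port"|*::*:"$port")
                state=1 ;;        # IPv6 only; keep looking for an IPv4 one
        esac
    done
    return "$state"
)

# Check every port the setup depends on and return how many are NOT reachable
# over IPv4. $1 is the netstat output (as a string), the remaining args are ports.
audit_ports() {
    output="$1"; shift
    problems=0
    for p in "$@"; do
        rc=0
        printf '%s\n' "$output" | listener_state "$p" || rc=$?
        case "$rc" in
            0) echo "port $p: OK (IPv4 listener)" ;;
            1) echo "port $p: IPv6 only - use 'Listen 0.0.0.0:$p'"; problems=$((problems + 1)) ;;
            *) echo "port $p: nothing listening"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample: Gitlab's nginx on 4443 (IPv4), Apache wrongly IPv6-only on
# 8443, and an established (not listening) ssh connection for contrast.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4443          0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED'

# Report on the sample; on this input two of the three ports need attention.
audit_ports "$SAMPLE_NETSTAT" 4443 8443 22 || echo "$? port(s) need attention"
```

The function keys on the Local Address column only, so it works the same on the loopback-bound 4443 listener and the externally exposed 8443 one; an IPv4-mapped address such as ::ffff:10.0.0.5:8443 is counted as IPv4, which is what you want.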
Hope that helps someone.