502 Bad Gateway - Unraid | Cloudflare | NGINX

  1. Bundled nginx doesn’t have to be disabled. If you do, however, you will need to look in the Gitlab documentation to make sure everything that the bundled Nginx did is now configured correctly on your external nginx. Thus, if you leave the bundled nginx running, all you need to worry about is forwarding from your external nginx to the internal/bundled one on Gitlab.
  2. If you do disable nginx in gitlab.rb, then none of the configuration is used.
  3. No, puma runs on port 8080 by default, therefore if you disable bundled nginx, ports 7380 and 7343 no longer exist. In that case, as per the Gitlab nginx documentation, the expanded nginx.config already mentioned in point 1 will need to be configured on your external nginx. A lot more work.

If it was me, I would leave nginx working on Gitlab using ports 7380 and 7343 (https) and use the external nginx to just redirect to those ports on the Gitlab nginx. Otherwise it gets more complicated.

Once you get the basic nginx redirecting from one to the other, only at this point would I think of disabling the bundled nginx if I felt it would give me benefits of some sort.

First, let’s forget about HTTPS and port 7343 for now. Let’s just configure it to work on port 7380 with normal http. Then later think about SSL if you want https → https between your external NGINX and Gitlab nginx. Try the following config options in gitlab.rb:

external_url 'http://gitlab.example.com:7380'

nginx['listen_port'] = 7380
nginx['proxy_protocol'] = true
nginx['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "http",
  # "X-Forwarded-Ssl" => "on",
  # "Upgrade" => "$http_upgrade",
  # "Connection" => "$connection_upgrade"
}

All those options exist in your gitlab.rb; just search for them rather than copy/pasting what I put above. You will notice 3 options are hashed, because they are related to SSL, which we are not using right now. Once you get it working on http, then you can try https by changing your external_url and changing http to https, and changing the port from 7380 to 7343. Then, unhash those three options, and you will also need to add:

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
nginx['listen_https'] = 7343

Gitlab nginx will still listen on 7380 and 7343. In theory, at this point, any connections to http on 7380 should automatically redirect to https on port 7343, although we don’t need that, since your external NGINX is working on port 80/443 anyway, so it’s irrelevant.

Again, only think about enabling those SSL options if you need to, and only after it works first on normal http.

I personally haven’t tried the above, but it should work. I would have to make a server and installation to physically test it, but I’m pretty sure it should work based on the Gitlab documentation.
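
The forwarding setup described in this post, as an added example that is not part of the original post: an external NGINX server block that proxies plain HTTP to the bundled Gitlab nginx on port 7380. The upstream address 192.0.2.10, the upstream name, the body-size limit and the timeouts are placeholders, and the block assumes the bundled nginx accepts ordinary HTTP connections, since `proxy_pass` in an `http` block does not send a PROXY protocol header.

```nginx
# Added example: external NGINX forwarding to Gitlab's bundled nginx.
# 192.0.2.10 is a placeholder for the host/container running Gitlab;
# 7380 and gitlab.example.com are the values used in the post.
upstream gitlab_bundled {
    server 192.0.2.10:7380;
}

server {
    listen 80;
    server_name gitlab.example.com;

    # NGINX's default body limit is 1m, which rejects most pushes and
    # uploads before they reach Gitlab. 512m is a constructed value.
    client_max_body_size 512m;

    location / {
        # Plain HTTP to the bundled nginx. A 502 from this server means
        # nothing usable answered on the upstream address and port.
        proxy_pass http://gitlab_bundled;
        proxy_http_version 1.1;

        # Same headers the post sets in nginx['proxy_set_headers'],
        # here supplied by the outer proxy.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any client-supplied X-Forwarded-For, so only the
        # entry added by this proxy is trustworthy downstream.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Constructed timeouts; large clones can exceed the 60s default.
        proxy_connect_timeout 10s;
        proxy_read_timeout    300s;
    }
}
```

Run `nginx -t` on the external proxy before reloading, and confirm from that same host that port 7380 on the Gitlab machine answers HTTP, because an unreachable or mismatched upstream is what the external NGINX reports as 502 Bad Gateway.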