Bad Gateway behind Reverse Proxy

archie · January 3, 2021, 8:41pm

Hello.

I’ve a Dockerised Nginx reverse proxy setup that works fine. Other web sites and apps are being serves as normal. However, after numerous tries, Gitlab still fails on me with a 502 Bad Gateway error.

Here is my docker-compose.yml file:

version: "3"

services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    container_name: gitlab
    restart: unless-stopped
    expose:
      - 80
    hostname: "https://gitlab.mydomain.com"
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.mydomain.com'
      VIRTUAL_HOST: gitlab.mydomain.com
      LETSENCRYPT_HOST: gitlab.mydomain.com
      LETSENCRYPT_EMAIL: me@mydomain.com
    volumes:
      - /srv/gitlab/config:/etc/gitlab
      - /srv/gitlab/logs:/var/log/gitlab
      - /srv/gitlab/data:/var/opt/gitlab

networks:
  default:
    external:
      name: nginx-proxy

It’s pretty much the same compared to the one suggested by the Gitlab documentation but has some minor additions to accomodate my Nginx reverse proxy.

After checking the logs, it can be seen that Chef is complaining:

================================================================================
Chef encountered an error attempting to load the node data for "https://gitlab.cansurmeli.com"
================================================================================
Unexpected Error:
-----------------
Chef::Exceptions::ValidationFailed: Property name's value https://gitlab.cansurmeli.com does not match regular expression /^[\-[:alnum:]_:.]+$/
System Info:
------------
chef_version=15.14.0
ruby=ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/chef-client
executable=/opt/gitlab/embedded/bin/chef-client

Running handlers:
Running handlers complete
Chef Infra Client failed. 0 resources updated in 01 seconds
There was an error running gitlab-ctl reconfigure:
Property name's value https://gitlab.cansurmeli.com does not match regular expression /^[\-[:alnum:]_:.]+$/
Thank you for using GitLab Docker Image!
Current version: gitlab-ce=13.7.1-ce.0
Configure GitLab for your system by editing /etc/gitlab/gitlab.rb file
And restart this container to reload settings.
To do it use docker exec:
  docker exec -it gitlab vim /etc/gitlab/gitlab.rb
  docker restart gitlab
For a comprehensive list of configuration options please see the Omnibus GitLab readme
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
If this container fails to start due to permission problems try to fix it by executing:
  docker exec -it gitlab update-permissions
  docker restart gitlab
Cleaning stale PIDs & sockets
Preparing services...
Starting services...
Configuring GitLab...
/opt/gitlab/embedded/bin/runsvdir-start: line 24: ulimit: pending signals: cannot modify limit: Operation not permitted
/opt/gitlab/embedded/bin/runsvdir-start: line 34: ulimit: max user processes: cannot modify limit: Operation not permitted
/opt/gitlab/embedded/bin/runsvdir-start: line 37: /proc/sys/fs/file-max: Read-only file system
Starting Chef Infra Client, version 15.14.0

I checked the gitlab.rb file inside the container and the external_url variable doesn’t have the https:// prefix even though I’ve explicitly defined it in the Compose file.

Also, when I list my containers, my gitlab container’s status is always up but its health is starting. I assume, because of its health status, when I exec into the container, it throws me out after a few moments.

I’ve been tackling this problem for a few days. Any suggestions?

hchouraria · February 6, 2021, 11:58pm

The hostname field requires just a name of the domain, but a HTTP protocol URL is being passed:

services:
  gitlab:
    […]
    hostname: "https://gitlab.mydomain.com"
    […]

Leading to the hostname content validation failing:

Chef::Exceptions::ValidationFailed: Property name’s value https://gitlab.cansurmeli.com does not match regular expression /^[1]+$/

-[:alnum:]_:. ↩︎

archie · February 7, 2021, 12:39pm

Yeah, you’re right. Couple a days ago, I realised that myself as well and changed it. Forgot to reflect on here. Thanks!

Although, there is a new error with the same outcome(502 Bad Gateway) right now. When I execute gitlab-ctl reconfigure, everything goes fine but in the end, it complains about Let’s Encrypt:

letsencrypt_certificate[gitlab.cansurmeli.com] (letsencrypt::http_authorization line 5) had an error: RuntimeError: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: RuntimeError: ruby_block[create certificate for gitlab.cansurmeli.com] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/acme/resources/certificate.rb line 108) had an error: RuntimeError: [gitlab.cansurmeli.com] Validation failed, unable to request certificate

Any ideas?

hchouraria · February 7, 2021, 12:51pm

I haven’t taken a deep look but perhaps this slightly older thread may offer some help: LetsEncrypt certificates fail in domain validation - #20 by mafftor

archie · February 8, 2021, 7:56am

Perhaps I missed something but that didn’t help.

Would really appreciate it if you could take a deep look.