Changing GitLab's nginx proxy from using port 443 to something else

Hello Friends:

As of this writing, I have the latest version of GitLab CE (via RPM: gitlab-ce-13.1.0-ce.0.el7.x86_64.rpm).

I believe the included nginx proxy listens on port 443, and passes requests to backend services running on their respective domain-names and ports – e.g. gitlab.example.com:1443, registry.example.com:2443, mattermost.example.com:3443, and so on. (Note: I made those ports up).

In /etc/gitlab/gitlab.rb (or wherever else), how does one change the nginx port from 443 to something else (to say 8081), yet still preserve passing requests to the backend, as described above.

The reason I ask is that I’m already running behind a reverse proxy this is using port 443.

For my GitLab CE version, is the correct solution this one?

Thank you in advance! :relaxed:

1 Like

Hello :smile:

The port actually is determined by the external_url in the gitlab.rb. You can see how to customize that in our Omnibus NGINX documentation, but basically you can just specify the port like so:

external_url "https://gitlab.example.com:2443"

Which will then have GitLab NGINX listening on port 2443

Hi @olearycrew :

Thank you. Indeed I saw the docs. I had tried that, and while it does change the GitLab port, the nginx port remains at port 443. In other words, you end up with two ports, ports 2443 and 443 (among the rest), when you do that. So that doesn’t work (because port 443 is still in the way).

In fact, I tried many configuration variations, each having their own oddities. For example, leaving GitLab’s external_url without a port and changing the nginx port itself to, say, port 2443, causes both GitLab and nginx to use port 2443. Great, but as I recall (and forgive me because I’m typing this from my phone), either the registry or mattermost comes in to assume port 443 (now that it’s available). So then I tried configuring the services to use nginx and several others changes, but nothing achieved what I needed, which is this:

Have port 2443 be what nginx runs on (as the reverse proxy port), and then have every other omnibus service - gitlab, registry, mattermost - be accessible through that same 2443 port (instead of through port 443).

Try to achieve that. You may be surprised at how tricky it is. :blush:

In the end, I gave up because the series of changes were adding up, and I didn’t want the platform to become unstable because of undocumented methods or possible bugs.

If you come up with the series of changes to achieve the above, I’d love to try them. :relaxed: Thank you.

Regards,
Noelle

Hello @nmvega -

Thanks for the detailed response, especially from a mobile phone :wink:. I would agree that you have to weight the cost of maintenance in this customization, as it seems that it is not fully designed to make that particular set of ports easily configurable.

Another option you could try, though I’ve never done so myself and it has a high “maintenance cost” in your equation is injecting a custom NGINX configuration with the nginx['custom_nginx_config'] setting. This may allow you to “override” or change the settings that GitLab is writing to it’s own NGINX configuration…

I hesitate even saying that as a GitLab team member because it seems to me you could get into a situation that was hard to support, but figured I’d at least note that extra configuration piece if it helps :smile:

Hi again @olearycrew :

Thank you for your second reply. Yes, it’s complicated. :blush: So I think I’ll leave GitLab omnibus networking as default as possible. But other’s wandering here will definitely find our thread helpful. Thank you for the tips. :hugs:

1 Like