I would like to completely disable (not redirect) the HTTP page for the web UI. Currently, the following is being shown when accessing the http url. The https page is working as expected.
For security reasons, I need there to be no result at all for the http page. I am hoping for a result like this:
What I would suggest is that you open /etc/nginx/sites-available/default
and comment out the two lines:
listen 80 default_server;
listen [::]:80 default_server;
After that restart your nginx.
I am using docker to deploy GitLab - I probably should have mentioned that in the original post. Do you know where I can find these settings if using docker?
Here is my docker-compose:
    version: "3.1"
    services:
      gitlab:
        image: 'hostname:9091/gitlab/gitlab-ce:13.2.4-ce.0'
        deploy:
          placement:
            constraints:
              - node.hostname == hostname.dev.local
          restart_policy:
            condition: any
        hostname: 'hostname.dev.local'
        environment:
          CHEF_FIPS: ''
          GITLAB_OMNIBUS_CONFIG: |
            external_url 'https://hostname:9096'
            gitlab_exporter['enable'] = false
            gitlab_rails['gitlab_username_changing_enabled'] = false
            gitlab_rails['gitlab_email_enabled'] = true
            gitlab_rails['gitlab_email_from'] = 'gitlab@hostname'
            gitlab_rails['gitlab_email_display_name'] = 'GitLab'
            gitlab_rails['gitlab_email_reply_to'] = 'noreply@nobody'
            gitlab_rails['smtp_enable'] = true
            gitlab_rails['smtp_address'] = "example.com"
            gitlab_rails['smtp_openssl_verify_mode'] = 'none'
            nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
        user: root
        ports:
          - '9096:9096'
          - '30022:22'
        volumes:
          - '/u01/cicd/gitlab/config:/etc/gitlab'
          - '/u01/cicd/gitlab/logs:/var/log//gitlab'
          - '/u01/cicd/gitlab/data:/var/opt/gitlab'
          - '/u01/cicd/toolkit:/var/opt/toolkit'
          - '/u01/cicd/gitlab/backups:/var/opt/gitlab/backups'
          - '/home/DEV/appadm/keystore:/keystores'
Hmm, I’m not familiar with Docker; however, I might suggest then that you block port 80 (HTTP server) if you only want access via HTTPS. I would add an iptables rule in that case.
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
This will disable HTTP access. However, if that is something that doesn’t work out for you, then just use the commands below to revert those changes.
sudo iptables -D INPUT -p tcp --dport 8080 -j DROP
sudo iptables -D INPUT -p tcp --dport 80 -j DROP
Thanks for the suggestion, however I am using port 9096 for the connection. The valid url is https://hostname:9096/ and the one that I am trying to disable is http://hostname:9096/. So I am not sure how to block the port for http without also blocking it for https
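A check for the outcome asked for above, added here as an example and not written by anyone in the thread: http:// and https:// requests to hostname:9096 arrive on the same TCP port, so a rule that matches on port alone treats them identically, and the difference only shows in how the server answers a cleartext request. The function name `probe_plain_http` and its verdict labels are assumptions of this example.

```python
import socket


def probe_plain_http(host, port, timeout=3.0):
    """Send one cleartext HTTP request and classify what comes back.

    Returns a (verdict, detail) tuple:
      ("refused", "")        nothing is listening, or the port is rejected
      ("timeout", "")        packets are dropped, or the server stays silent
      ("closed", "")         TCP accepted, then closed without sending a byte
      ("http", status_line)  the server answered in cleartext HTTP
      ("other", hex_prefix)  the server sent non-HTTP bytes (e.g. a TLS alert)
    """
    request = (
        f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    )
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            data = sock.recv(4096)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except (ConnectionResetError, BrokenPipeError):
        return ("closed", "")
    if not data:
        return ("closed", "")
    if data.startswith(b"HTTP/"):
        # Any status line here means the http:// URL still produces a page.
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("http", status_line)
    return ("other", data[:8].hex())


if __name__ == "__main__":
    # "hostname" and 9096 are the placeholder host and port from the thread.
    verdict, detail = probe_plain_http("hostname", 9096)
    print(verdict, detail)
```

A verdict of `http` means the cleartext URL still returns a page of some kind; `closed` or `timeout` corresponds to the "no result at all" behaviour the original post asks for.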
No problem. Good luck in finding a solution that suits you.