Disable GitLab HTTP page

dkapoor · October 9, 2020, 5:04pm

I would like to completely disable (not redirect) the HTTP page for the web UI. Currently, the following is being shown when accessing the http url. The https page is working as expected.

400badrequest

For security reasons, I need there to be no result at all for the http page. I am hoping for a result like this:

cantreached

alhemicar · October 12, 2020, 9:13pm

What I would suggest is that you open /etc/nginx/sites-available/default and comment out the two lines:

 listen 80 default_server;
        listen [::]:80 default_server;

After that restart your nginx.

dkapoor · October 14, 2020, 2:03pm

I am using docker to deploy GitLab - I probably should have mentioned that in the original post. Do you know where I can find these settings if using docker?

Here is my docker-compose:

version: "3.1"
services:
    gitlab:
        image: 'hostname:9091/gitlab/gitlab-ce:13.2.4-ce.0'
        deploy:
          placement:
            constraints:
              - node.hostname == hostname.dev.local
          restart_policy:
            condition: any
        hostname: 'hostname.dev.local'
        environment:
            CHEF_FIPS: ''
            GITLAB_OMNIBUS_CONFIG: |
                external_url 'https://hostname:9096'
                gitlab_exporter['enable'] = false
                gitlab_rails['gitlab_username_changing_enabled'] = false
                gitlab_rails['gitlab_email_enabled'] = true
                gitlab_rails['gitlab_email_from'] = 'gitlab@hostname'
                gitlab_rails['gitlab_email_display_name'] = 'GitLab'
                gitlab_rails['gitlab_email_reply_to'] = 'noreply@nobody'
                gitlab_rails['smtp_enable'] = true
                gitlab_rails['smtp_address'] = "example.com"
                gitlab_rails['smtp_openssl_verify_mode'] = 'none'
                nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
        user: root
        ports:
            - '9096:9096'
            - '30022:22'
        volumes:
            - '/u01/cicd/gitlab/config:/etc/gitlab'
            - '/u01/cicd/gitlab/logs:/var/log//gitlab'
            - '/u01/cicd/gitlab/data:/var/opt/gitlab'
            - '/u01/cicd/toolkit:/var/opt/toolkit'
            - '/u01/cicd/gitlab/backups:/var/opt/gitlab/backups'
            - '/home/DEV/appadm/keystore:/keystores'

alhemicar · October 14, 2020, 9:09pm

Hmm i’m not familiar with docker however i might suggest then that you block the port 80 (HTTP server), if you only want access via HTTPS. I would add iptables rule in that case.

sudo iptables -A INPUT -p tcp  --dport 8080 -j DROP
sudo iptables -A INPUT -p tcp  --dport 80 -j DROP

This will disable HTTP access. However if that is something that doesn’t work out for you then just use the commands below to revert those changes.

sudo iptables -D INPUT -p tcp  --dport 8080 -j DROP
sudo iptables -D INPUT -p tcp  --dport 80 -j DROP

dkapoor · October 15, 2020, 4:10pm

Thanks for the suggestion, however I am using port 9096 for the connection. The valid url is https://hostname:9096/ and the one that I am trying to disable is http://hostname:9096/. So I am not sure how to block the port for http without also blocking it for https

alhemicar · October 20, 2020, 1:08pm

No problem. Good luck in finding a solution that suits you