Exclusive port 443 access of the Gitlab Runner to the Gitlab instance

I have a self-managed version of Gitlab. I would like my Gitlab instance to be accessible only via a specific IP (ports 443, 80, 22). The problem here is that the Gitlab Runner needs access to the server via port 443. Since the Gitlab Runner is running on the Gitlab instance, would it be sufficient to give the Gitlab server's own IP access to port 443 via ufw?

For performance reasons, you shouldn’t be running anything else on your Gitlab server. The runner should be installed on a totally separate server.

That said, it should work as you mention by allowing access via ufw, but I don’t recommend it. You are only going to have performance issues in the future.


Thanks @iwalker for your reply. Those performance issues were not on my list. :wink: What is your recommendation for the technical specification of the Gitlab server?

A good start is 4 CPUs and 8 GB RAM, then it just depends on how many users, how many repositories, etc. to see if you need to increase it further, be it CPU/RAM or disk space.

Okay, thanks. That's very helpful.

I have configured the firewall. Ports 443 and 80 are open for the server's own IP. But unfortunately the Runner no longer has access to Gitlab.

I looked in /var/log/syslog and found a certificate error: tls: failed to verify certificate: x509: certificate signed by unknown authority.

After the renewal per https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server, the runner was accessible from Gitlab.
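As an added example (not part of the thread, and not GitLab's own tooling), the script below turns the two topics above into something reviewable: it generates the ufw rule set for the first question (only one admin IP may reach 22/80/443, and the GitLab host's own IP may reach 80/443 so a runner on the same box can call in), and it checks a GitLab TLS endpoint against the CA file that would later be handed to the runner as `tls-ca-file` in its `config.toml`, which is the kind of mismatch behind the "certificate signed by unknown authority" error seen in the syslog. The IP addresses are constructed documentation-range values, and `check_gitlab_ca` needs network access, so it is not exercised here. One caveat a practitioner should know before adding the from-self rule: ufw's default rules already accept loopback traffic, so that rule only matters when the runner's GitLab URL resolves to the host's external address rather than to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed (hypothetical) values: ADMIN_IP is the single workstation allowed
# in, SERVER_IP is the GitLab host's own address that a co-located runner
# connects to. Both are constructed RFC 5737 documentation addresses.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SERVER_IP="${SERVER_IP:-198.51.100.20}"

# Print the ufw commands instead of running them, so the rule set can be
# reviewed (and, here, tested) before it is applied to a live host.
gen_ufw_rules() {
    admin="$1"
    self="$2"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # Admin workstation: SSH, HTTP and HTTPS.
    for p in 22 80 443; do
        echo "ufw allow from $admin to any port $p proto tcp"
    done
    # Runner on the same host: HTTP/HTTPS only, deliberately no SSH.
    for p in 80 443; do
        echo "ufw allow from $self to any port $p proto tcp"
    done
}

# Apply the generated rules one by one, then enable ufw.
# Run this only over a console session, not over the SSH you are restricting.
apply_ufw_rules() {
    gen_ufw_rules "$1" "$2" | while read -r cmd; do
        sudo $cmd
    done
    sudo ufw --force enable
}

# Verify that the certificate served on host:443 chains to the CA in cafile,
# i.e. the same file the runner would get as tls-ca-file in config.toml.
# Returns non-zero on a verification failure (-verify_return_error), which
# is the condition the runner reports as "certificate signed by unknown
# authority". Needs network access; not run by the test.
check_gitlab_ca() {
    host="$1"
    cafile="$2"
    openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Stand-alone run: show the rule set for review.
gen_ufw_rules "$ADMIN_IP" "$SERVER_IP"
```

Usage: `ADMIN_IP=203.0.113.10 SERVER_IP=198.51.100.20 sh rules.sh` prints the rules; `apply_ufw_rules "$ADMIN_IP" "$SERVER_IP"` applies them; `check_gitlab_ca gitlab.example.com /etc/gitlab-runner/certs/ca.crt && echo ok` confirms the CA file matches the served chain before it is referenced from the runner's config.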