Hello!
I’ve recently updated my setup from Debian 10 (Buster) to Debian 11 (Bullseye) and have Gitlab installed.
I’m using Apache instead of Nginx as the system is being used as a website development server which is making use of port 80 and 443.
On my Debian 10 setup I was able to access Gitlab through a proxy / reverse proxy on a subdomain, e.g. “git.example.com”; settings can be found below.
However in Debian 11 with the same configuration and setup, I am faced with an error 404 response.
Issue | Error Message
“404 : The page could not be found or you don’t have permission to view it.”
Information
Notes:
- System is running in Oracle Virtual Machine: Virtual Box
- Example.com is used in place of my DNS / domain
- Setup uses Subdomain access
- GitLab has been configured with the use of Apache2 instead of Nginx
- Docker is NOT being used.
- Port Forwarding has been configured (Router, VM and UFW Firewall)
Apache2 Modules
- headers
- rewrite
- ssl
- proxy
- proxy_http
Installation
Gitlab CE Packages
```
curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo apt-get install gitlab-ce
```
Gitlab.rb
```
nano /etc/gitlab/gitlab.rb
```

```ruby
## Set Url
external_url "https://gitlab.example.com"

## Give apache user privileges to listen to gitLab
web_server['external_users'] = ['www-data']
web_server['username'] = 'apache' # updated: apache, default: gitlab-www
web_server['group'] = 'apache' # updated: apache, default: gitlab-www

## Disable nginx
nginx['enable'] = false

## Config network
gitlab_workhorse['enable'] = true
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_umask'] = 0
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
gitlab_workhorse['auth_backend'] = "http://127.0.0.1:8080"

# Puma
puma['listen'] = '127.0.0.1'
puma['port'] = 8080
```
Apache Http.conf
```
nano /etc/apache2/sites-available/http.conf
```

```apache
<VirtualHost *:80>
  ServerName git.example.com
  ServerSignature Off

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
```
Apache Https.conf
```
nano /etc/apache2/sites-available/https.conf
certbot --apache
```

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
  # Server
  ServerName git.example.com
  ServerSignature Off
  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://git.example.com
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # Needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # The default directory log is usually /var/log/httpd
  # As this is an Apache2 configuration, use of ${APACHE_LOG_DIR} may be more appropriate
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog ${APACHE_LOG_DIR}/git.example.com_error.log
  CustomLog ${APACHE_LOG_DIR}/git.example.com_forwarded.log common_forwarded
  CustomLog ${APACHE_LOG_DIR}/git.example.com_access.log combined env=!dontlog
  CustomLog ${APACHE_LOG_DIR}/git.example.com.log combined

  # SSL
  # Use strong encryption ciphers only
  # See ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off

  SSLCertificateFile /etc/letsencrypt/live/git.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/git.example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```
System & Gitlab
```
gitlab-rake gitlab:env:info

System: Debian 11
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version:2.2.33
Rake Version: 13.0.6
Redis Version: 6.2.6
Sidekiq Version:6.4.0
Go Version: unknown

GitLab information
Version: 14.10.0
Revision: 88da5554d96
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.7
URL: https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL: git@git.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.25.1
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
Gitlab Status
```
service gitlab-runsvdir status

gitlab-runsvdir.service - GitLab Runit supervision process
     Loaded: loaded (/lib/systemd/system/gitlab-runsvdir.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-05-01 16:48:52 BST; 40min ago
   Main PID: 1786 (runsvdir)
      Tasks: 304 (limit: 4915)
     Memory: 2.8G
        CPU: 43min 49.508s
     CGroup: /system.slice/gitlab-runsvdir.service
             ├─1786 runsvdir -P /opt/gitlab/service log: ..............................................................>
             ├─1788 runsv node-exporter
             ├─1789 runsv grafana
             ├─1790 runsv gitlab-workhorse
             ├─1791 runsv sidekiq
             ├─1792 runsv gitlab-kas
             ├─1793 runsv puma
             ├─1794 runsv prometheus
             ├─1795 runsv redis
             ├─1796 runsv postgresql
             ├─1797 runsv postgres-exporter
             ├─1798 runsv logrotate
             ├─1799 runsv redis-exporter
             ├─1800 runsv alertmanager
             ├─1801 runsv gitlab-exporter
             ├─1802 runsv gitaly
             ├─1803 svlogd -tt /var/log/gitlab/node-exporter
             ├─1804 svlogd -tt /var/log/gitlab/prometheus
             ├─1805 svlogd /var/log/gitlab/gitlab-workhorse
             ├─1806 svlogd -tt /var/log/gitlab/gitlab-kas
             ├─1807 svlogd -tt /var/log/gitlab/puma
             ├─1808 svlogd -tt /var/log/gitlab/redis
             ├─1809 svlogd /var/log/gitlab/sidekiq
             ├─1810 svlogd -tt /var/log/gitlab/logrotate
             ├─1811 /opt/gitlab/embedded/bin/node_exporter --web.listen-address=localhost:9100 --collector.mountstats ->
             ├─1812 svlogd -tt /var/log/gitlab/grafana
             ├─1813 svlogd -tt /var/log/gitlab/gitlab-exporter
             ├─1814 svlogd -tt /var/log/gitlab/postgresql
             ├─1815 svlogd -tt /var/log/gitlab/redis-exporter
             ├─1816 svlogd -tt /var/log/gitlab/alertmanager
             ├─1817 svlogd -tt /var/log/gitlab/postgres-exporter
             ├─1818 svlogd /var/log/gitlab/gitaly
             ├─1819 /opt/gitlab/embedded/bin/prometheus --web.listen-address=localhost:9090 --storage.tsdb.path=/var/op>
             ├─1820 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork tcp -listenUmask 0 -listenAddr localhost:8>
             ├─1821 /opt/gitlab/embedded/bin/gitlab-kas --configuration-file /var/opt/gitlab/gitlab-kas/gitlab-kas-conf>
             ├─1823 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper
             ├─1824 /opt/gitlab/embedded/bin/redis-server unixsocket:/var/opt/gitlab/redis/redis.socket
             ├─1825 ruby /opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster -e production -r /opt/gitlab/emb>
             ├─1833 /opt/gitlab/embedded/bin/postgres -D /var/opt/gitlab/postgresql/data
             ├─1834 /opt/gitlab/embedded/bin/redis_exporter --web.listen-address=localhost:9121 --redis.addr=unix:///va>
             ├─1835 /opt/gitlab/embedded/bin/alertmanager --web.listen-address=localhost:9093 --storage.path=/var/opt/g>
```
Debugging
As this is a system running in a VM, I’ve made restore points to recover the VM and rollback if necessary.
Attempts made
- Change folder permissions and ownership of gitlab.rb & /opt/gitlab/embedded/service/gitlab-rails/public
- Checked examples of Apache Configurations from various sources
- Cleared Cache / Cookies in browser
- Used other browsers to attempt loading
- Tried loading Gitlab through localhost on Debian server directly “same result as accessing via git.example.com”
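
An added example, not part of the original post and not GitLab's own tooling: a small Python check that the two posted files agree on the public hostname and the gitlab-workhorse address, and that lists legacy protocols the `SSLProtocol` line leaves enabled. The embedded snippets are lines copied from the post; `rb_value` and `check` are hypothetical helper names, and the script only reports inconsistencies.

```python
import re
from urllib.parse import urlsplit

# Sample input: the relevant lines, copied from the configuration in the post.
GITLAB_RB = """\
external_url "https://gitlab.example.com"
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
"""
APACHE_VHOST = """\
ServerName git.example.com
ProxyPreserveHost On
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
SSLProtocol all -SSLv2
"""

def rb_value(text, key):
    """Return the quoted string set for `key` in gitlab.rb text (comments skipped)."""
    pat = r"^\s*" + re.escape(key) + r"\s*=?\s*[\"']([^\"']+)[\"']"
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None

def check(gitlab_rb, vhost):
    """Hypothetical helper: list mismatches between gitlab.rb and the vhost."""
    findings = []
    # 1. ProxyPreserveHost On passes the client's Host header to the backend,
    #    so external_url should use one of the ServerName values.
    ext_host = urlsplit(rb_value(gitlab_rb, "external_url") or "").hostname
    names = re.findall(r"^\s*ServerName\s+(\S+)", vhost, re.M)
    if ext_host not in names:
        findings.append(f"external_url host {ext_host} is not a ServerName {names}")
    # 2. Every [P] RewriteRule must target the workhorse TCP listener.
    listen = rb_value(gitlab_rb, "gitlab_workhorse['listen_addr']")
    rule = r"^\s*RewriteRule\s+\S+\s+https?://([^/%\s]+)\S*\s+\[[^\]]*\bP\b"
    targets = sorted(set(re.findall(rule, vhost, re.M)))
    if not targets:
        findings.append("no [P] RewriteRule forwards requests to a backend")
    findings += [f"proxy target {t} differs from workhorse listen_addr {listen}"
                 for t in targets if t != listen]
    # 3. 'all' enables every protocol the OpenSSL build supports; only explicit
    #    '-Proto' tokens on the same line remove one. A later Include can override.
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", vhost, re.M)
    tokens = m.group(1).split() if m else []
    if "all" in tokens or "+all" in tokens:
        legacy = [p for p in ("SSLv3", "TLSv1", "TLSv1.1") if "-" + p not in tokens]
        if legacy:
            findings.append("SSLProtocol all leaves enabled: " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for finding in check(GITLAB_RB, APACHE_VHOST):
        print("WARN:", finding)
```

To run it against a live system, read `/etc/gitlab/gitlab.rb` and the vhost file into the two arguments of `check` instead of the embedded samples.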