Gitlab Behind an Apache Reverse proxy with SSL


#1

Hey

I have two servers on the same network. Server “A” is the web server for our LAN party website; it runs Debian 9.4 with Apache2 and gets its SSL certificate from LetsEncrypt.
Server “A” is also responsible for proxying every request to server “B” and upgrading the connection to use HTTPS.

Server “B” is running Ubuntu 18.04 as a dedicated Gitlab server (in a Docker container) for development of the website and the other tools we use at the party.

Everything works fine when I use HTTPS, but
the problem begins when I try to set up HTTPS; then I always get

> Service Unavailable
> The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

What I have tried so far:

I have read this site to try to enable HTTPS

Using this config file on Apache2

Tried changing different headers on the proxy

And much more :confused:


#2

I had a similar issue which I resolved, but I’m currently out on the road so I can’t post my configs.

Will try to do so later today.


#3

FYI my install is a gitlab-ce on Devuan.

Here is the apache2 sites-enabled config. Note that I use 8443 as the external HTTPS port.

    <VirtualHost *:8443>
        ServerName gitlab.mydomain.com
        SSLEngine on
        SSLCACertificateFile /etc/gitlab/trusted-certs/cert.pem
        SSLCertificateFile /etc/gitlab/trusted-certs/fullchain.pem
        SSLCertificateKeyFile /etc/gitlab/trusted-certs/privkey.pem

        <Proxy *>
            Require all granted
        </Proxy>

        # Speak TLS to the GitLab-bundled nginx on the backend; forward proxying stays off
        SSLProxyEngine on
        ProxyRequests Off
        ProxyPass / https://gitlab.mydomain.com:4443/
        ProxyPassReverse / https://gitlab.mydomain.com/

        # Rewrite any plain-http Location header coming back from the backend,
        # and tell GitLab that the client arrived over HTTPS
        Header edit Location ^http://gitlab.mydomain.com/ https://gitlab.mydomain.com/
        RequestHeader set X-Forwarded-Proto "https"
    </VirtualHost>

Here are the relevant bits in gitlab.rb:

    external_url 'https://gitlab.mydomain.com:4443'
    nginx['ssl_client_certificate'] = "/etc/gitlab/trusted-certs/cert.pem"
    nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/fullchain.pem"
    nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/privkey.pem"

Here are the scp commands from the Letsencrypt server to the gitlab box.

You will need a gitlab-ctl reconfigure so that gitlab picks the certs up and generates the correct links.

Note I also use a non-standard SSH port.

    scp -P 2211 /etc/dehydrated/certs/mydomain.com/fullchain.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/fullchain.pem
    scp -P 2211 /etc/dehydrated/certs/mydomain.com/privkey.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/privkey.pem
    scp -P 2211 /etc/dehydrated/certs/mydomain.com/cert.pem root@gitlab.mydomain.com://etc/gitlab/trusted-certs/cert.pem

Hope that gets you running - took me days to figure this lot out.

Essentially you leave the nginx web server running and proxy external -> apache -> nginx -> gitlab.

You CAN dispense with nginx, but then you need to proxy direct to the various required ports - see the gitlab nginx confs if you want to see how. I decided it was easier to leave the CE nginx install in place and running.

Note also that I don’t run any http only access to the gitlab box.

Hope that helps…


#4

Super duper much thank you <3
I just needed to add

    # This will enable the Rewrite capabilities
    RewriteEngine On

    # This checks to make sure the connection is not already HTTPS
    RewriteCond %{HTTPS} !=on

    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

Thank you again, I have now struggled with this problem for over a month >.<


#5

Hi @xaner4 and @reetp

I am struggling with this issue and have been for weeks. I reached the web set-up and went through all of it, but could never reach the gitlab CE using my subdomain. I finally decided to uninstall gitlab and start from scratch. I posted in this forum but have not received any comment.

How is your system working? And what advice, from your experience, do you have as I proceed with this solution?

Is it possible to post other relevant pieces of gitlab.rb, please?

Is it true the <VirtualHost *:4443> resides on the reverse proxy server, which is also called the apache2 sites-enabled config and the Letsencrypt server?

What is the apache2 configuration on the gitlab box? What is meant by “Note also that I don’t run any http only access to the gitlab box.”?

Thanks!


#6

I don’t remember much of how I did it right now, but here is the only part of the gitlab.rb file that is related to this.

    external_url 'https://gitlab.domain.com'
    gitlab_rails['trusted_proxies'] = ["172.16.1.50"] # The local address of the Apache box
    nginx['ssl_client_certificate'] = "/etc/gitlab/trusted-certs/cert.pem"
    nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/fullchain.pem"
    nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/privkey.pem"

You need to have the SSL certificate on the Gitlab server too.
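An added illustration (not from this thread, and not GitLab's own code) of why the `trusted_proxies` line matters: an application behind a reverse proxy should only believe `X-Forwarded-For` when the TCP peer is a proxy it trusts, otherwise anyone who can reach the backend directly could choose the address GitLab logs and rate-limits on. The function below implements the usual right-to-left resolution rule using the thread's proxy address, and generalizes it to accept CIDR ranges:

```python
import ipaddress
from typing import Iterable, Optional

# Constructed from the gitlab.rb above: the Apache reverse proxy at 172.16.1.50 is the
# only hop whose X-Forwarded-For header is believed.
TRUSTED_PROXIES = ("172.16.1.50",)


def _is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip falls inside any trusted address or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Resolve the real client address behind a chain of proxies.

    Rule (the common right-to-left walk, written here as an illustration, not
    GitLab's implementation): start at the TCP peer. If the peer is not a
    trusted proxy, X-Forwarded-For is unverifiable and is ignored. Otherwise
    scan the header from the right, skipping trusted hops, and return the first
    address that is not a trusted proxy: the last hop a trusted proxy vouched for.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr  # header empty or made up only of trusted proxies


if __name__ == "__main__":
    # Apache appends the connecting client to X-Forwarded-For, so a value the client
    # sent itself ends up to the left of the real address and is never selected.
    print(client_ip("172.16.1.50", "10.0.0.1, 203.0.113.7"))  # 203.0.113.7
    # A connection that bypasses the proxy gets its header ignored entirely.
    print(client_ip("198.51.100.9", "10.0.0.1"))              # 198.51.100.9
```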


#7

Thanks @xaner4


#8

I am reaching the gitlab server, which is of course behind the apache reverse proxy, but the directory is being shown.
For the gitlab server the DocumentRoot is:

/opt/gitlab/embedded/services/gitlab-rails/public

What is the correct DocumentRoot for the gitlab server?


#9

Is that DocumentRoot pointing to a place on the Apache server, or is apache installed on the gitlab server?


#10

x - client, computer on internet, user
y - reverse proxy
z - gitlab computer

x —> y —> z —>

or

    Client --> Reverse Proxy Server      ---------------------->  Gitlab Server

    x  --- >    y = < VirtualHost  *: 443 >  -------------------> z =   <VirtualHost * : 80>
                       ServerName y                                        ServerName x
                       ProxyPass / http:// z                               DocumentRoot ???????
                       ReverseProxyPass / http:// z                        ( other directives )
                     < / VirtualHost>                                  < / VirtualHost>

z = GitLab Server DocumentRoot: /opt/gitlab/embedded/service/gitlab-rails/public (???)

Apache runs on y = Reverse Proxy Server. The Reverse Proxy Server ProxyPass/ReverseProxyPass to z = GitLab Server. The GitLab Server serves up GitLab for x = client.

The DocumentRoot is pointing to a place on the GitLab Server running Apache.


#11

Hmmm, I don’t know the DocumentRoot to use on the “Z” host.

My setup is a little different:

A - Client
B - Apache reverse proxy
C - Nginx proxy (provided by the Gitlab-omnibus install in Docker)
D - Gitlab


#12

Thanks @xaner4. The set-up for the GitLab Server was found here:

The only modification I made was to copy /opt to where web services are served from and chown -R www-data:www-data opt.