Hello,
I have a GitLab EE installation done via the recommended method (script) on a CentOS server. Since I already use Apache for serving other pages, I decided to put GitLab behind it using a reverse proxy. This is a common setup for me, and everything works fine until here. There is a certbot (Let's Encrypt) on the Apache responsible for HTTPS, which also works as expected.
Interesting part comes here. I would like to connect my AzureAD with GitLab installation. I have registered app and put the correct data to config file. So far so good.
Problem happens with redirect URI. GitLab does not know that it is behind proxy, so it sends the redirect URI as 'http://127.0.0.1/users/auth/azure_activedirectory_v2/callback', but it should send https://gitlab.mydomain.com/users/auth/azure_activedirectory_v2/callback.
My question is, how to configure GitLab that it will send the "fixed" requests with correct domain name, and not 127.0.0.1 http, as it is configured to listen.
GitLab has set:
external_url 'http://127.0.0.1'
nginx['listen_addresses'] = ['127.0.0.1']
nginx['listen_port'] = 81
nginx['real_ip_trusted_addresses'] = ['127.0.0.1']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'
Apache config:
Azure error:
Any help is appreciated.
Kind regards,
Matej
You have configured GitLab to use 127.0.0.1 for its external_url as well as the nginx entries. That's not how it should be done, so it's unsurprising that it doesn't work.
Even if Gitlab is behind a proxy, it should still use a valid DNS entry which goes via your Apache reverse proxy. Be that https://gitlab.mydomain.com or http://gitlab.mydomain.com. Once you have these entries configured properly instead of using localhost/127.0.0.1 then it will work properly.
Hey, thanks for that input. As soon as I change external_url to https://gitlab.mydomain.com, I get an nginx error 400 - The plain HTTP request was sent to HTTPS port. I assume that when I put https in the external_url, nginx starts to listen for SSL traffic on port 81.
Are you familiar with any option to set external_url to https://gitlab.mydomain.com, but force nginx to listen to non-ssl http?
Yeah, you need to look at the docs and ensure nginx is disabled: NGINX settings | GitLab
That particular section is geared for a proxy with nginx, but the main gitlab.rb changes ensure that the bundled nginx is disabled. Also, you need to look at what type of configuration you are doing between your reverse proxy and GitLab.
For example, if you want HTTPS to Apache, but then for everything else to go via HTTP, then you configure the external_url accordingly, so http://gitlab.mydomain.com instead of https. This is also known as SSL offload. This is also explained further down that first link, here is the direct link to that section: NGINX settings | GitLab
You might need to adapt a little bit of the documentation in terms of what configuration changes to make in Apache (if at all), or just ensure that GitLab is configured appropriately, so that it doesn't attempt to use the bundled nginx.
Thank you Ian! I managed to set external_url with HTTPS, and set nginx to listen at HTTP.
Here is the working configuration, if anyone else faces this issue in the future.
- Apache reverse proxy is set to http 127.0.0.1:81
- gitlab.rb config:
external_url 'https://gitlab.mydomain.com'
gitlab_rails['trusted_proxies'] = ['127.0.0.1']
nginx['listen_addresses'] = ['127.0.0.1']
nginx['listen_port'] = 81
nginx['listen_https'] = false
nginx['real_ip_trusted_addresses'] = ['127.0.0.1']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'
letsencrypt['enable'] = false
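
For reference, an Apache virtual host that matches the gitlab.rb above, added here as an example and not taken from the original posts (the thread's own Apache config was not included). The certificate paths are placeholders, and the block assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
<VirtualHost *:443>
    ServerName gitlab.mydomain.com

    # TLS terminates here; certbot normally manages these two lines.
    # Paths below are placeholders, not values from the thread.
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Act only as a reverse proxy, never as an open forward proxy.
    ProxyRequests Off

    # Pass the original Host header (gitlab.mydomain.com) to the backend
    # instead of 127.0.0.1:81.
    ProxyPreserveHost On

    # GitLab uses encoded slashes in some URLs (for example namespaced
    # project paths in the API); do not decode or rewrite them.
    AllowEncodedSlashes NoDecode

    # Tell GitLab the client connection was HTTPS. "set" overwrites any
    # value supplied by the client, so the header cannot be spoofed from
    # outside.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl on

    # Backend is the bundled nginx on plain HTTP, as in
    # nginx['listen_addresses'], nginx['listen_port'] and
    # nginx['listen_https'] = false.
    ProxyPass        / http://127.0.0.1:81/ nocanon
    ProxyPassReverse / http://127.0.0.1:81/
</VirtualHost>
```

mod_proxy appends the connecting client's address to X-Forwarded-For on its own, which is the header the `real_ip_*` settings read. Because only 127.0.0.1 is listed as a trusted proxy, the bundled nginx should stay bound to 127.0.0.1 so nothing other than Apache can reach port 81 and supply that header.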