GitLab behind reverse proxy to AzureAD


I have a GitLab EE installation done via the recommended method (script) on a CentOS server. Since I already use Apache for serving other pages, I decided to put GitLab behind it using a reverse proxy. This is a common setup for me, and everything works fine until here. There is a certbot (letsencrypt) on the Apache responsible for https, which also works as expected.

The interesting part comes here. I would like to connect my AzureAD with the GitLab installation. I have registered the app and put the correct data in the config file. So far so good.
Problem happens with redirect URI. GitLab does not know that it is behind proxy, so it sends the redirect URI as ', but it should send

My question is, how to configure GitLab that it will send the “fixed” requests with correct domain name, and not http, as it is configured to listen.

GitLab has set:
external_url '
nginx['listen_addresses'] = ['']
nginx['listen_port'] = 81
nginx['real_ip_trusted_addresses'] = ['']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'

Apache config:

Azure error:

Any help is appreciated.

Kind regards,

You have configured gitlab to use for its external_url as well as the nginx entries. That’s not how it should be done, so it’s unsurprising that it doesn’t work.

Even if Gitlab is behind a proxy, it should still use a valid DNS entry which goes via your Apache reverse proxy. Be that or Once you have these entries configured properly instead of using localhost/ then it will work properly.

Hey, thanks for that input. As soon as I change external_url to the, I get an nginx error 400 - The plain HTTP request was sent to HTTPS port. I assume that when I put https to the external_url, nginx starts to listen to the SSL traffic on port 81.

Are you familiar with any option to set external_url to, but force nginx to listen to non-ssl http?

Yeah, you need to look at the docs and ensure nginx is disabled: NGINX settings | GitLab

That particular section is geared for a proxy with nginx, but the main gitlab.rb changes ensure that the bundled nginx is disabled. Also, you need to look at what type of configuration you are doing between your reverse proxy and Gitlab.

For example, if you want HTTPS to Apache, but then for everything else to go via HTTP, then you configure the external_url accordingly, so instead of https. This is also known as SSL offload. This is also explained further down that first link, here is the direct link to that section: NGINX settings | GitLab

You might need to adapt a little bit of the documentation in terms of what configuration changes to make in Apache (if at all), or just ensure that Gitlab is configured appropriately, so that it doesn’t attempt to use the bundled nginx.


Thank you Ian! I managed to set external_url with HTTPS, and set nginx to listen at HTTP.
Here is the working configuration, if anyone else faces this issue in the future.

→ Apache reverse proxy is set to http
→ gitlab.rb config:

external_url ''

gitlab_rails['trusted_proxies'] = ['']

nginx['listen_addresses'] = ['']
nginx['listen_port'] = 81
nginx['listen_https'] = false
nginx['real_ip_trusted_addresses'] = ['']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'

letsencrypt['enable'] = false
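
The `real_ip_trusted_addresses`, `real_ip_header` and `real_ip_recursive` settings in the configuration above decide which address GitLab logs and rate-limits as the client. The following Ruby sketch is an added example, not part of the thread or of GitLab's code: it models the nginx realip lookup so the effect of the trusted list can be checked. The function names and all addresses are constructed for illustration (the thread's own addresses are not shown).

```ruby
require 'ipaddr'

# True if ip falls inside any trusted CIDR; unparseable values are never trusted.
def trusted_ip?(ip, trusted_nets)
  addr = IPAddr.new(ip)
  trusted_nets.any? { |net| net.include?(addr) }
rescue IPAddr::Error
  false
end

# Hypothetical model of nginx realip with real_ip_header = X-Forwarded-For.
# peer          - address of the TCP connection nginx actually sees
# xff_header    - raw X-Forwarded-For value ("a, b, c"), leftmost = oldest hop
# trusted_cidrs - what would go into real_ip_trusted_addresses
def resolve_client_ip(peer, xff_header, trusted_cidrs, recursive: true)
  nets = trusted_cidrs.map { |c| IPAddr.new(c) }

  # The header is honoured only when the peer itself is a trusted proxy,
  # so anyone reaching port 81 directly cannot choose their own address.
  return peer unless trusted_ip?(peer, nets)

  hops = xff_header.to_s.split(',').map(&:strip).reject(&:empty?)
  return peer if hops.empty?

  # Non-recursive: take the last entry (the one the nearest proxy appended).
  return hops.last unless recursive

  # Recursive: walk right to left, skipping trusted proxies; the first
  # untrusted entry is the client. Entries further left are client-supplied.
  hops.reverse_each { |ip| return ip unless trusted_ip?(ip, nets) }
  hops.first
end

# Constructed sample: Apache on 127.0.0.1 appends the real client 203.0.113.7
# to a header in which the client had already planted 198.51.100.9.
SPOOFED_XFF = '198.51.100.9, 203.0.113.7'

if __FILE__ == $PROGRAM_NAME
  puts resolve_client_ip('127.0.0.1', SPOOFED_XFF, ['127.0.0.1'])  # proxy only
  puts resolve_client_ip('127.0.0.1', SPOOFED_XFF, ['0.0.0.0/0'])  # overbroad
end
```

With only the proxy trusted, the planted entry is ignored; with an overbroad trusted range, the client-supplied entry becomes the recorded address, which is why the list should contain only the reverse proxy.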