GitLab behind reverse proxy to AzureAD

Hello,

I have a GitLab EE installation done via the recommended method (script) on a CentOS server. Since I already use Apache for serving other pages, I decided to put GitLab behind it using a reverse proxy. This is a common setup for me, and everything works fine up to this point. There is a certbot (Let's Encrypt) on the Apache side responsible for HTTPS, which also works as expected.

The interesting part comes here. I would like to connect my AzureAD with the GitLab installation. I have registered an app and put the correct data into the config file. So far so good.
The problem happens with the redirect URI. GitLab does not know that it is behind a proxy, so it sends the redirect URI as 'http://127.0.0.1/users/auth/azure_activedirectory_v2/callback', but it should send 'https://gitlab.mydomain.com/users/auth/azure_activedirectory_v2/callback'.

My question is, how do I configure GitLab so that it sends the "fixed" requests with the correct domain name, and not http://127.0.0.1, as it is configured to listen?

GitLab has set:
external_url 'http://127.0.0.1'
nginx['listen_addresses'] = ['127.0.0.1']
nginx['listen_port'] = 81
nginx['real_ip_trusted_addresses'] = ['127.0.0.1']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'

Apache config: [screenshot]

Azure error: [screenshot]

Any help is appreciated.

Kind regards,
Matej

You have configured GitLab to use 127.0.0.1 for its external_url as well as the nginx entries. That's not how it should be done, so it's unsurprising that it doesn't work.

Even if GitLab is behind a proxy, it should still use a valid DNS entry which goes via your Apache reverse proxy, be that https://gitlab.mydomain.com or http://gitlab.mydomain.com. Once you have these entries configured properly instead of using localhost/127.0.0.1, then it will work properly.

Hey, thanks for that input. As soon as I change external_url to https://gitlab.mydomain.com, I get an nginx error 400 - The plain HTTP request was sent to HTTPS port. I assume that when I put https in the external_url, nginx starts to listen for SSL traffic on port 81.

Are you familiar with any option to set external_url to https://gitlab.mydomain.com, but force nginx to listen on non-SSL HTTP?

Yeah, you need to look at the docs and ensure nginx is disabled: NGINX settings | GitLab

That particular section is geared for a proxy with nginx, but the main gitlab.rb changes ensure that the bundled nginx is disabled. Also, you need to look at what type of configuration you are doing between your reverse proxy and GitLab.

For example, if you want HTTPS to Apache, but then for everything else to go via HTTP, then you configure the external_url accordingly, so http://gitlab.mydomain.com instead of https. This is also known as SSL offload. This is also explained further down that first link; here is the direct link to that section: NGINX settings | GitLab

You might need to adapt a little bit of the documentation in terms of what configuration changes to make in Apache (if at all), or just ensure that GitLab is configured appropriately, so that it doesn't attempt to use the bundled nginx.


Thank you Ian! I managed to set external_url with HTTPS, and set nginx to listen on HTTP.
Here is the working configuration, in case anyone else faces this issue in the future.

→ Apache reverse proxy is set to http 127.0.0.1:81
→ gitlab.rb config:

external_url 'https://gitlab.mydomain.com'

gitlab_rails['trusted_proxies'] = ['127.0.0.1']

nginx['listen_addresses'] = ['127.0.0.1']
nginx['listen_port'] = 81
nginx['listen_https'] = false
nginx['real_ip_trusted_addresses'] = ['127.0.0.1']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'

letsencrypt['enable'] = false
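The Apache side of this setup only survives as a screenshot in the original post. The following is an added example (not the poster's own configuration) of an Apache 2.4 virtual host that pairs with the gitlab.rb above: it terminates TLS with the certbot certificate and proxies to GitLab's bundled nginx on plain HTTP at 127.0.0.1:81. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are enabled; the certificate paths are placeholders for whatever certbot issued on your host.

```apache
# Added example, not from the original post: Apache 2.4 reverse proxy in
# front of GitLab with SSL offload. Pairs with:
#   external_url 'https://gitlab.mydomain.com'
#   nginx['listen_addresses'] = ['127.0.0.1'], nginx['listen_port'] = 81,
#   nginx['listen_https'] = false, gitlab_rails['trusted_proxies'] = ['127.0.0.1']

<VirtualHost *:80>
    ServerName gitlab.mydomain.com
    # Everything goes to HTTPS. The OAuth callback must arrive over TLS so the
    # redirect URI GitLab builds matches the https:// one registered in Azure AD.
    Redirect permanent / https://gitlab.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName gitlab.mydomain.com

    SSLEngine on
    # Placeholder paths: use the files certbot issued for your domain.
    SSLCertificateFile    /etc/letsencrypt/live/gitlab.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gitlab.mydomain.com/privkey.pem

    # Forward the original Host header so GitLab sees gitlab.mydomain.com,
    # not 127.0.0.1, when it builds absolute URLs such as the OAuth redirect URI.
    ProxyPreserveHost On
    ProxyRequests Off

    # Use "set", not "append": Apache overwrites any scheme headers a client
    # sent, so only the proxy decides whether the request was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl "on"
    # mod_proxy_http adds X-Forwarded-For itself. GitLab honours it only because
    # 127.0.0.1 is listed in trusted_proxies / real_ip_trusted_addresses.

    # GitLab's nginx listens on plain HTTP on loopback port 81.
    ProxyPass        / http://127.0.0.1:81/ timeout=300
    ProxyPassReverse / http://127.0.0.1:81/

    # Allow large pushes and LFS uploads through the proxy.
    LimitRequestBody 0
</VirtualHost>
```

Two points worth keeping in mind when adapting this. First, `trusted_proxies` and `real_ip_trusted_addresses` are the allow-list for whose `X-Forwarded-*` headers GitLab believes; with Apache on the same host, `127.0.0.1` is exactly right, and if Apache ever moves to another machine its address replaces (not joins) the loopback entry and nginx's `listen_addresses` should bind to an internal interface rather than `0.0.0.0`. Second, port 81 must stay unreachable from outside the host: anything that can talk to it directly can present arbitrary `X-Forwarded-For` values that nginx will treat as the client address.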