Gitlab CE behind Nginx Proxy Manager keep prompting git password

How to Use GitLab Self-managed
,
1

Problem to solve

I host a gitlab ce instance on my server. There is a nginx proxy manager to perform reverse proxy in front.

I’ve update the SSH port on the gitlab server. I’ve setup a stream on the reverse proxy to redirect the port to the SSH port of the gitlab server.

When I try to git clone a repository, it keep waiting for the git password:

Cloning into 'test'...
git@git.******.fr's password:

Here is the ssh configuration:

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

When I perform a ssh -p 2222 git@git.******.fr :

ssh -p 2222 git@git.******.fr
PTY allocation request failed on channel 0
Welcome to GitLab, @me!
Connection to git.******.fr closed.

If you have any idea how I can troubleshoot more. Feel free to suggest…

Versions

Please select whether options apply, and add the version information.

GitLab Community Edition v16.10.0

2

The Nginx proxy should only proxy http/80 and https/443 but not ssh/22 (or 2222 in your use case). Probably the portforwarding is configured through docker compose? Please share additional configuration, if yes.

I’m curious how this is implemented - it looks like as if that were the problem. The OpenSSH server knows about the port change, but does GitLab? How does the git clone URL look like which is offered in the GitLab repository view?

3

Hey,

Sorry for the late answer.

Gitlab instance is deploy with the omnibus version, not the docker compose one.
The Nginx Proxy Manager is deploy on another server with a docker compose and with a port forwarding
2222:2222 as it need it to stream the port the right way.

It looks the same as if the SSH port was on the 22: git@git.****.fr:group/test.git

4

I’m not sure if forwarding a different protocol works through the Nginx proxy, which supports HTTP to my knowledge. SSH is a different protocol and may need different proxy types (i.e. a SOCKS proxy).

Please share the configuration from the Nginx proxy and how it is deployed with docker compose.

So GitLab does not know that the default SSH port 22 was changed to 2222 on the GitLab server.

We had a similar discussion recently in Some questions about the GitLab - #15 by dnsmichi and the setting gitlab_shell_ssh_port - changing its value to 2222 should solve the git clone URL and use the correct port for cloning via SSH.

5

Hey @dnsmichi,

Nginx Proxy Manager does have a feature to forward port that work with a few protocole (SMTP, DNS)

I have setup a 2222 redirection on the Nginx Proxy Manager and added the right port in the configuration at the line gitlab_shell_ssh_port and it works now ! :fireworks:

Thank you for your help on this topic :slight_smile:

1 Like