Gitlab Docker uses HTTPS despite being disabled

Problem to solve

I’m trying to run GitLab as a Docker container behind a reverse proxy. However, the container keeps trying to use HTTPS, regardless of me disabling it.

I shouldn’t be seeing this, given that I have HTTPS disabled for NGINX:
gitlab  | ==> /var/log/gitlab/nginx/error.log <==
gitlab  | 2024/11/04 19:30:54 [emerg] 2038#0: cannot load certificate "/etc/gitlab/ssl/gitlab.example.com.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/gitlab.example.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Configuration

I’m trying to run this in docker compose, with the following configuration:

services:
  gitlab:
    image: gitlab/gitlab-ce
    container_name: gitlab
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url = 'https://gitlab.example.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
        nginx['listen_port'] = 80
        nginx['listen_https'] = "false"
        nginx['real_ip_trusted_addresses'] = ['reverse_proxy_ip']
        nginx['real_ip_header'] = 'X-Forwarded-For'
        nginx['real_ip_recursive'] = 'on'
        letsencrypt['enable'] = false
        letsencrypt['auto_renew'] = false
    ports:
      - '80:80' # HTTP Port
      - '2424:22' # SSH Port
    volumes:
      - './gitlab_data/config:/etc/gitlab'
      - './gitlab_data/logs:/var/log/gitlab'
      - './gitlab_data/data:/var/opt/gitlab'
    shm_size: '256m'

I have a Caddy instance on another machine that should reverse proxy “gitlab.example.com” to “local_ip:80”. However, I have not touched that yet, as port 80 seems to either use HTTPS, or the web server just doesn’t start due to missing certificates.

Versions

  • GitLab (Web: /help or self-managed system information sudo gitlab-rake gitlab:env:info): 17.3.6-ce.0

external_url is the URL that the GitLab application will direct traffic to.

In your case, I see you have:

external_url = 'https://gitlab.example.com'

If you don’t want to use HTTPS, you should change https:// to http://

So I do use https, but it’s managed by the reverse proxy, not NGINX, hence why I have listen_https set to false. In my case, it should talk to localhost on port 80, on http, and usually connections should come in on “https://gitlab.example.com”, which are forwarded by the reverse proxy to my http port.

EDIT: My original post seems to have been flagged for spam due to “the community feel[ing that] it is an advertisement”, not really sure why.

After implementing the change of using http instead of https in the external url field, the container still seems to look for https certificates to use, which don’t exist.

Hey, @gitlab-greg, I have the exact same issue as plenty of other people, I think, but a solution seems nowhere to be found. I also have a reverse proxy, working perfectly fine, and GitLab requires the external_address. Once you provide the https:// address, it seemingly starts doing weird things, which break the GitLab instance. What config options must we set for GitLab to just take the https URL as external_url, without beginning to run differently than it did before with the plain http URL, which is only for the nginx proxy?

I’m not sure of the intended method to do this, but I completely removed the external_url parameter from my docker compose environment variables, and instead directly modified my gitlab.rb config from within my mapped volume. As the docs suggest, I disabled the nginx['listen_https'] directive, and set the nginx listen port to 80. My external_url within the gitlab.rb file has the prefix https://, and this setup seems to work just fine for me.

Found it, finally.

My listen_port didn’t correspond to the one I was using in my Docker container running GitLab (however, GitLab was aware of that one). So while having this in Docker:
$ docker ps --filter "name=gitlab"

gitlab/gitlab-ee:latest   0.0.0.0:8088->8088/tcp, :::8088->8088/tcp, 0.0.0.0:2424->22/tcp, :::2424->22/tcp, 0.0.0.0:4434->443/tcp, :::4434->443/tcp   gitlab

These are the settings that got it working for me:

external_url 'https://<myUrl>' # my HTTPS URL, with SSL handled by the reverse proxy
gitlab_rails['gitlab_shell_ssh_port'] = 2022 # forwarded by the reverse proxy
gitlab_rails['gitlab_ssh_host'] = 'ssh.<myUrl>' # forwarded by the reverse proxy
nginx['listen_port'] = 8088 # the port from Docker
nginx['listen_https'] = false # disable HTTPS in the bundled NGINX
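
The two configurations in this thread differ in ways that are easy to miss by eye. The following is an added example (not code from any poster or from GitLab) that lints an Omnibus config snippet for three of them: `external_url` written as an assignment instead of the call form used in the working config, a boolean given as a quoted string (every Ruby String is truthy), and an NGINX listen port that is not one of the container's ports. `lint_omnibus_config` and its `container_ports` parameter are hypothetical names, and the sample snippets are constructed from the configs quoted above.

```ruby
# Added example: lint a gitlab.rb / GITLAB_OMNIBUS_CONFIG snippet.
# The file is evaluated as Ruby, so Ruby semantics apply to every line.

# Constructed samples, abridged from the two configurations in the thread.
FIRST_POST = <<~'RB'
  external_url = 'https://gitlab.example.com'
  nginx['listen_port'] = 80
  nginx['listen_https'] = "false"
RB

WORKING = <<~'RB'
  external_url 'https://<myUrl>'
  nginx['listen_port'] = 8088
  nginx['listen_https'] = false
RB

# Returns [line_number, message] pairs. container_ports (hypothetical
# parameter) lists the container-side ports from `docker ps`.
def lint_omnibus_config(text, container_ports: [])
  findings = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.sub(/\s+#.*$/, '').strip # drop trailing Ruby comments
    # `external_url = '...'` only assigns a local variable; the setting
    # is applied by calling external_url '...' with no equals sign.
    if line.match?(/\Aexternal_url\s*=/)
      findings << [n, "external_url is assigned, not called"]
    end
    # A quoted "true"/"false" is a String, and every String is truthy.
    if (m = line.match(/\A(\w+\['\w+'\])\s*=\s*["'](true|false)["']\z/))
      findings << [n, "#{m[1]} is the String #{m[2].inspect}; use #{m[2]}"]
    end
    # The listen port must be one the container actually exposes.
    if (m = line.match(/\Anginx\['listen_port'\]\s*=\s*(\d+)\z/))
      port = m[1].to_i
      unless container_ports.empty? || container_ports.include?(port)
        findings << [n, "listen_port #{port} not in #{container_ports}"]
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'first post' => [FIRST_POST, [80, 22]],
    'working'    => [WORKING, [8088, 22, 443]] }.each do |name, (cfg, ports)|
    found = lint_omnibus_config(cfg, container_ports: ports)
    puts "#{name}: #{found.empty? ? 'no findings' : found.inspect}"
  end
end
```

Run against the effective `/etc/gitlab/gitlab.rb` in the mapped volume as well as the compose environment block, since the thread shows settings living in either place.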