GitLab Docker with Apache reverse proxy and SSL

I am trying to get the GitLab Docker image to run behind an Apache reverse proxy. Everything is fine without SSL. But as soon as I want to enable SSL within GitLab, I cannot reach GitLab anymore. My Apache reverse proxy conf redirects successfully to https, but then I am stuck. I tried a lot of things already, but either there is an error message in the browser complaining that the certificate is not for gitlab.mydomain.com but for someothersslvhost.mydomain.com, or it complains because it is kind of a self-signed certificate and not a Let's Encrypt certificate.

This is my docker-compose file:

version: '3'

services:
    gitlab:
        image: 'gitlab/gitlab-ce:latest'
        restart: always
        hostname: 'gitlab.mydomain.com'
        environment:
            GITLAB_OMNIBUS_CONFIG: |
                external_url 'https://gitlab.mydomain.com'
                gitlab_rails['time_zone'] = "UTC"
                gitlab_rails['gitlab_shell_ssh_port']=10022
                letsencrypt['contact_emails'] = ["my_email@mydomain.com"]
                nginx['redirect_http_to_https'] = true
                nginx['proxy_set_headers'] = {
                    "X-Forwarded-Proto" => "http",
                    "X-Forwarded-Ssl" => "on",
                    "X-Url-Scheme" => "https"
                }
        ports:
            - '10080:80'
            - '10443:443'
            - '10022:22'
        volumes:
            - '/srv/gitlab/config:/etc/gitlab'
            - '/srv/gitlab/logs:/var/log/gitlab'
            - '/srv/gitlab/data:/var/opt/gitlab'

This is my Apache vhost conf file for the non-SSL-vhost:

<VirtualHost *:80>
   ServerAdmin webmaster@mydomain.com
   ServerName gitlab.mydomain.com
   ErrorLog /var/log/apache2/gitlab-error.log
   CustomLog /var/log/apache2/gitlab-access.log combined
   RewriteEngine On

   <Location />
      Options -Indexes -ExecCGI +FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
   </Location>

   ProxyPreserveHost On
   ProxyRequests off
   ProxyPass / http://localhost:10080/
   ProxyPassReverse / http://localhost:10080/

</VirtualHost>

Question is: Do I need a special Apache vhost also for SSL, or is this handled by nginx inside the Docker container? If I need this file, what would it look like? If not, what am I missing in the docker-compose file?

Thanks so much for helping!

Did you ever figure this out? I am also doing the same on a server that has multiple Docker images and various sites with Apache 2.4.

Thanks!

Unfortunately not. I switched to a new server and decided to dockerize everything, and so I used nginx-proxy with GitLab instead of Apache.

Any update on this?

You can try this; it's working for me:

server {
    if ($host = gitlab.xxxx.xx) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name gitlab.xxxx.xx;
    return 404; # managed by Certbot
}
server {
    server_name gitlab.xxxx.xx;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/gitlab.xxxx.xx/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gitlab.xxxx.xx/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;
    location / {
        client_max_body_size 0;
        gzip off;
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;
        proxy_http_version 1.1;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}
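
The answer above ends TLS in a host nginx and proxies plain HTTP to GitLab. The same layout for the Apache 2.4 proxy from the original question, as an added example that is not from any poster in this thread. The certificate paths, log file names and the loopback port binding are assumptions; the hostname and port 10080 are taken from the question.

```apache
# Added example: TLS ends at Apache 2.4; GitLab's bundled nginx serves plain HTTP.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
#
# Matching GITLAB_OMNIBUS_CONFIG lines (Ruby, shown here as comments):
#   external_url 'https://gitlab.mydomain.com'   (links and clone URLs stay https)
#   nginx['listen_port'] = 80                    (bundled nginx: HTTP only)
#   nginx['listen_https'] = false
#   letsencrypt['enable'] = false                (the certificate lives on the host)
# Drop nginx['redirect_http_to_https']; the port 80 vhost below does the redirect.
# Compose port mapping, loopback only so the HTTP port is not reachable from outside:
#   - '127.0.0.1:10080:80'

<VirtualHost *:80>
   ServerName gitlab.mydomain.com
   # Send every plain-HTTP request to the TLS vhost
   Redirect permanent / https://gitlab.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
   ServerName gitlab.mydomain.com
   ErrorLog /var/log/apache2/gitlab-ssl-error.log
   CustomLog /var/log/apache2/gitlab-ssl-access.log combined

   SSLEngine on
   # Assumed certbot paths; the certificate must name gitlab.mydomain.com
   SSLCertificateFile    /etc/letsencrypt/live/gitlab.mydomain.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/gitlab.mydomain.com/privkey.pem

   ProxyRequests Off
   ProxyPreserveHost On
   # Keep %2F in project paths intact on the way to GitLab
   AllowEncodedSlashes NoDecode
   ProxyPass        / http://127.0.0.1:10080/ nocanon
   ProxyPassReverse / http://127.0.0.1:10080/

   # Tell GitLab the original request was HTTPS
   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Ssl "on"
</VirtualHost>
```

Without a *:443 vhost whose ServerName is the GitLab hostname, Apache answers HTTPS requests for it from another SSL vhost, which produces a certificate-name mismatch in the browser.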