GitLab Pages domain serving GitLab repositories - wildcard domain support

(redirected from https://gitlab.com/gitlab-org/gitlab/issues/37432)

We have set up GitLab Pages (Omnibus) according to https://docs.gitlab.com/ce/administration/pages/#wildcard-domains-with-tls-support

With this setup (see below for the gitlab.rb), GitLab itself (i.e. the repositories) is served both through https://git.embl.de as well as https://embl-community.io. How do I ensure embl-community.io only serves the GitLab Pages and not GitLab?

Due to the TLS setup, the browser does warn about embl-community.io presenting the wrong certificate (from git.embl.de), but I feel it shouldn’t forward or listen on this address at all.

gitlab.rb:

external_url "https://git.embl.de"
pages_external_url "https://embl-community.io/"
gitlab_pages['access_control'] = true
pages_nginx['redirect_http_to_https'] = true
pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/combined.pem"
pages_nginx['ssl_certificate_key'] = "/etc/ssl/private/pages.key"

Hi,

git.embl.de and embl-community.io are two different domains; wildcard support only works for subdomains in this regard. You’ll need to create and sign a SAN certificate for multiple domains. That can be seen with populating the CN in the certificate subject.

Let’s Encrypt, for example, supports that; you’d only need to pass multiple domains with the -d flag. The question is how your certificate is generated/signed.

Cheers,
Michael

Thanks for the answer, however I’m a bit confused. embl-community.io is supporting the subdomains and the certificate is valid for e.g. https://stamper.embl-community.io/horsing-around/
We have another single domain certificate for git.embl.de.
To me this is how things are described in the docs incl. respecting the notion of “Note: You should not use the GitLab domain to serve user pages.”
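
The certificate-name question discussed in this thread, as an added example that is not part of any post and not GitLab's code: it applies RFC 6125-style dNSName matching to show which hostnames a wildcard, a single-domain and a multi-domain SAN certificate would cover. The SAN lists are constructed for illustration and are assumptions, not the contents of the real certificates.

```python
# Added example: which hostnames does each certificate's SAN list cover?
# All SAN lists below are constructed, not read from the site's certificates.

def san_matches(pattern: str, host: str) -> bool:
    """Return True if one dNSName SAN entry covers `host`."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard must be the whole leftmost label and needs at least
        # two fixed labels after it ("*.io" is refused).
        if len(p) < 3 or not h[0]:
            return False
        return p[1:] == h[1:]
    return p == h  # partial wildcards such as "f*.x.y" are treated as literals


def coverage_report(certs: dict, hosts: list) -> dict:
    """Map each hostname to the names of the certificates that cover it."""
    return {
        host: [name for name, sans in certs.items()
               if any(san_matches(s, host) for s in sans)]
        for host in hosts
    }


CERTS = {  # constructed sample certificates
    "pages-wildcard": ["*.embl-community.io"],
    "gitlab-single": ["git.embl.de"],
    "multi-san": ["git.embl.de", "embl-community.io", "*.embl-community.io"],
}
HOSTS = [
    "git.embl.de",
    "embl-community.io",            # bare domain: no wildcard covers it
    "stamper.embl-community.io",
    "a.b.embl-community.io",        # two labels deep: no wildcard covers it
]

if __name__ == "__main__":
    for host, names in coverage_report(CERTS, HOSTS).items():
        print(f"{host:28} covered by: {', '.join(names) or 'NONE'}")
```

With these sample lists the bare embl-community.io name is covered only by the multi-domain certificate, which is consistent with the browser warning reported in the first post.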