Problem to solve
I am trying to enable the Pages feature of GitLab (17.1.0-ce.0). I have a private domain a.org and a public domain b.com; the private domain and private DNS are implemented using Windows. The public network is reverse-proxied to git.a.org by nginx deployed on the Windows service, by accessing git.b.com:8443. How do I configure nginx on a Windows server so that <repo_namespace>.pages.b.com can access Pages from GitLab correctly?
Steps to reproduce
I try to follow this document to configure my gitlab.rb
Configuration
/etc/gitlab/gitlab.rb configuration
# GitLab Pages Settings
gitlab_rails['pages_path'] = '/mnt/data/gitlab/pages'
# because the doc said the pages domain must not be a child domain of the GitLab domain, I use the public domain
pages_external_url "http://pages.b.com:8443"
gitlab_pages['enable'] = true
gitlab_pages['namespace_in_path'] = true
pages_nginx['enable'] = true
pages_nginx['listen_port'] = 81
pages_nginx['listen_https'] = false
pages_nginx['redirect_http_to_https'] = false
gitlab_pages['listen_proxy'] = "127.0.0.1:8090"
/var/opt/gitlab/nginx/conf/gitlab-pages.conf
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Experimental - Handle requests having namespace in path
## See https://gitlab.com/gitlab-org/gitlab/-/issues/211677
server {
  listen *:81;
  server_name ~^pages\.b\.com$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Disable symlink traversal
  disable_symlinks on;
  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=63072000 ";
  ## Individual nginx logs for this GitLab vhost
  access_log /mnt/data/gitlab/logs/gitlab-nginx/gitlab_pages_access.log gitlab_access;
  error_log /mnt/data/gitlab/logs/gitlab-nginx/gitlab_pages_error.log error;
  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;
  # In case of a unique domain URL, add a trailing '/' if it's missing
  location ~ ^/(?<namespace>[^/]+)$ {
    return 301 $scheme://$http_host$request_uri/;
  }
  # Pass when namespace in path to pages daemon after the rewrite
  location ~ ^/(?<namespace>[^/]+)/(?<project>.*)$ {
    ## Rewrite remove namespace from path
    rewrite ^/([^/]+)/(.*)$ /$2 break;
    ## Put namespace back in host from path
    proxy_set_header Host $1.$http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_set_header X-Gitlab-Namespace-In-Path $namespace;
    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
    # header.
    #
    # Browsers already respect this directive and Pages can handle the request
    # volume without help from NGINX.
    #
    # If this changes in the future, ensure `proxy_cache_key` is set to a value
    # like `$scheme$host$request_uri`, as the default value does not take the
    # Pages hostname into account, leading to incorrect responses being served.
    #
    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
    proxy_cache off;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:8090;
    ## Put namespace in path from host before sending it to the user
    proxy_redirect ~^http://([^/]*)\.(pages\.b\.com:8443)/(.*)$ http://$2/$1/$3;
    proxy_redirect ~^//([^/]*)\.(pages\.b\.com:8443)/(.*)$ http://$2/$1/$3;
    proxy_redirect ~^/(.*)$ http://pages\.b\.com:8443/$namespace/$1;
  }
}
server {
  listen *:81;
  server_name ~^(?<group>.*)\.pages\.b\.com$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Disable symlink traversal
  disable_symlinks on;
  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=63072000 ";
  ## Individual nginx logs for this GitLab vhost
  access_log /mnt/data/gitlab/logs/gitlab-nginx/gitlab_pages_access.log gitlab_access;
  error_log /mnt/data/gitlab/logs/gitlab-nginx/gitlab_pages_error.log error;
  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;
  # Pass everything to pages daemon when namespace in host
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_hide_header X-Gitlab-Namespace-In-Path;
    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
    # header.
    #
    # Browsers already respect this directive and Pages can handle the request
    # volume without help from NGINX.
    #
    # If this changes in the future, ensure `proxy_cache_key` is set to a value
    # like `$scheme$host$request_uri`, as the default value does not take the
    # Pages hostname into account, leading to incorrect responses being served.
    #
    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
    proxy_cache off;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:8090;
  }
}
/var/opt/gitlab/gitlab-pages/gitlab-pages-config
pages-domain=pages.b.com
pages-root=/mnt/data/gitlab/pages
api-secret-key=/var/opt/gitlab/gitlab-pages/.gitlab_pages_secret
listen-proxy=127.0.0.1:8090
log-format=json
use-http2=true
artifacts-server=http://git.a.org/api/v4
artifacts-server-timeout=10
gitlab-server=http://git.a.org
namespace-in-path=true
config of nginx in Windows Server
server {
  listen 80;
  server_name git.b.com;
  access_log logs/gitlab.access.log;
  error_log logs/gitlab.error.log;
  location / {
    proxy_pass http://git.a.org:80;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_redirect http://git.a.org/ /;
    client_max_body_size 250m;
  }
}
server {
  listen 80;
  server_name ~^pages\.b\.com$;
  charset utf-8;
  access_log logs/gitlab.pages.access.log;
  error_log logs/gitlab.pages.error.log;
  location / {
    proxy_pass http://172.16.0.9:81;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    client_max_body_size 250m;
  }
}
Versions
Please select whether options apply, and add the version information.
- [x] Self-managed
- GitLab.com SaaS
- GitLab (Web: /help or self-managed system information):
System information
System: Ubuntu 20.04
Current User: git
Using RVM: no
Ruby Version: 3.1.5p253
Gem Version: 3.5.11
Bundler Version:2.5.11
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version:7.1.6
Go Version: unknown
GitLab information
Version: 17.1.0
Revision: 35cd573d799
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL: http://git.a.org
HTTP Clone URL: http://git.a.org/some-group/some-project.git
SSH Clone URL: git@git.a.org:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.36.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 17.1.0
- default Git Version: 2.45.1
Helpful resources
If you need the full logs for detailed information, please contact me by email (info@orientalgames.cn) and I will reply with them as email attachments.