Https Configuration

So my current setup is that gitlab is configured on http and connected to a reverse proxy on a separate VM, and the reverse proxy is connected via https.

Currently my friends asked me if I can reconfigure it to https, because if they want to clone it uses my internal ip rather than the domain name.

I assume this is the ‘external-url’ setting in the configuration file. However, I have tried this in the past and got errors when reconfiguring it.
I assume to keep the same setup I leave the httptohttps redirect on false?

Are there other settings I’m missing?

Second question: I see that when creating repositories and pipelines, sometimes bot accounts are created internally by gitlab. Is there some guide or documentation available on when they are created and with what purpose?

For bot accounts, or internal users, see: Internal users | GitLab

For Gitlab behind a reverse proxy, see the docs: NGINX settings | GitLab, since that will help out with a lot of what you are doing. If you have DNS configured, there is no reason to use an IP address to clone. That doesn’t make sense. Just use the DNS entry. That’s what DNS is for, so that you don’t have to use IP. I would say no if someone asked me this for my Gitlab server, and tell them to use the DNS entry.

That was my first change: I changed the external-url to my domain instead of the local IP and then reconfigured, but it finished with errors and then rolled back.

The documentation explains the additional configuration needed if you are behind a reverse proxy. Just changing external_url isn’t going to do it.

Well, let’s say I’m halfway there except for one thing I don’t understand.
So just to make things clear: my gitlab has the built-in nginx enabled, and the reverse proxy is just forwarding.

I put the external url to https://external-domain (this is the domain you use to go to the reverse proxy)
httptohttpsredirect = false
httptohttpsredirect-port = 80
listen_port = 80.
Reconfiguration succeeded; however, going to the local IP as well as the external domain gives me "plain http request sent to https", which is kind of weird to me since I put the redirection to false.

Found the solution, thanks.

From what I remember when I did this:

external_url 'https://gitlab.example.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false

No SSL config is in gitlab.rb, because all SSL will go via the nginx reverse proxy that you have separate from Gitlab. The connection between nginx and gitlab will be http (even though external_url says https).

The other redirect stuff is not needed.

Yes, true, that was my mistake. Locally it works, externally not, but I may have to change the config in the reverse proxy for that.

Internally and externally they should use the same URL anyway, and both should go via the nginx proxy. No direct connections should be made to Gitlab.

I use a direct connection because I host everything at home, so I guess it would be useless to use an external domain if I can use the internal domain from my internal DNS, but both should work. I don’t know what happens if I try to connect to the external domain when I’m internally connected: does the home router directly redirect, or does it go to the ISP and come back?

Even internally, if you have both the nginx and gitlab at home, all your internal connections via http/https should go via nginx and not direct to Gitlab. So your internal DNS should point to nginx for everything and nginx redirects to Gitlab.

For external connections, your router should redirect incoming http/https to the internal nginx server, which then redirects to gitlab.

Otherwise, just use the internal nginx and drop using the external nginx with reverse proxy config. That way is far simpler, and everything goes direct to the Gitlab server.

Yeah, that’s a good one. I use the reverse proxy as an extra security layer, but it doesn’t seem to work after the reconfiguring, because my reverse proxy always seems to forward to https://gitlab instead of http, even though the redirect was set to false :frowning:

Most likely the proxy redirect in nginx is incorrectly configured, since this should be redirecting to http://gitlab instead. Check the nginx config with the Gitlab docs to ensure this.
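
For reference alongside the replies above, an added example (not posted by anyone in the thread, and not taken from GitLab's documentation) of a separate NGINX reverse proxy that terminates TLS and forwards plain HTTP to GitLab, matching the gitlab.rb settings quoted earlier. The backend address 192.0.2.10, the upstream name and the certificate paths are placeholders; gitlab.example.com is the example hostname used in the thread.

```nginx
# Added example: TLS-terminating reverse proxy in front of GitLab.
# Assumptions: 192.0.2.10 stands in for the GitLab VM, and the
# certificate paths below are placeholders.

upstream gitlab_backend {
    # Plain HTTP to GitLab's bundled NGINX, matching
    # nginx['listen_port'] = 80 and nginx['listen_https'] = false.
    server 192.0.2.10:80;
}

server {
    listen 80;
    server_name gitlab.example.com;
    # The HTTP-to-HTTPS redirect is done here on the proxy,
    # not in gitlab.rb.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;

    ssl_certificate     /etc/nginx/tls/gitlab.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/gitlab.example.com.key;  # placeholder

    location / {
        # http://, not https://: the backend does not speak TLS on port 80.
        proxy_pass http://gitlab_backend;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell GitLab the client connection was HTTPS, so the links and
        # redirects it generates use https://.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl   on;
    }
}
```

When external_url starts with https and nginx['listen_https'] is not set to false, the bundled NGINX expects TLS on its listen port, which is what produces the "plain HTTP request was sent to HTTPS port" response when the proxy or a browser speaks plain HTTP to it.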