Hello,
I am trying to host GitLab version 18.5.0-ce.0 with Docker on an Ubuntu 24.04.3 LTS server internally for my company. My problem is that there is some weird HTTPS redirection issue, where I am redirected to https://gitlab.example.com:80, instead of just https://gitlab.example.com (or https://gitlab.example.com:443). This redirection is configured in /var/opt/gitlab/nginx/conf/service_conf/gitlab-rails.conf in the docker container. Well, at least I think that is the issue based on my troubleshooting steps so far.
One of the ways to reproduce the problem is:
- Log in with the root (Admin) account
- Go to Admin settings
- Open any section and click save
- Now the page reloads, and you will get an HTTPS error in your browser saying that the secure site is not available and that the website most likely does not support HTTPS.
- Click the Go Back button and now HTTPS works again
I suppose the problem would be fixed if nginx is configured so that it redirects to https://gitlab.example.com instead of https://gitlab.example.com:80, but I am no expert in configuring nginx. As far as I know port 80 is used because it is set in /var/opt/gitlab/gitlab-rails/etc/gitlab.yml and /var/opt/gitlab/nginx/conf/service_conf/gitlab-rails.conf is generated by the template nginx-gitlab-rails.conf.erb with the parameters configured in nginx.rb.
This is my docker-compose.yaml:
```yaml
# For more info see
# * https://docs.gitlab.com/install/docker
# * https://github.com/danieleagle/gitlab-https-docker/blob/master/README.md
services:
  gitlab:
    container_name: gitlab
    # See https://hub.docker.com/r/gitlab/gitlab-ce
    image: gitlab/gitlab-ce:18.5.0-ce.0
    restart: unless-stopped
    hostname: 'gitlab.example.com'
    # Ensure that `docker compose up` does not create a new network,
    # but uses the existing `docker0` bridge instead.
    network_mode: bridge
    # See https://docs.gitlab.com/install/docker/troubleshooting/#devshm-mount-not-having-enough-space-in-docker-container
    shm_size: '512m'
    ports:
      - '80:80'
      - '443:443'
    environment:
      # If container needs internet access.
      http_proxy: "http://proxy.example.com:8080"
      https_proxy: "http://proxy.example.com:8080"
      no_proxy: "localhost,127.0.0.0/8,::1,127.0.0.1,10.*,example.com"
      # No need for this, we mount custom config file ./assets/gitlab.rb into container.
      # See volumes: section down below.
      #GITLAB_OMNIBUS_CONFIG: ...
    volumes:
      # Volumes exclusive to GitLab data.
      - '/mnt/gitlab-config:/etc/gitlab'
      - '/mnt/gitlab-log:/var/log/gitlab'
      - '/mnt/gitlab-data:/var/opt/gitlab'
      # See https://docs.gitlab.com/omnibus/settings/ssl/#install-custom-public-certificates
      # Mount host certificates into container as read-only.
      - '/etc/ssl/certs:/etc/ssl/certs:ro' # Maybe this is not needed?
      - '/etc/ca-certificates:/etc/ca-certificates:ro'
      - '/etc/ca-certificates.conf:/etc/ca-certificates.conf:ro'
      - '/usr/share/ca-certificates:/usr/share/ca-certificates:ro'
      - '/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro'
      # Self-signed HTTPS certificate for GitLab.
      - './assets/cert:/etc/gitlab/ssl:ro'
      # Configuration file for GitLab.
      - './assets/gitlab.rb:/etc/gitlab/gitlab.rb:ro'
```
This is ./assets/gitlab.rb:
```ruby
###
# General configurations.
###
gitlab_rails["time_zone"] = "Europe/Berlin"
# No need for direct SSH connection into container.
gitlab_sshd["enable"] = false
###
# Configure root account.
###
# Change the initial default admin password and shared runner registration tokens.
# **Only applicable on initial setup, changing these settings after database
# is created and seeded won't yield any change.**
gitlab_rails["initial_root_password"] = "..."
gitlab_rails["initial_shared_runners_registration_token"] = "..."
# Toggle if root password should be printed to STDOUT during initialization
gitlab_rails["display_initial_root_password"] = false
# Toggle if initial root password should be written to /etc/gitlab/initial_root_password
gitlab_rails["store_initial_root_password"] = false
###
# Configure support for self-signed/internal certificates.
###
# Tell container to use same system certificates as host.
#
# See https://docs.gitlab.com/omnibus/settings/ssl/
#
# See mounted volumes: section in docker-compose.yaml
gitlab_rails["env"] = {
  "SSL_CERT_FILE" => "/etc/ssl/certs/ca-certificates.crt",
  "SSL_CERT_DIR" => "/etc/ssl/certs"
}
###
# Configure self-signed gitlab.example.com certificate.
###
# See:
# * https://blog.programster.org/dockerized-gitlab-configure-ssl
# * https://docs.gitlab.com/omnibus/settings/ssl/#configure-https-manually
# * https://docs.gitlab.com/omnibus/settings/nginx/#enable-https
# * https://github.com/danieleagle/gitlab-https-docker/blob/master/README.md
#
# Also see the nginx http.conf template:
# https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-rails.conf.erb
external_url = "https://gitlab.example.com"
#gitlab_rails["gitlab_host"] = "gitlab.example.com"
#gitlab_rails["gitlab_port"] = 443
#gitlab_rails["gitlab_https"] = true
letsencrypt["enable"] = false
nginx["enable"] = true
nginx["redirect_http_to_https"] = true
nginx["listen_https"] = true
nginx["listen_addresses"] = ["*"]
# This is the port the HTTPS server listens on.
nginx["listen_port"] = 443
# This is the port the redirect server listens on.
# All requests received by this server are redirected
# to the HTTPS server.
nginx['redirect_http_to_https_port'] = 80
nginx["http2_enabled"] = true
nginx["gzip_enabled"] = true
nginx["client_max_body_size"] = "250m"
# **Defaults to forcing web browsers to always communicate using only HTTPS**
# Docs: https://docs.gitlab.com/omnibus/settings/ssl/#configure-the-http-strict-transport-security-hsts
nginx["hsts_max_age"] = 63072000
nginx["hsts_include_subdomains"] = false
# **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
nginx["ssl_protocols"] = "TLSv1.2 TLSv1.3"
# Self signed certificate with custom name.
#
# See mounted volumes: section in docker-compose.yaml
nginx["ssl_certificate"] = "/etc/gitlab/ssl/my_gitlab_cert.crt"
nginx["ssl_certificate_key"] = "/etc/gitlab/ssl/my_gitlab_cert.key"
###
# Configure authentication with Keycloak
###
# See https://docs.gitlab.com/integration/omniauth/?tab=Docker#configure-common-settings
gitlab_rails["omniauth_enabled"] = true
gitlab_rails["omniauth_allow_single_sign_on"] = ["openid_connect"]
# We control openid_connect (Keycloak) so no need to put "new"
# GitLab users in pending approval state.
gitlab_rails["omniauth_block_auto_created_users"] = false
gitlab_rails["omniauth_sync_email_from_provider"] = "openid_connect"
#gitlab_rails["omniauth_auto_sign_in_with_provider"] = "openid_connect"
gitlab_rails["omniauth_auto_link_user"] = true
# See https://docs.gitlab.com/integration/omniauth/?tab=Docker#keep-omniauth-user-profiles-up-to-date
gitlab_rails["omniauth_sync_profile_from_provider"] = ["openid_connect"]
gitlab_rails["omniauth_sync_profile_attributes"] = ["name", "email"]
# See https://docs.gitlab.com/administration/auth/oidc/#configure-keycloak
gitlab_rails["omniauth_providers"] = [
  {
    "name" => "openid_connect", # do not change this parameter
    "label" => "Keycloak", # optional label for login button, defaults to "Openid Connect"
    "args" => {
      "name" => "openid_connect",
      "scope" => ["openid", "profile", "email"],
      "response_type" => "code",
      "issuer" => "https://keycloak.example.com/auth/realms/companyrealm",
      "client_auth_method" => "query",
      "discovery" => true,
      "uid_field" => "preferred_username",
      "pkce" => true,
      # The client details in Keycloak.
      "client_options" => {
        "identifier" => "gitlab",
        "secret" => "...",
        "redirect_uri" => "https://gitlab.example.com/users/auth/openid_connect/callback"
      }
    }
  }
]
###
# Configure SMTP.
###
# See:
# * https://docs.gitlab.com/omnibus/settings/smtp/
gitlab_rails["smtp_enable"] = true
gitlab_rails["smtp_domain"] = "example.com"
gitlab_rails["smtp_address"] = "smtp.example.com"
gitlab_rails["smtp_port"] = 25
# https://docs.gitlab.com/omnibus/settings/smtp/#smtp-without-ssl
gitlab_rails["smtp_enable_starttls_auto"] = false
gitlab_rails["smtp_openssl_verify_mode"] = "none"
gitlab_rails["smtp_tls"] = false
gitlab_rails["smtp_force_ssl"] = false
gitlab_rails["smtp_ssl"] = false
# Our SMTP server has no authentication...
#gitlab_rails["smtp_authentication"] = "login"
#gitlab_rails["smtp_user_name"] = "smtp user"
#gitlab_rails["smtp_password"] = "smtp password"
# If your SMTP server does not like the default "From: gitlab@localhost" you
# can change the "From" with this setting.
gitlab_rails["gitlab_email_from"] = "gitlab@example.com"
gitlab_rails["gitlab_email_reply_to"] = "gitlab-noreply@example.com"
###
# Configure appearance.
###
### Default Theme
###! Available values:
###! `1` for Indigo
###! `2` for Dark
###! `3` for Light
###! `4` for Blue
###! `5` for Green
###! `6` for Light Indigo
###! `7` for Light Blue
###! `8` for Light Green
###! `9` for Red
###! `10` for Light Red
gitlab_rails["gitlab_default_theme"] = 7
### Default Color Mode
### Available values:
##! `1` for Light mode
##! `2` for Dark mode
##! `3` for Auto (follow system preferences)
gitlab_rails["gitlab_default_color_mode"] = 2
```
I also uploaded all relevant files to this public GitLab repo:
- docker-compose.yaml
- gitlab.rb (referenced as ./assets/gitlab.rb in docker-compose.yaml)
- /var/opt/gitlab/nginx/conf/service_conf/gitlab-rails.conf (from running docker container)
- /var/opt/gitlab/gitlab-rails/etc/gitlab.yml (from running docker container)
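
A check for the symptom described in this post, added here as an example (not part of the original post and not GitLab code): it audits redirect `Location` headers and flags a scheme paired with the other scheme's default port, such as `https://gitlab.example.com:80`. The request/response pairs are constructed samples, and `audit_redirect` and `audit_all` are hypothetical names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def audit_redirect(request_url, location):
    """Return findings for one redirect (request URL -> Location header value)."""
    req, loc = urlsplit(request_url), urlsplit(location)
    if not loc.scheme or not loc.netloc:
        return []  # relative redirect: scheme, host and port are inherited
    if loc.scheme not in DEFAULT_PORTS:
        return ["unexpected scheme %r" % loc.scheme]
    findings = []
    # An explicit port that is the *other* scheme's default (https on :80,
    # http on :443) sends the browser to a listener speaking the wrong protocol.
    for scheme, port in DEFAULT_PORTS.items():
        if loc.port == port and scheme != loc.scheme:
            findings.append("%s URL points at port %d, the default %s port"
                            % (loc.scheme, port, scheme))
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("redirect downgrades https to http")
    if loc.hostname != req.hostname:
        findings.append("host changes from %s to %s" % (req.hostname, loc.hostname))
    return findings

def audit_all(pairs):
    """Map each Location value that has findings to its list of findings."""
    report = {}
    for request_url, location in pairs:
        findings = audit_redirect(request_url, location)
        if findings:
            report[location] = findings
    return report

# Constructed samples (request URL, Location header); not captured traffic.
SAMPLES = [
    ("http://gitlab.example.com/", "https://gitlab.example.com/"),
    ("https://gitlab.example.com/admin/settings",
     "https://gitlab.example.com:80/admin/settings"),
    ("https://gitlab.example.com/", "/users/sign_in"),
]

if __name__ == "__main__":
    for location, findings in audit_all(SAMPLES).items():
        print(location, "->", "; ".join(findings))
```

Real input can be collected with `curl -sk -o /dev/null -D - <url>`, which prints the response headers including `Location`.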