Nginx as reverse proxy for GitLab with SSL?

I have GitLab’s nginx setup to listen at . Then I have a system nginx (installed via apt-get on Ubuntu) setup as reverse proxy with HTTPS:

upstream gitlab {
    server                    localhost:8088 fail_timeout=0;

server {
    listen          80;
    return          301 https://$server_name$request_uri;

# let gitlab deal with the redirection
server {
    listen                      443 ssl;
    server_name       ;

    ssl_certificate             /srv/www/;
    ssl_certificate_key         /srv/www/;

    location / {
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        Host              $http_host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header        X-Frame-Options   SAMEORIGIN;

        proxy_pass              http://gitlab;

This worked okay, and basically all requests are forwarded to HTTPS. However, because GitLab still thinks it’s running in HTTP, a few graphics resources on the page, and Gravatar are using HTTP scheme. How do I solve this problem?

Of course I understand that I can configure gitlab.rb to use an HTTPS URL. However when this is done, GitLab will start asking for certificates to setup its own nginx. I really only need its own nginx to run in HTTP, at local loopback.

1 Like

I feel like nobody has the same problem ?
Am i the only one to wish to have Gitlab and wep app installed on the same server ?

I’m using the following official file with success:

If you don’t have a separate nginx server running yet, you also COULD use the build-in nginx server provided by Gitlab itself.

Just in case anyone is still looking for an answer. I had the same issue, this -> fixed it.


@kthxbai you saved my day! For anyone googling: I’m using docker nginx-proxy ang gitlab and got too many redirects because both of them were redirecting to https

It requires the header X-Forwarded-Ssl: on.

@deskoh That’s right, this works also, but I understood the original requirement as ssl termination by reverse proxy in front of the gitlab (container).
Then @kthxbai s link is the correct answer. (But Your answer is more secure, also using https between proxy and gitlab (container))