Omnibus gitlab-ce behind nginx reverse proxy -- settings for Pages

How to Use GitLab
, ,
1

Hello. I think other users have this setup, and hopefully this post can document for others how to get it going!

I run an omnibus gitlab-ce behind an nginx reverse proxy that performs ssl termination but get 404 when attempting to route for Pages.

I have a wildcard cert for my domain, and I would like to use it.

I have active runners, and I have cloned the template for Jekyll, the pipe succeeds, and if I download the artifact I see inside the zip file an index.html

At this point, I can only assume my proxy/routing are bad, so if anyone can please help me fix them, here are my current settings:

external nginx proxy, conf file for pages:

upstream gitlab-pages {
    server gitlab_gitlab_1:8090;
}

server {
    listen 80;
    listen 443;

    server_name pages.ttr.services;

    ssl_certificate /certs/ttr.services/fullchain.pem;
    ssl_certificate_key /certs/ttr.services/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # This is too small for the places_service image.
    # client_max_body_size 1000M;
    #
    # Setting to 0 turns off checking (i.e. no limit)
    client_max_body_size 0;

    # following two lines needed for DNS propagation to work
#    resolver 127.0.0.11 ipv6=off valid=10s;
#    set $gitlab $gitlab-pages;

    location / {
        proxy_pass http://gitlab-pages;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

Here are all settings from gitlab.rb (some redactions, and replaced my tld to “acme.services” which my LE cert covers .acme.services and I do use it with docker.acme.services already )

external_url 'https://gitlab.acme.services'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'x'
gitlab_rails['gitlab_email_display_name'] = 'Gitlab'
gitlab_rails['gitlab_email_reply_to'] = 'x'
gitlab_rails['gitlab_email_subject_suffix'] = ''
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "x"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_domain'] = "x"
gitlab_rails['smtp_authentication'] = "none"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = false
gitlab_rails['incoming_email_enabled'] = true
gitlab_rails['incoming_email_address'] = "x"
gitlab_rails['incoming_email_email'] = "x"
gitlab_rails['incoming_email_password'] = "x"
gitlab_rails['incoming_email_host'] = "x"
gitlab_rails['incoming_email_port'] = 993
gitlab_rails['incoming_email_ssl'] = true
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  # LDAP SETTINGS - WORKS FINE
EOS
gitlab_rails['gitlab_shell_ssh_port'] = 2222
registry_external_url 'https://docker.acme.services'
 registry['log_level'] = "debug"
unicorn['worker_processes'] = 4
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/acme.services.crt"
nginx['listen_port'] = 80
nginx['listen_https'] = false
pages_external_url "http://pages.acme.services/"
gitlab_pages['enable'] = true
gitlab_pages['redirect_http'] = false
gitlab_pages['inplace_chroot'] = true
gitlab_pages['external_http'] = []
gitlab_pages['listen_proxy'] = "0.0.0.0:8090"
pages_nginx['enable'] = true
pages_nginx['listen_https'] = false
pages_nginx['redirect_http_to_https'] = false
 registry_nginx['enable'] = true
 registry_nginx['listen_port'] = 4567
prometheus['listen_address'] = '0.0.0.0:9090'
letsencrypt['enable'] = false

both gitlab and docker work fine behind the proxy.

Assuming someone comments that my non-Pages settings won’t affect things, I will remove them for clarity for later forum lurkers :smile:

I really appreciate any help!

Thanks

2

our working configuration for gitlab-cce on Ubuntu, behind Nginx is:

server {
    listen 80 ;
    server_name  git.<snip>;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/<snip>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<snip>/privkey.pem; # managed by Certbot
    #
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #
    # Redirect non-https traffic to https
    if ($scheme != "https") {
       return 301 https://$host$request_uri;
         } # managed by Certbot

    client_max_body_size 1024m;

    # individual nginx logs for this gitlab vhost
    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;
    #
    location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   Host      $host;
    proxy_pass         http://127.0.0.1:8888;
    #
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    #
    proxy_set_header        X-Forwarded-Proto    https;
#    proxy_set_header        Host                 $host;
#    proxy_set_header        X-Real-IP            $remote_addr;
    proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header        X-Frame-Options      SAMEORIGIN;
    proxy_set_header        X-Forwarded-Ssl      on;
    }
}

From gitlab.rb

external_url 'https://git.<snip>'
nginx['listen_port'] = 8888 # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
3

Thanks sdunt.

Mine is pretty similar, and my gitlab instance is working fine (as well as the docker repo) behind nginx – it’s just Pages that seems to be the problem.

Did you get pages setup and working?

4

We don’t use ‘pages’, plenty of other tools around, but in my reading through it, pages uses a separate IP address? that is distinct from the GitLab instance IP address?

That would imply 2 nginx configurations, one for pages and one for Gitlab itself.