Omnibus gitlab-ce behind nginx reverse proxy -- settings for Pages

Hello. I think other users have this setup, and hopefully this post can document for others how to get it going!

I run an omnibus gitlab-ce behind an nginx reverse proxy that performs ssl termination but get 404 when attempting to route for Pages.

I have a wildcard cert for my domain, and I would like to use it.

I have active runners, and I have cloned the template for Jekyll, the pipe succeeds, and if I download the artifact I see inside the zip file an index.html

At this point, I can only assume my proxy/routing are bad, so if anyone can please help me fix them, here are my current settings:

external nginx proxy, conf file for pages:

upstream gitlab-pages {
    server gitlab_gitlab_1:8090;

server {
    listen 80;
    listen 443;


    ssl_certificate /certs/;
    ssl_certificate_key /certs/;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # This is too small for the places_service image.
    # client_max_body_size 1000M;
    # Setting to 0 turns off checking (i.e. no limit)
    client_max_body_size 0;

    # following two lines needed for DNS propagation to work
#    resolver ipv6=off valid=10s;
#    set $gitlab $gitlab-pages;

    location / {
        proxy_pass http://gitlab-pages;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;

Here are all settings from gitlab.rb (some redactions, and replaced my tld to “” which my LE cert covers and I do use it with already )

external_url ''
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'x'
gitlab_rails['gitlab_email_display_name'] = 'Gitlab'
gitlab_rails['gitlab_email_reply_to'] = 'x'
gitlab_rails['gitlab_email_subject_suffix'] = ''
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "x"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_domain'] = "x"
gitlab_rails['smtp_authentication'] = "none"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = false
gitlab_rails['incoming_email_enabled'] = true
gitlab_rails['incoming_email_address'] = "x"
gitlab_rails['incoming_email_email'] = "x"
gitlab_rails['incoming_email_password'] = "x"
gitlab_rails['incoming_email_host'] = "x"
gitlab_rails['incoming_email_port'] = 993
gitlab_rails['incoming_email_ssl'] = true
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
gitlab_rails['gitlab_shell_ssh_port'] = 2222
registry_external_url ''
 registry['log_level'] = "debug"
unicorn['worker_processes'] = 4
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/"
nginx['listen_port'] = 80
nginx['listen_https'] = false
pages_external_url ""
gitlab_pages['enable'] = true
gitlab_pages['redirect_http'] = false
gitlab_pages['inplace_chroot'] = true
gitlab_pages['external_http'] = []
gitlab_pages['listen_proxy'] = ""
pages_nginx['enable'] = true
pages_nginx['listen_https'] = false
pages_nginx['redirect_http_to_https'] = false
 registry_nginx['enable'] = true
 registry_nginx['listen_port'] = 4567
prometheus['listen_address'] = ''
letsencrypt['enable'] = false

both gitlab and docker work fine behind the proxy.

Assuming someone comments that my non-Pages settings won’t affect things, I will remove them for clarity for later forum lurkers :smile:

I really appreciate any help!


our working configuration for gitlab-cce on Ubuntu, behind Nginx is:

server {
    listen 80 ;
    server_name  git.<snip>;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/<snip>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<snip>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # Redirect non-https traffic to https
    if ($scheme != "https") {
       return 301 https://$host$request_uri;
         } # managed by Certbot

    client_max_body_size 1024m;

    # individual nginx logs for this gitlab vhost
    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;
    location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   Host      $host;
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_set_header        X-Forwarded-Proto    https;
#    proxy_set_header        Host                 $host;
#    proxy_set_header        X-Real-IP            $remote_addr;
    proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header        X-Frame-Options      SAMEORIGIN;
    proxy_set_header        X-Forwarded-Ssl      on;

From gitlab.rb

external_url 'https://git.<snip>'
nginx['listen_port'] = 8888 # override only if you use a reverse proxy:
nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP:

Thanks sdunt.

Mine is pretty similar, and my gitlab instance is working fine (as well as the docker repo) behind nginx – it’s just Pages that seems to be the problem.

Did you get pages setup and working?

We don’t use ‘pages’, plenty of other tools around, but in my reading through it, pages uses a separate IP address? that is distinct from the GitLab instance IP address?

That would imply 2 nginx configurations, one for pages and one for Gitlab itself.