Running omnibus-gitlab behind an AWS ELB

I’m trying to get omnibus-gitlab working. I used the CentOS gitlab-ce RPM for the install. I want my users to use https://gitlab.mydomain.com to access GitLab and https://registry.mydomain.com to get to the registry. I have two different ELBs set up, one for https://gitlab.mydomain.com and one for https://registry.mydomain.com. However, with the /etc/gitlab/gitlab.rb installer, if I set external_url 'https://gitlab.mydomain.com', then the default 443 port for the registry gets messed up. But if I do something like external_url 'https://gitlab.mydomain.com:8443', then the HTTPS URL that GitLab uses has the ‘8443’ as well, and I don’t want that. Should I follow the directions for setting up nginx behind a reverse proxy?

For completeness’ sake, I’ll put down an answer for ELB situations here:

/etc/gitlab/gitlab.rb:

external_url 'https://gitlab.yourdomain.here'

nginx['listen_https'] = false
nginx['listen_port'] = 80
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https"
}
nginx['enable'] = true
nginx['redirect_http_to_https'] = false
nginx['redirect_http_to_https_port'] = 81

On your ELB you can then map instance port 81 to ELB port 80 as HTTP -> HTTP listener, and instance port 80 to ELB port 443 as HTTPS -> HTTP listener.

Hello

Just sharing the way I managed to get it working for me, for the next guys ending up around here.

I’m running GitLab from the official docker, on an EC2 instance booted by an ASG. The ASG’s ELB is carrying the cert and doing the SSL stuff. But it won’t redirect HTTP to HTTPS like you’d do with Nginx or HTTPD.
So I put the https:// URL for GitLab’s nginx to enforce the https:// scheme. But nginx cried about not finding gitlab.crt, then mattermost.crt, then registry.crt…

Here’s the relevant piece of conf.

external_url 'https://${gitlab_host}'
mattermost_external_url 'https://${mattermost_host}'
registry_external_url 'https://${docker_registry_host}'

# Gitlab proxied SSL https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  'X-Forwarded-Proto' => 'https',
  'X-Forwarded-Ssl' => 'on'
}

# Registry proxied SSL, same idea
registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  'X-Forwarded-Proto' => 'https',
  'X-Forwarded-Ssl' => 'on'
}

# Mattermost proxied SSL, same with one more flag from https://docs.gitlab.com/omnibus/gitlab-mattermost/README.html#running-gitlab-mattermost-with-https
mattermost['service_use_ssl'] = true
mattermost_nginx['listen_port'] = 80
mattermost_nginx['listen_https'] = false
mattermost_nginx['proxy_set_headers'] = {
  'X-Forwarded-Proto' => 'https',
  'X-Forwarded-Ssl' => 'on'
}

My setup is behind an AWS ELB/ALB. However, my ALB listens on 80 and 443, so GitLab does the redirection currently. I also needed to see the real IP address of users, and this is achieved by populating real_ip_trusted_addresses.

http://ben.goodacre.name/tech/Setup_Gitlab_behind_off-loaded/reverse_proxy_SSL_(such_as_AWS_ALB)
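
An added example, not part of any post above and not GitLab's own code: a simplified Ruby model of how nginx's realip module chooses the client address from X-Forwarded-For, showing why real_ip_trusted_addresses should list only the load balancer's subnets. It assumes real_ip_header is X-Forwarded-For with real_ip_recursive on and a load balancer that appends the peer address to the header; the function name, subnet and addresses are constructed for illustration.

```ruby
require 'ipaddr'

# Simplified model of nginx's realip module, assuming in gitlab.rb:
#   nginx['real_ip_header']    = 'X-Forwarded-For'
#   nginx['real_ip_recursive'] = 'on'
# `trusted` plays the role of nginx['real_ip_trusted_addresses'].
# resolve_client_ip is a hypothetical helper, not a GitLab or nginx API.
def resolve_client_ip(remote_addr, x_forwarded_for, trusted)
  nets = trusted.map { |cidr| IPAddr.new(cidr) }
  trusted_ip = ->(addr) { nets.any? { |net| net.include?(addr) } }

  # The header is honoured only when the TCP peer is itself a trusted proxy.
  current = remote_addr
  return current unless trusted_ip.call(IPAddr.new(current))

  # Walk right to left: the rightmost entries were appended by our own
  # proxies; the first untrusted hop is the address the proxy really saw.
  hops = x_forwarded_for.to_s.split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    addr = begin
      IPAddr.new(hop)
    rescue IPAddr::Error
      return current # malformed hop: keep the last address that parsed
    end
    current = hop
    return current unless trusted_ip.call(addr)
  end
  current # every hop was trusted: the leftmost entry wins
end

# Constructed sample values (documentation address ranges).
ALB_SUBNETS = ['10.0.0.0/16'].freeze     # subnets holding the load balancer nodes
ALB_NODE    = '10.0.1.15'                # TCP peer seen by GitLab's nginx
FORGED_XFF  = '192.0.2.66, 203.0.113.7'  # client-supplied entry, then the one the LB appended

if __FILE__ == $PROGRAM_NAME
  puts resolve_client_ip(ALB_NODE, FORGED_XFF, ALB_SUBNETS)        # LB-appended address
  puts resolve_client_ip(ALB_NODE, FORGED_XFF, ['0.0.0.0/0'])      # client-supplied address
  puts resolve_client_ip('198.51.100.9', '10.0.1.1', ALB_SUBNETS)  # header ignored
end
```

With the trusted list scoped to the load balancer subnets, the logged address is the one the load balancer appended; with an over-broad list, the client-supplied leftmost entry ends up in logs and in any IP-based rate limiting.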