This article is published under a Creative Commons Attribution 4.0 International (CC BY 4.0) license.

Author: Su Yang

Created: August 18, 2019. Word count: 3653 words. Reading time: 8 minutes. Link to this article: soulteary.com/2019/08/18/…


How to configure GitLab to use HTTPS

This article discusses how to properly configure GitLab to provide HTTPS services to users in three scenarios.

For simplicity, every configuration below is built with containers; if you deployed GitLab from source or from a package, edit the corresponding configuration files instead.

Use GitLab directly to handle HTTPS

If you don’t need to centrally manage SSL certificates or force traffic to come through only one gateway, then using GitLab directly to handle HTTPS requests is probably the best solution.

This approach only requires deploying the certificate to the GitLab server and making a small change to the configuration.

When using a compose file, after removing all unrelated settings, the part of the configuration that handles HTTPS looks like this (see the earlier article for the full configuration, and the GitLab tag for more on the topic):

version: '3'

services:

  gitlab:
    image: 'gitlab/gitlab-ce:12.0.2-ce.0'
    hostname: 'gitlab.lab.com'
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # certificate and private key, mounted read-only into the container
      - './cert/lab.com.crt:/etc/gitlab/ssl/lab.com.crt:ro'
      - './cert/lab.com.key:/etc/gitlab/ssl/lab.com.key:ro'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.lab.com'
        nginx['enable'] = true
        nginx['client_max_body_size'] = '250m'
        nginx['redirect_http_to_https'] = true
        nginx['redirect_http_to_https_port'] = 80
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/lab.com.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/lab.com.key"
        nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
        nginx['ssl_prefer_server_ciphers'] = "on"
        nginx['ssl_protocols'] = "TLSv1.2"
        nginx['http2_enabled'] = true
        # header passed from the bundled nginx to the GitLab application
        nginx['proxy_set_headers'] = {
          "X-Forwarded-Proto" => "http"
        }

Because GitLab itself handles the HTTP/HTTPS traffic, ports 80 and 443 both need to be published.

Once the ports are correct, the most important setting is external_url.

Its value must use the https:// scheme. In addition, enter the correct certificate paths in the nginx['ssl_certificate'] and nginx['ssl_certificate_key'] settings.

Use other software to handle HTTPS

There are two main scenarios: the first uses proxy software such as Traefik, the second uses the SLB (load balancer) service of a cloud provider.

Whether your goal is to manage certificates centrally or to reduce the number of exposed public ports, with traffic forwarded to each application through a single entry point, you can use the following approach.

Let's first look at using Traefik as the gateway.

Use Traefik as the gateway

The traefik.toml configuration file contains the following settings for handling HTTP and HTTPS traffic:

defaultEntryPoints = ["http", "https"]

[entryPoints]
    [entryPoints.http]
        address = ":80"
        compress = true
        # plain HTTP is only used to redirect to HTTPS
        [entryPoints.http.redirect]
            entryPoint = "https"
    [entryPoints.https]
        address = ":443"
        compress = true
        [entryPoints.https.tls]
            [[entryPoints.https.tls.certificates]]
                certFile = "/data/ssl/lab.com.pem"
                keyFile = "/data/ssl/lab.com.key"

As in the previous section, after removing all irrelevant configurations, the core configuration is as follows:

version: '3'

services:

  gitlab:
    image: 'gitlab/gitlab-ce:12.1.6-ce.0'
    hostname: 'gitlab.lab.com'
    expose:
      - 80
    labels:
      - "traefik.enable=true"
      - "traefik.gitlab.port=80"
      - "traefik.gitlab.frontend.rule=Host:gitlab.lab.com"
      - "traefik.gitlab.frontend.entryPoints=http,https"
      # tell Traefik which forwarded header marks a request as already TLS-terminated
      - "traefik.gitlab.frontend.headers.SSLProxyHeaders=X-Forwarded-Proto:https"
      - "traefik.gitlab.frontend.headers.STSSeconds=315360000"
      - "traefik.gitlab.frontend.headers.browserXSSFilter=true"
      - "traefik.gitlab.frontend.headers.contentTypeNosniff=true"
      - "traefik.gitlab.frontend.headers.customrequestheaders=X-Forwarded-Ssl:on"
      - "traefik.gitlab.frontend.passHostHeader=true"
      - "traefik.gitlab.frontend.passTLSCert=false"
    networks:
      - traefik
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.lab.com'
        nginx['enable'] = true
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['http2_enabled'] = false
        nginx['redirect_http_to_https'] = true

networks:
  traefik:
    external: true

Since Traefik handles the HTTP/HTTPS traffic, GitLab only needs to expose port 80, but it must define the various service-discovery rules in its labels.

Again, the core settings are external_url and nginx['listen_https']. The former must still use the https:// scheme, while the latter must be set to false.

Use SLB as the gateway

If you want to use the SLB of a cloud provider to manage HTTPS traffic and certificates, the above configuration can be further simplified:

version: '3'

services:

  gitlab:
    image: 'gitlab/gitlab-ce:12.1.6-ce.0'
    hostname: 'gitlab.lab.com'
    ports:
      - 80:80
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.lab.com'
        nginx['enable'] = true
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        # "$$" is how a literal "$" is written in a compose file
        nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "http"
        }

networks:
  traefik:
    external: true

After removing all the labels, GitLab still does not work; we must set nginx['proxy_set_headers'] with "X-Forwarded-Proto" => "http" so that GitLab accepts the traffic and returns the correct response to the proxy.
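As an added example (not part of the original article, and not GitLab's or Traefik's own tooling), the following Python script applies the rules stated across the three scenarios to a GITLAB_OMNIBUS_CONFIG block before it is deployed: external_url must use https:// in every case; in the direct scenario the certificate and key paths must be set and the HTTP-to-HTTPS redirect enabled; behind Traefik or an SLB, nginx['listen_https'] must be false and nginx['listen_port'] 80; and in the SLB scenario nginx['proxy_set_headers'] must supply X-Forwarded-Proto. The sample blocks are constructed here to mirror the article's, and the mode names "direct", "traefik" and "slb" are this script's own.

```python
import re

# Constructed sample GITLAB_OMNIBUS_CONFIG blocks mirroring the article's three scenarios.
# Inside a compose file a literal "$" is written "$$"; these are the blocks as GitLab sees them.
DIRECT_CFG = """
external_url 'https://gitlab.lab.com'
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['ssl_certificate'] = "/etc/gitlab/ssl/lab.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/lab.com.key"
nginx['ssl_protocols'] = "TLSv1.2"
"""

TRAEFIK_CFG = """
external_url 'https://gitlab.lab.com'
nginx['enable'] = true
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['http2_enabled'] = false
nginx['redirect_http_to_https'] = true
"""

SLB_CFG = """
external_url 'https://gitlab.lab.com'
nginx['enable'] = true
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "http"
}
"""

# Constructed: a gateway deployment with the mistakes the article warns about.
BROKEN_CFG = """
external_url 'http://gitlab.lab.com'
nginx['enable'] = true
nginx['listen_port'] = 80
"""

EXTERNAL_RE = re.compile(r"^external_url\s+['\"]([^'\"]+)['\"]")
SETTING_RE = re.compile(r"^nginx\['([a-z0-9_]+)'\]\s*=\s*(.+)$")
HEADER_RE = re.compile(r'"([^"]+)"\s*=>\s*"([^"]*)"')


def _coerce(raw):
    """Turn the Ruby-style literal on the right of '=' into a Python value."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.isdigit():
        return int(raw)
    return raw.strip("'\"")


def parse_omnibus(text):
    """Extract external_url, the nginx[...] settings and the proxy_set_headers hash."""
    cfg = {"external_url": None, "nginx": {}, "proxy_set_headers": {}}
    in_hash = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_hash:  # inside the proxy_set_headers { ... } block
            if line.startswith("}"):
                in_hash = False
            else:
                for name, value in HEADER_RE.findall(line):
                    cfg["proxy_set_headers"][name] = value
            continue
        m = EXTERNAL_RE.match(line)
        if m:
            cfg["external_url"] = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "proxy_set_headers":
                for name, hdr in HEADER_RE.findall(value):  # entries on the same line
                    cfg["proxy_set_headers"][name] = hdr
                in_hash = not value.rstrip().endswith("}")
            else:
                cfg["nginx"][key] = _coerce(value)
    return cfg


def check_gitlab_https(text, mode):
    """Return the list of rule violations for the given deployment mode."""
    cfg = parse_omnibus(text)
    nginx, headers = cfg["nginx"], cfg["proxy_set_headers"]
    problems = []
    if not (cfg["external_url"] or "").startswith("https://"):
        problems.append("external_url must use the https:// scheme in every scenario")
    if mode == "direct":
        if not (nginx.get("ssl_certificate") and nginx.get("ssl_certificate_key")):
            problems.append("direct mode needs nginx['ssl_certificate'] and nginx['ssl_certificate_key']")
        if nginx.get("listen_https") is False:
            problems.append("direct mode must keep nginx['listen_https'] enabled")
        if nginx.get("redirect_http_to_https") is not True:
            problems.append("enable nginx['redirect_http_to_https'] so port 80 only redirects")
    elif mode in ("traefik", "slb"):
        if nginx.get("listen_https") is not False:
            problems.append("behind a TLS-terminating gateway nginx['listen_https'] must be false")
        if nginx.get("listen_port") != 80:
            problems.append("the gateway forwards plain HTTP, so nginx['listen_port'] should be 80")
        if mode == "slb" and "X-Forwarded-Proto" not in headers:
            problems.append("without Traefik's header labels, nginx['proxy_set_headers'] must set X-Forwarded-Proto")
    else:
        raise ValueError(f"unknown mode: {mode}")
    return problems


if __name__ == "__main__":
    for name, cfg, mode in [("direct", DIRECT_CFG, "direct"), ("traefik", TRAEFIK_CFG, "traefik"),
                            ("slb", SLB_CFG, "slb"), ("broken", BROKEN_CFG, "slb")]:
        print(name, check_gitlab_https(cfg, mode) or "OK")
```

The three article-style blocks pass for their own mode, while the constructed broken block reports three violations; running a block against the wrong mode (for example the direct block as "slb") also fails, which is the quick way to catch a copy-pasted config that still terminates TLS itself behind a gateway.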

Finally

That's all for this post; next time I will talk about how to use GitLab more efficiently once a project is up and running.

– EOF


I now run a small tinkering group that has gathered some friends who like to tinker.

With no advertising, we chat about software, HomeLab and programming problems, and from time to time share information about technical salons in the group.

Friends who like to tinker are welcome to scan the QR code to add me as a friend. (Please state where you found this and why you are adding me, otherwise the request will not be approved.)
