Dockerized GitLab - Configure SSL
This tutorial is for those who wish for SSL to be enabled on the GitLab container iteself. One does not have to do this, and can simply make use of a reverse proxy, that forwards plain HTTP connections to the GitLab container. However, this method may feel simpler and more straightforward.
Related Posts
Steps
Earlier, we deployed GitLab through docker, which would have created the following 3 local directories:
- ./gitlab/config
- ./gitlab/logs
- ./gitlab/data
Place SSL Certificates
The first thing we need to do, is stick our SSL certificate files within a the config directory as such:
DOMAIN="gitlab.mydomain.com"
./gitlab/config/ssl/$DOMAIN/certificate.pem
./gitlab/config/ssl/$DOMAIN/certificate.key
Update Configuration
Now we need to tell GitLab to use the NGINX webserver, and use these certificate files.
Edit the GitLab configuration file by running:
sudo editor ./gitlab/config/gitlab.rb
The first thing we should do, is add (it won't exist yet) a line to set the external_url
, which our GitLab service can be accessed on from the internet.
external_url "https://gitlab.mydomain.org:443"
=
sign!
Then uncomment the set of settings, to: 1. Enable the NGINX service 1. Set the client max body size to 250m 1. Redirect http connections to https. 1. Sepcify that the HTTP port that will need redirecting to HTTPs, is port 80
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
Then, further down, un-comment the nginx['ssl_certificate']
and nginx['ssl_certificate_key']
lines, and provide values for where your certificate files are (from the first step). E.g.
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.mydomain.com/certificate.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.mydomain.com/certificate.key"
You may sish to uncomment the ssl_ciphers and ssl_protocols lines:
nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
Then make sure to un-comment the listen_addresses
line:
nginx['listen_addresses'] = ['*', '[::]']
Then, you may wish to un-comment and set the next couple of settings...
##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
nginx['gzip_enabled'] = true
##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
nginx['listen_port'] = 443
##! **Override only if your reverse proxy internally communicates over HTTP**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
nginx['listen_https'] = true
This will: 1. ensure that gzip is enabled 1. listen on port 443 (default SSL port) 1. listen for https connections
Leave the proxy protocol line alone (commented out):
##! **Override only if you use a reverse proxy with proxy protocol enabled**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-proxy-protocol
#nginx['proxy_protocol'] = true
Restart GitLab
Now just re-deploy the container or run the following commands from inside the container:
gitlab-ctl reconfigure
gitlab-ctl restart
SSL should now be working. If you have any issues, be sure to check that your certificate paths and names are exactly in-line with your configuration settings.
Debugging
If you have any issues, the easiest thing to do is check your generated nginx configuration file at:
/var/opt/gitlab/nginx/conf/gitlab-http.conf
I find that when stuck, the best thing to do is try tweaking the settings, running the configure step:
gitlab-ctl reconfigure
... then check the nginx configuration changed in the way you desired. It should look something like below:
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
listen [::]:80;
server_name gitlab.mydomain.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
location / {
return 301 https://gitlab.mydomain.com:443$request_uri;
}
# health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;
access_log /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
error_log /var/log/gitlab/nginx/gitlab_error.log error;
}
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name gitlab.mydomain.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size 250m;
# ... more stuff down here
First published: 20th February 2022