Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Dockerized GitLab - Configure SSL

This tutorial is for those who wish for SSL to be enabled on the GitLab container iteself. One does not have to do this, and can simply make use of a reverse proxy, that forwards plain HTTP connections to the GitLab container. However, this method may feel simpler and more straightforward.

Related Posts

Steps

Earlier, we deployed GitLab through docker, which would have created the following 3 local directories:

  • ./gitlab/config
  • ./gitlab/logs
  • ./gitlab/data

Place SSL Certificates

The first thing we need to do, is stick our SSL certificate files within a the config directory as such:

DOMAIN="gitlab.mydomain.com"

./gitlab/config/ssl/$DOMAIN/certificate.pem
./gitlab/config/ssl/$DOMAIN/certificate.key

You will need to create the ssl and $DOMAIN directories.

Update Configuration

Now we need to tell GitLab to use the NGINX webserver, and use these certificate files.

Edit the GitLab configuration file by running:

sudo editor ./gitlab/config/gitlab.rb

The first thing we should do, is add (it won't exist yet) a line to set the external_url, which our GitLab service can be accessed on from the internet.

external_url "https://gitlab.mydomain.org:443"

Setting the port is quite important, and you will notice that there is no = sign!

Then uncomment the set of settings, to: 1. Enable the NGINX service 1. Set the client max body size to 250m 1. Redirect http connections to https. 1. Sepcify that the HTTP port that will need redirecting to HTTPs, is port 80

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80

Then, further down, un-comment the nginx['ssl_certificate'] and nginx['ssl_certificate_key'] lines, and provide values for where your certificate files are (from the first step). E.g.

nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.mydomain.com/certificate.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.mydomain.com/certificate.key"

You may sish to uncomment the ssl_ciphers and ssl_protocols lines:

nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

Then make sure to un-comment the listen_addresses line:

nginx['listen_addresses'] = ['*', '[::]']

Then, you may wish to un-comment and set the next couple of settings...

##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
nginx['gzip_enabled'] = true

##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
nginx['listen_port'] = 443

##! **Override only if your reverse proxy internally communicates over HTTP**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
nginx['listen_https'] = true

This will: 1. ensure that gzip is enabled 1. listen on port 443 (default SSL port) 1. listen for https connections

Leave the proxy protocol line alone (commented out):

##! **Override only if you use a reverse proxy with proxy protocol enabled**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-proxy-protocol
#nginx['proxy_protocol'] = true

Restart GitLab

Now just re-deploy the container or run the following commands from inside the container:

gitlab-ctl reconfigure
gitlab-ctl restart

SSL should now be working. If you have any issues, be sure to check that your certificate paths and names are exactly in-line with your configuration settings.

Debugging

If you have any issues, the easiest thing to do is check your generated nginx configuration file at:

/var/opt/gitlab/nginx/conf/gitlab-http.conf

I find that when stuck, the best thing to do is try tweaking the settings, running the configure step:

gitlab-ctl reconfigure

... then check the nginx configuration changed in the way you desired. It should look something like below:

###################################
##         configuration         ##
###################################

## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  listen [::]:80;

  server_name gitlab.mydomain.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice


  location / {
    return 301 https://gitlab.mydomain.com:443$request_uri;
  }

  # health checks configuration
  include /var/opt/gitlab/nginx/conf/gitlab-health.conf;

  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log error;
}

server {
  listen *:443 ssl http2;


  listen [::]:443 ssl http2;


  server_name gitlab.mydomain.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 250m;

# ... more stuff down here
Last updated: 21st February 2022
First published: 20th February 2022

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years experience in web development, DevOps, Linux Administration, and IT solutions.

Need support with your infrastructure or web services?

Get in touch