0

I launched a gitlab container like this:

sudo docker run --detach --hostname MY_URL.com --publish 4433:443 --publish 8080:80 --publish 2222:22 --name gitlab --og/gitlab --volume /data/gitlab/data:/var/opt/gitlab gitlab/gitlab-ce:latest

And I have a NGINX configuration like this:

server {
  server_name MY_URL.com;
  location / {
    proxy_pass http://127.0.0.1:8080/;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwardedd_for;
    proxy_set_header X-Forwarded_Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
  }
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/MY_URL.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/MY_URL.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = MY_URL.com) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;
  server_name MY_URL.com;
    return 404; # managed by Certbot
}

With this configuration, everything works fine, I can type https://MY_URL.com in the address bar of my browser and I can get access to my Gitlab.

The problem is that the link to clone in the repositories is "HTTP" and not "HTTPS". Moreover, it seems that there is a configuration somewhere telling my CI jobs to use "HTTP://MY_URL.com" (and it doesn't work because I get an HTTP basic auth error, which I wouldn't get if I used https I think). I read the documentation and I thought I just had to modify the external_url parameter:

sudo vi /data/gitlab/config/gitlab.rb

Adding external_url 'https://MY_URL.com'

sudo docker exec -it gitlab gitlab-ctl reconfigure

But after doing that I always have a "bad redirection" if I write "http://MY_URL.com" or "https://MY_URL.com". In the nginx logs, I don't have any error but only 301 in the access.log.

What am I doing wrong here? Thanks a lot in advance...

Improve this question
0

1 Answer 1

Reset to default
1

Because you are providing an external NGINX configuration that also terminates SSL, you have to apply a configuration to your GitLab instance for external proxy/load-balancer SSL termination.

Normally, when you don't provide external_url, the system host name is used and HTTPS is disabled. If you provide an external_url with an https:// scheme, this will activate HTTPS, which is not what you want since you are using an external server (NGINX) for SSL/TLS termination.

external_url "https://myhost.com"
nginx['listen_port'] = 80
nginx['listen_https'] = false

This should be all you need to get GitLab to display the correct hostname in the UI without any other behavior changes.

You'll probably also want to change the proxy headers since you already have a proxy server in front of GitLab. You'll want to configure trusted proxies as well as the real-ip header to make sure GitLab correctly logs the IP address of your users (instead of the IP of your proxy).

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks a lot, I made a drawing to understand your explanations, it's all clear now, I didn't understand the "80" port until your answer. And now I understand more how I can handle my container registry!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.