A guide to configuring GitLab with HTTPS behind an Apache reverse proxy
It has been a while since my last blog entry. I have just spent a few hours migrating some web applications from my old server to the new server. While migrating them, I realized that among all the applications, GitLab is the only one still using HTTP, so I decided to spend some time upgrading it from HTTP to HTTPS. As the process was not really smooth sailing, I decided to document the configuration that needs to be changed. This guide follows my previously written article on hosting GitLab behind a reverse proxy.
The first thing you will need to edit is gitlab.rb in /etc/gitlab.
In the old guide, we were using:
gitlab_git_http_server['listen_network'] = "tcp"
gitlab_git_http_server['listen_addr'] = "localhost:7000"
Since version 10, gitlab_git_http_server has been replaced by gitlab_workhorse. Official reference
If you are using version 10 or above, change the above configuration to the one below.
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "localhost:7000"
Next, update your external_url so that it starts with https:
Before:
external_url 'http://yourdomain.com'
After:
external_url 'https://yourdomain.com'
Now we need to inform GitLab about the change by running:
sudo gitlab-ctl reconfigure
If you ever run into the error "user www-data is being used by process xxx" (where xxx is the process ID of Apache), you simply need to stop Apache first. After running the above command, you may start Apache again.
Lastly, we need to set up the vhost. Below is the configuration that I am using.
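<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    # TLS ends at Apache; the hop to the backend is plain HTTP over loopback.
    ProxyPass "/" "http://127.0.0.1:8111/"
    ProxyPassReverse "/" "http://127.0.0.1:8111/"
    ServerName yourdomain.com

    SSLCertificateFile /path/to/your/ssl/cert
    SSLCertificateKeyFile /path/to/your/ssl/privatekey
    Include /etc/letsencrypt/options-ssl-apache.conf

    # The SSLProxy* directives only apply to https:// backends. With the
    # http:// backend above they have no effect; with an https:// backend
    # these values would switch off checking of the backend certificate.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Header and RequestHeader require mod_headers.
    Header edit Location ^http://yourdomain.com/ https://yourdomain.com/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>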
I am using Let’s Encrypt (LE) for the SSL certificate, which is why you will see Include /etc/letsencrypt/options-ssl-apache.conf; that line was inserted by LE.
Now restart Apache and enjoy GitLab over HTTPS.
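Added example, not part of the original post: a small Python check over the proxy-related directives of the vhost above. It flags a plain-HTTP backend that is not on loopback, SSLProxy* values that turn off backend certificate checks (dormant here, because the backend is http://127.0.0.1), and a missing X-Forwarded-Proto header. The function names and finding labels are assumptions made for this example.

```python
import shlex
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Values that switch off checking of the backend's TLS certificate.
WEAK_TLS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
            "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

# Constructed sample: the proxy-related directives from the vhost in this guide.
GUIDE_VHOST = '''
<VirtualHost *:443>
    ProxyPass "/" "http://127.0.0.1:8111/"
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
'''

def directives(conf):
    """Return (lowercased name, args) per directive line; skip tags and comments."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            parts = shlex.split(line)
            out.append((parts[0].lower(), parts[1:]))
    return out

def audit_vhost(conf):
    """Return findings for the proxy settings discussed in this guide."""
    ds = directives(conf)
    findings = []
    backends = [urlparse(a[1]) for n, a in ds if n == "proxypass" and len(a) >= 2]
    for b in backends:
        # Plain HTTP is only acceptable when the hop never leaves the host.
        if b.scheme == "http" and b.hostname not in LOOPBACK:
            findings.append(f"cleartext-backend:{b.hostname}")
    tls_backend = any(b.scheme == "https" for b in backends)
    for n, a in ds:
        if a and WEAK_TLS.get(n) == a[0].lower():
            # Active with an https:// backend, otherwise dormant until one is used.
            kind = "unverified-backend-tls" if tls_backend else "dormant-weak-setting"
            findings.append(f"{kind}:{n}")
    fwd = [[x.lower() for x in a[:3]] for n, a in ds if n == "requestheader"]
    if ["set", "x-forwarded-proto", "https"] not in fwd:
        findings.append("missing-x-forwarded-proto")
    return findings
```

Calling audit_vhost(GUIDE_VHOST) returns four dormant-weak-setting findings; pointing the same ProxyPass at an https:// backend turns them into unverified-backend-tls findings.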