A guide to configuring GitLab with HTTPS behind an Apache reverse proxy

Published by moxlotus on

It has been a while since my last blog entry. I have just spent a few hours migrating some web applications from my old server to a new one. While migrating them, I realized that GitLab was the only application still using HTTP, so I decided to spend some time upgrading it from HTTP to HTTPS. As the process was not entirely smooth, I am documenting the configuration that needs to be changed. This guide follows my previously written article on hosting GitLab using a reverse proxy.

The first thing you need to edit is gitlab.rb in /etc/gitlab.
In the old guide, we were using:

gitlab_git_http_server['listen_network'] = "tcp"
gitlab_git_http_server['listen_addr'] = "localhost:7000"

Since version 10, gitlab_git_http_server has been replaced by gitlab_workhorse (official reference).
If you are using version 10 or above, change the configuration above to the one below.

gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "localhost:7000"

Next, update external_url so that it starts with https. Replace

external_url 'http://yourdomain.com'

with

external_url 'https://yourdomain.com'

Now we need to inform GitLab about the changes by running


sudo gitlab-ctl reconfigure

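If you run into the error "user www-data is being used by process xxx" (where xxx is the process ID of Apache), simply stop Apache first. After running the above command, you can start Apache again.

Lastly, we need to set up the vhost. Below is the configuration that I am using. The backend address in ProxyPass and ProxyPassReverse must be the address GitLab Workhorse listens on (listen_addr in gitlab.rb), so adjust the port to match yours.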


<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyPass "/" "http://127.0.0.1:8111/"
    ProxyPassReverse "/" "http://127.0.0.1:8111/"
    ServerName yourdomain.com
    SSLCertificateFile /path/to/your/ssl/cert
    SSLCertificateKeyFile /path/to/your/ssl/privatekey
    Include /etc/letsencrypt/options-ssl-apache.conf
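
    # The SSLProxy* directives apply only to https:// backends. With the
    # http:// backend above they have no effect; with an https:// backend
    # these values would turn off verification of the backend certificate.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
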
    Header edit Location ^http://yourdomain.com/ https://yourdomain.com/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>

I am using Let's Encrypt (LE) for the SSL certificate, which is why you see Include /etc/letsencrypt/options-ssl-apache.conf; that line was inserted by LE.

Now restart Apache and enjoy GitLab over HTTPS.
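Before restarting Apache, it helps to cross-check the two files edited above. The script below is an added example, not part of the original post: check() and rb_value() are hypothetical helpers, the finding codes are names made up for this example, and the sample inputs are constructed from the snippets in this guide.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs, modelled on the snippets in this post.
GITLAB_RB = """\
external_url 'https://yourdomain.com'
gitlab_workhorse['listen_addr'] = "localhost:7000"
"""
VHOST = """\
<VirtualHost *:443>
    ProxyPass "/" "http://127.0.0.1:8111/"
    ProxyPassReverse "/" "http://127.0.0.1:8111/"
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def rb_value(text, key):
    """Last uncommented assignment of a gitlab.rb key (later lines win)."""
    hits = re.findall(rf"^\s*{re.escape(key)}\s*=?\s*['\"]([^'\"]+)['\"]", text, re.M)
    return hits[-1] if hits else None

def check(gitlab_rb, vhost):
    """Return (code, detail) findings for a gitlab.rb / vhost pair."""
    findings = []
    if urlsplit(rb_value(gitlab_rb, "external_url") or "").scheme != "https":
        findings.append(("external-url-not-https", "external_url"))
    listen = rb_value(gitlab_rb, "gitlab_workhorse['listen_addr']") or ""
    port = listen.rpartition(":")[2]
    backends = sorted(set(re.findall(
        r"^\s*ProxyPass(?:Reverse)?\s+\S+\s+\"?([^\"\s]+)", vhost, re.M | re.I)))
    for url in map(urlsplit, backends):
        if str(url.port) != port:  # Apache must proxy to the Workhorse port
            findings.append(("backend-port-mismatch", f"{url.port} != {port}"))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(("cleartext-backend", url.hostname))
    relaxed = re.findall(
        r"^\s*(SSLProxyVerify\s+none|SSLProxyCheckPeer\w+\s+off)", vhost, re.M | re.I)
    if relaxed:  # harmless with http:// backends, unverified TLS with https://
        tls = any(urlsplit(b).scheme == "https" for b in backends)
        findings.append(("backend-cert-unverified" if tls else "sslproxy-unused",
                         ", ".join(relaxed)))
    if not re.search(r"^\s*RequestHeader\s+set\s+X-Forwarded-Proto\s+\"?https",
                     vhost, re.M | re.I):
        findings.append(("missing-x-forwarded-proto", "RequestHeader"))
    return findings

print(check(GITLAB_RB, VHOST))
```

On the constructed sample it reports that the ProxyPass port differs from listen_addr and that the relaxed SSLProxy* settings are unused because the backend is http://.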
