Gitlab behind reverse proxy


GitLab behind Reverse Proxy does not work

Hi,

When the GitLab CE nginx server is listening on HTTP (80) but sits behind a reverse proxy server listening on HTTPS (443), it does not work, and I found no issue about that.

--HTTPS--> reverse proxy (sources..fr) --HTTP--> gitlab server (.interne..fr)

When there’s no reverse proxy and gitlab server is listening to http, it’s working.

With the HTTPS reverse proxy in front, the user login box is displayed, but when a user tries to log in, a GitLab 404 error occurs!

Please help us !
regards,

/etc/gitlab/gitlab.rb

default installation but with this config :

external_url 'https://sources..fr'
nginx['listen_port'] = 80
nginx['listen_https'] = false
gitlab_rails['trusted_proxies'] = ['192.168.x.xx', '192.168.x.xy']
nginx['proxy_set_headers'] = {
  "Host" => "sources..fr",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

System information

System:
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.10
Git Version: 2.29.0
Sidekiq Version: 5.2.9
Go Version: unknown

GitLab information
Version: 13.10.0
Revision: 5eafdaf7b07
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.5
URL: https://sources..fr
HTTP Clone URL: https://sources..fr/some-group/some-project.git
SSH Clone URL: [email protected]:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.17.0
Repository storage paths:

  • default: /var/opt/gitlab/git-data/repositories
    GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
    Git: /opt/gitlab/embedded/bin/git

/var/log/gitlab/nginx/gitlab_access.log

192.168.7.243 - - [26/Apr/2021:18:31:14 +0200] "GET /users/sign_in HTTP/1.1" 302 106 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" -
192.168.7.243 - - [26/Apr/2021:18:31:15 +0200] "GET /users/ HTTP/1.1" 404 28614 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" -

/var/log/gitlab/gitlab-rails/production.log

[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: ff2d0722-c92f-4c0e-aa6c-89ed739f8acb) to Sidekiq(mailers) with arguments: "Notify", "unknown_sign_in_email", "deliver_now", {:args=>[#<GlobalID:0x00007f1d45e785b0 @uri=#<URI::GID gid://gitlab/User/1>>, "127.0.0.1", Mon, 26 Apr 2021 15:36:51 UTC +00:00]}
Completed 302 Found in 268ms (ActiveRecord: 78.9ms | Elasticsearch: 0.0ms | Allocations: 39298)
[ActiveJob] [ActionMailer::MailDeliveryJob] [ff2d0722-c92f-4c0e-aa6c-89ed739f8acb] Performing ActionMailer::MailDeliveryJob (Job ID: ff2d0722-c92f-4c0e-aa6c-89ed739f8acb) from Sidekiq(mailers) enqueued at 2021-04-26T15:36:51Z with arguments: "Notify", "unknown_sign_in_email", "deliver_now", {:args=>[#<GlobalID:0x00007f77c1ec3138 @uri=#<URI::GID gid://gitlab/User/1>>, "127.0.0.1", Mon, 26 Apr 2021 15:36:51 UTC +00:00]}
Started GET "/users/" for 127.0.0.1 at 2021-04-26 17:36:51 +0200
Processing by ApplicationController#route_not_found as HTML
Parameters: {"unmatched_route"=>"users"}

Source: https://forum.gitlab.com/t/gitlab-behind-reverse-proxy-does-not-work/52158

Proxy in Reverse: Nginx < Gitlab + JIRA + Jenkins

As you go about your daily business, moving JIRA tickets around and pushing code to Gitlab, most of you don't think about how it all works behind the scenes. It takes a bit of DevOps magic to make it all operate smoothly. As part of our internal development efforts, I was tasked with getting our source control, project management and continuous integration/delivery infrastructure off the ground. We chose, respectively, Gitlab, JIRA, and Jenkins. While this is a fairly standard setup and tutorials abound, we still ran into some niggling little issues, due to the simple fact that no two setups are truly the same.

This, then, is our contribution to the topic. It assumes three things:

1) You're running this on Linux: not a hard requirement, but all the file paths listed here pertain to Linux

2) You've installed everything necessary: we believe you can apt-get / yum / wget / curl just fine on your own

3) You've obtained an SSL certificate from Let's Encrypt or some other vendor: can't have encrypted, secure traffic without it

The scenario: We started by installing Gitlab Omnibus. You get Gitlab and are spared from installing and configuring a bunch of other stuff that comes in the package, including a web server to, well, serve Gitlab to users. But then we installed JIRA and realized that people can only reach it by going to the IP:port for JIRA, as it comes with its own application server. We need a way to provide a uniform interface towards the user; we need a reverse proxy. We also want to access these services over a secure connection, but we don't want to configure each service individually. In other words, we need SSL termination.

This brings us to Nginx, which is typically used for both these roles. The idea is to present users with nice-looking URLs such as https://example.com/gitlab. 

The front-facing Nginx then passes on (proxies) these requests to the actual servers running in the background, but terminates the SSL (well, TLS, but let's not pick nits) encryption before talking to them.

This means there are quite a few things to do: Add the proxied routes and the certificate to Nginx, disable SSL in Gitlab, JIRA and Jenkins, ask them to listen only to requests from the localhost as we don't want them to be reachable from the outside except via Nginx, and add any necessary configuration to make them work behind a reverse proxy. 

Let's start with the Nginx side of things. We'll use "example.com" as the example domain (substitute as needed). Open your nginx.conf file (typically, it's in /etc/nginx), and first redirect HTTP to HTTPS in one server block:

server {
        server_name example.com;
        listen 80;
        return 301 https://$host$request_uri;
}

Now add the certificate information in another block:

server {
       listen       443 ssl http2 default_server;
       listen       [::]:443 ssl http2 default_server;
       server_name  example.com;
       root         /usr/share/nginx/html;

       ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
       ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";

       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout  10m;
       ssl_protocols TLSv1.2 TLSv1.3;
       ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES1$;
       ssl_prefer_server_ciphers on;
}

The ssl_certificate and ssl_certificate_key are paths to your certificate and private key, which will be different for your setup. As a side note, if you've used certbot to register with Let's Encrypt and you used the --nginx parameter (available via plugin), certbot will automatically modify your nginx.conf with the correct values (the options below ssl_certificate_key will be included through files rather than written explicitly).

Now we can add the routes for Jenkins, JIRA and Gitlab (locations, as Nginx calls them) to the second server block. The crucial part is the proxy_pass option, which routes to the ports on localhost. You can set these to any port value; 8081, 8084, and 10987 are just some examples. Naturally, these must coincide with the ports in the configuration files for each service. Since all the routes are fairly similar, first we'll get the two nearly identical ones out of the way:

server {
        location /jenkins {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 90;
            proxy_http_version 1.1;
            proxy_request_buffering off;
        }

        location /jira {
            proxy_pass http://127.0.0.1:8084;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size 500M;
        }
}

Gitlab is a little different:

server {
        location /gitlab {
            proxy_pass http://127.0.0.1:10987;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Url-Scheme https;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_read_timeout 90;
            client_max_body_size 0;
            gzip off;
            proxy_http_version 1.1;
        }
}

The most important difference is the third block, the SSL options. Gitlab Omnibus comes with its own Nginx server, and the SSL options must be properly handled on both sides.

Don't forget to run nginx -t to test the configuration file for errors before starting the server.
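nginx -t only checks syntax; it will not tell you that a location block forwards to a non-loopback address or forgets the headers the backend needs to build https:// URLs. As an added example (not code from the article), the Ruby below parses the location blocks, confirms that proxy_pass targets loopback (so the backend is only reachable through the proxy, as the article intends) and reports which forwarding headers are missing. The required-header list (Host, X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Ssl) is my choice rather than something the article states; in the article JIRA learns its scheme from proxyName/scheme in server.xml instead, so a missing header there is a finding to weigh, not necessarily a bug. The sample configuration is constructed from the article's three blocks.

```ruby
# Added example, not the article's code: lint nginx "location" blocks that sit
# behind a TLS-terminating proxy. Checks (1) proxy_pass goes to loopback and
# (2) the backend receives the headers it needs to reconstruct https:// URLs
# and the real client address. REQUIRED_HEADERS is an assumption of this example.
require 'ipaddr'

# Header name => values (literal or nginx variable) accepted for it.
REQUIRED_HEADERS = {
  'Host'              => ['$host', '$http_host', '$host:$server_port'],
  'X-Forwarded-For'   => ['$proxy_add_x_forwarded_for'],
  'X-Forwarded-Proto' => ['https', '$scheme'],
  'X-Forwarded-Ssl'   => ['on'],
}.freeze

LocationCheck = Struct.new(:path, :upstream, :problems)

# Extract [path, upstream, headers] for every "location <path> { ... }" block.
# Directives are split on ';', so the run-together one-line form works as well.
def parse_locations(conf)
  conf.scan(/location\s+(\S+)\s*\{([^}]*)\}/m).map do |path, body|
    upstream = nil
    headers  = {}
    body.split(';').map(&:strip).reject(&:empty?).each do |directive|
      name, *args = directive.split(/\s+/)
      case name
      when 'proxy_pass'       then upstream = args.first
      when 'proxy_set_header' then headers[args[0]] = args[1..-1].join(' ')
      end
    end
    [path, upstream, headers]
  end
end

# True when the upstream host is "localhost" or a loopback IPv4 address.
# (Bracketed IPv6 literals are not handled by this small parser.)
def loopback_upstream?(upstream)
  return false if upstream.nil?
  host = upstream.sub(%r{\Ahttps?://}, '').split('/').first.split(':').first
  return true if host == 'localhost'
  IPAddr.new(host).loopback?
rescue IPAddr::InvalidAddressError
  false
end

def check_location(path, upstream, headers)
  problems = []
  problems << "upstream #{upstream.inspect} is not loopback" unless loopback_upstream?(upstream)
  REQUIRED_HEADERS.each do |name, accepted|
    value = headers[name]
    if value.nil?
      problems << "missing proxy_set_header #{name}"
    elsif !accepted.include?(value)
      problems << "unexpected value for #{name}: #{value}"
    end
  end
  LocationCheck.new(path, upstream, problems)
end

def check_config(conf)
  parse_locations(conf).map { |path, upstream, headers| check_location(path, upstream, headers) }
end

# Constructed sample built from the article's three blocks: Jenkins sends no
# X-Forwarded-Ssl, JIRA sends neither Host nor the scheme headers.
SAMPLE_CONF = <<~NGINX
  server {
    location /jenkins {
      proxy_pass http://127.0.0.1:8081;
      proxy_set_header Host $host:$server_port;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /jira {
      proxy_pass http://127.0.0.1:8084;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /gitlab {
      proxy_pass http://127.0.0.1:10987;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-Ssl on;
    }
  }
NGINX

if __FILE__ == $PROGRAM_NAME
  check_config(SAMPLE_CONF).each do |r|
    puts "#{r.path} -> #{r.upstream}: #{r.problems.empty? ? 'ok' : r.problems.join('; ')}"
  end
end
```

Run it against your own nginx.conf by reading the file into check_config; a location whose upstream is not loopback means the service is also reachable directly, bypassing the TLS termination and any access rules you put on the proxy.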

Let's proceed to configuring Jenkins. Open the configuration file, located either in /etc/default/jenkins (Debian) or /etc/sysconfig/jenkins (CentOS), and set the following options:

JENKINS_PORT="8081"
JENKINS_LISTEN_ADDRESS="127.0.0.1"
JENKINS_ARGS="--prefix=/jenkins"

This sets Jenkins up to listen on port 8081, take only requests coming from the localhost, and listen on the prefix /jenkins.

Now let's take a look at JIRA

If you've installed the binary from Atlassian, your JIRA installation is in /opt/atlassian/jira, and you need the conf/server.xml file inside it. Comment out the other connectors, and add this one:

<Connector connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
           keystorePass="changeit" keystoreType="JKS" maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           maxThreads="150" minSpareThreads="25" port="8084"
           protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="example.com"
           proxyPort="443" redirectPort="8443" relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

The salient attributes are port, proxyName and relaxedQueryChars. The first two are self-explanatory, and you'll input your own values. The last one you can copy as-is - JIRA tends to complain if you don't include it.

We're finally onto Gitlab

The gitlab.rb configuration file should be located in /etc/gitlab/:

external_url "https://example.com/gitlab"
gitlab_rails['gitlab_shell_ssh_port'] = 22
nginx['listen_addresses'] = ['127.0.0.1']
nginx['listen_port'] = 10987
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "X-Forwarded-Ssl" => "on",
}

The gitlab_shell_ssh_port needs to be changed to mirror the one defined in sshd.conf. It's not a good practice to leave the default value, which you'd quickly learn upon checking the logs and seeing thousands of login attempts.

The rest of the options concern Gitlab's internal Nginx instance. The first two are again self-explanatory, and the last two are crucial for making it work with SSL.

There will always be little things and changes that you need to make to tailor these tools to your own purposes, but these instructions should set you well on your way towards a basic setup. Hurdles are an inevitable part of life. SSL can be finicky. Some setups appear strange at first – two instances of Nginx can lead to all sorts of confusing situations. XML configuration files will drive you to wonder why (oh why) people still use XML for configuration. The best thing you can do is to jot these down for future reference – and who knows, maybe a blog post down the line.

Source: https://serengetitech.com/tech/proxy-in-reverse-nginx-gitlab-jira-jenkins/

Gitlab showing 404 while running behind nginx reverse proxy, all within a docker network

As the title says, I'm trying to serve Gitlab through an nginx reverse proxy, with both programs being run in separate docker containers connected through a docker network. A picture as an example:

nginx runs with this docker command:

for gitlab:

Internally (to docker networks) nginx is known as and gitlab is known as . I have confirmed I can ping each container from inside the other, using their container names.

As it is now, it almost works. When I go to on my linux host I get a 404 error page from gitlab, but no login screen.

the 404 screen. Custom, so I know gitlab is running and picked up the configuration

I'm obviously missing something but I'm not sure what it is. It's hard for me to tell if it's an NGinx configuration issue or a Gitlab configuration issue.

Log output when I hit

:

:

asked Jan 7 '20 at 21:38

Source: https://serverfault.com/questions/998021/gitlab-showing-404-while-running-behind-nginx-reverse-proxy-all-within-a-docker
Installing GitLab using Docker.

Erutan409/gitlab.rb

# These are fragments of the configuration that will need to be updated
# ---
## GitLab URL
##! URL on which GitLab will be reachable.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
external_url 'https://gitlab.your-fqdn.com'
#external_url 'http://gitlab.internal.lan'
# ---
### Trusted proxies
###! Customize if you have GitLab behind a reverse proxy which is running on a
###! different machine.
###! **Add the IP address for your reverse proxy to the list, otherwise users
###! will appear signed in from that address.**
gitlab_rails['trusted_proxies'] = ['10.100.0.0/15']
# ---
################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################
# nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80
##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
##! enable/disable 2-way SSL client authentication
# nginx['ssl_verify_client'] = "off"
##! if ssl_verify_client on, verification depth in the client certificates chain
# nginx['ssl_verify_depth'] = "1"
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"
##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##! https://cipherli.st/**
# nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"
##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_timeout'] = "5m"
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*', '[::]']
##! **Defaults to forcing web browsers to always communicate using only HTTPS**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security
# nginx['hsts_max_age'] = 31536000
# nginx['hsts_include_subdomains'] = false
##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
# nginx['gzip_enabled'] = true
##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
nginx['listen_port'] = 80
##! **Override only if your reverse proxy internally communicates over HTTP**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
nginx['listen_https'] = false
# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 3600
# nginx['proxy_connect_timeout'] = 300
nginx['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  # "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
  # "Upgrade" => "$http_upgrade",
  # "Connection" => "$connection_upgrade"
}
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['http2_enabled'] = true
nginx['real_ip_trusted_addresses'] = ['10.100.0.0/15']
nginx['real_ip_header'] = 'X-Real-IP'
nginx['real_ip_recursive'] = 'on'
# nginx['custom_error_pages'] = {
#   '404' => {
#     'title' => 'Example title',
#     'header' => 'Example header',
#     'message' => 'Example message'
#   }
# }
### Advanced settings
# nginx['dir'] = "/var/opt/gitlab/nginx"
# nginx['log_directory'] = "/var/log/gitlab/nginx"
# nginx['worker_processes'] = 4
# nginx['worker_connections'] = 10240
# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
# nginx['sendfile'] = 'on'
# nginx['tcp_nopush'] = 'on'
# nginx['tcp_nodelay'] = 'on'
# nginx['gzip'] = "on"
# nginx['gzip_http_version'] = "1.0"
# nginx['gzip_comp_level'] = "2"
# nginx['gzip_proxied'] = "any"
# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# nginx['keepalive_timeout'] = 65
# nginx['cache_max_size'] = '5000m'
# nginx['server_names_hash_bucket_size'] = 64
### Nginx status
# nginx['status'] = {
#   "enable" => true,
#   "listen_addresses" => ["127.0.0.1"],
#   "fqdn" => "dev.example.com",
#   "port" => 9999,
#   "options" => {
#     "stub_status" => "on", # Turn on stats
#     "server_tokens" => "off", # Don't show the version of NGINX
#     "access_log" => "off", # Disable logs for stats
#     "allow" => "127.0.0.1", # Only allow access from localhost
#     "deny" => "all" # Deny access to anyone else
#   }
# }
Source: https://gist.github.com/Erutan409/86d3ddd7f26d4d9cacb8011e4bd14b96


Gitlab behind a reverse proxy

I am using GitLab for private projects. GitLab is run using the Docker image provided by GitLab. I can access my instance from outside via a reverse proxy (Apache).

The setup is simple:

  • GitLab Docker container is running on NUC and listens on port 7080 for HTTP connections
  • NUC is connected via OpenVPN to the server on AWS
  • Apache as a reverse proxy listening on port 443 for HTTPS
  • Apache terminates SSL: incoming requests are HTTPS, but forwarded as HTTP to GitLab
  • Apache forwards incoming requests to GitLab on Docker

Standard setup of GitLab in Docker with Apache as reverse proxy will give access to GitLab without problems. Start GitLab container, configure Apache, done. You can access GitLab from the internet, create repositories, clone, push, etc.

While the setup will work out of the box, you need to carry out additional configuration for GitLab to really make it work with SSL terminating. What is not working correctly is:

  • The external URL is not configured, so the URL in the repository clone dialog is not using HTTPS.
  • You cannot upload attachments in the Wiki
  • You cannot add pictures in the Wiki via copy & paste from the clipboard
  • Uploading files / images may work in the issues dialog, but not in the wiki, as the wiki is using different upload service.

Attaching an image from clipboard fails.

Problem

My external URL is https://gitlab.itsfullofstars.de, so I set this value as external_url in gitlab.rb. You configure GitLab by setting the parameters in the file gitlab.rb and then reconfiguring GitLab.

## GitLab URL
##! URL on which GitLab will be reachable.
external_url 'https://gitlab.itsfullofstars.de'

Run reconfigure to enable the configuration.

gitlab-ctl reconfigure

Accessing gitlab.itsfullofstars.de:

This will set all parameters in all involved components of GitLab based on the values set in gitlab.rb. You can see the new value by looking at the automatically generated configuration file for the internal web server.

## GitLab settings
gitlab:
  ## Web server settings (note: host is the FQDN, do not include http://)
  host: gitlab.itsfullofstars.de
  port: 443
  https: true

The problem is: GitLab thinks it is running standalone, with direct access to the internet. There is not a specific parameter to inform that the requests are coming from a reverse proxy with SSL termination. Setting the values in gitlab.rb will result in an erroneous configuration:

  • SSL for internal GitLab web server (nginx) is enabled
  • Nginx is not listening on port 80, only on 443
  • My Apache reverse proxy is configured to connect to nginx port 80. Hence the Service Unavailable error.

Port 80 no longer works. Accessing GitLab directly via 192.168.x.x:7443, the HTTPS port (Docker maps 7443 to 443):

Access works, but with a self-signed certificate: GitLab tries to obtain a new TLS certificate during the reconfigure process, fails, and falls back to the self-signed one.

Attaching an image won’t work

Because of the external_url value, GitLab will redirect to gitlab.itsfullofstars.de. As the reverse proxy is not able to connect, it’s a 503 error.

Configuring the external GitLab URLs results in:

  • An incorrect HTTPS configuration due to wrong certificate
  • Adjustment of Apache reverse proxy: no longer SSL termination

I do not want to take on managing GitLab's internal TLS certificate. I want to access it via HTTP only and use Apache for SSL termination.

Solution

The solution is to configure the external URL and to let the internal nginx run on port 80 and no HTTPS.

Gitlab.rb

Configure a value for external_url.

vim config/gitlab.rb

external_url 'https://gitlab.itsfullofstars.de'
nginx['listen_port'] = 80
nginx['listen_https'] = false

gitlab-ctl reconfigure

GitLab HTTP server

Check the configuration of the internal GitLab web server. The host should be gitlab.itsfullofstars.de, the port 80 and the protocol HTTP.

more data/gitlab-rails/etc/gitlab.yml

## GitLab settings
gitlab:
  ## Web server settings (note: host is the FQDN, do not include http://)
  host: gitlab.itsfullofstars.de
  port: 80
  https: false

Optional: Restart

Running reconfigure restarts the services, but if you want to be sure, restart GitLab.

gitlab-ctl restart

Apache configuration

My Apache configuration. Maybe not all parameters are needed, but it works.

<VirtualHost *:443>
    ServerName gitlab.itsfullofstars.de
    ProxyPreserveHost On
    ProxyRequests Off
    SSLProxyEngine on
    SSLEngine on
    SSLHonorCipherOrder on
    <Location />
        RequestHeader unset Accept-Encoding
        RequestHeader set Host "gitlab.itsfullofstars.de"
        RequestHeader add X-Forwarded-Ssl on
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass http://nuc:7080/
        ProxyPassReverse http://nuc:7080/
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

Result

After executing the above steps, your configuration should be:

An external request is now for server gitlab.itsfullofstars.de. Apache does SSL termination, and nginx is accepting the request without either blocking it or trying to redirect to HTTPS.
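To make the Problem and Solution sections above concrete, here is an added Ruby diagnostic (not from the original post). It reads the reverse-proxy settings out of a gitlab.rb snippet, derives the host/port/https triple the post shows in gitlab.yml, reads the upstream from the Apache ProxyPass line, maps the Docker host port back to the container port, and reports any mismatch between what the proxy dials and what GitLab's nginx listens on. The derivation rule (the external_url scheme decides https and port unless nginx['listen_port'] and nginx['listen_https'] override them) is a simplified model of what the post describes, not Omnibus's own code; the port map 7080 to 80 and 7443 to 443 is assumed from the post's description of its Docker mapping, and the snippets are constructed from the post's listings.

```ruby
# Added example, not the post's code: check that an Apache reverse proxy and
# GitLab's internal nginx agree on port and protocol after reconfigure.
# The derivation in effective_web_settings is a simplified model of the
# behaviour the post describes, not Omnibus's own logic.
require 'uri'

# Pull the three reverse-proxy-relevant settings out of gitlab.rb text. Only the
# simple forms used in the post are recognised; commented lines are skipped.
def parse_gitlab_rb(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\Aexternal_url\s+['"]([^'"]+)['"]/            then settings[:external_url] = $1
    when /\Anginx\['listen_port'\]\s*=\s*(\d+)/          then settings[:listen_port]  = $1.to_i
    when /\Anginx\['listen_https'\]\s*=\s*(true|false)/  then settings[:listen_https] = ($1 == 'true')
    end
  end
  settings
end

# external_url alone -> scheme decides https and port (443 for https).
# nginx['listen_port'] / nginx['listen_https'] override the listener only.
def effective_web_settings(settings)
  uri   = URI.parse(settings.fetch(:external_url))
  https = settings.key?(:listen_https) ? settings[:listen_https] : (uri.scheme == 'https')
  port  = settings[:listen_port] || uri.port
  { host: uri.host, port: port, https: https }
end

# Read the upstream Apache dials from the first "ProxyPass" line and translate
# the host port to the container port via a Docker host=>container map.
def upstream_from_apache(vhost_text, port_map)
  line = vhost_text[/^\s*ProxyPass\s+.*$/] or raise 'no ProxyPass directive found'
  url  = line.split.find { |t| t.start_with?('http://', 'https://') } or raise 'ProxyPass has no URL'
  uri  = URI.parse(url)
  { scheme: uri.scheme, container_port: port_map.fetch(uri.port, uri.port) }
end

def diagnose(gitlab_rb, vhost_text, port_map)
  backend  = effective_web_settings(parse_gitlab_rb(gitlab_rb))
  upstream = upstream_from_apache(vhost_text, port_map)
  problems = []
  if upstream[:container_port] != backend[:port]
    problems << "proxy dials container port #{upstream[:container_port]} but GitLab's nginx listens on #{backend[:port]}"
  end
  if (upstream[:scheme] == 'https') != backend[:https]
    problems << "proxy speaks #{upstream[:scheme]} but the backend has https=#{backend[:https]}"
  end
  { backend: backend, upstream: upstream, problems: problems }
end

# Constructed inputs based on the post's listings.
BEFORE_RB = <<~'RB'
  external_url 'https://gitlab.itsfullofstars.de'
RB

AFTER_RB = <<~'RB'
  external_url 'https://gitlab.itsfullofstars.de'
  nginx['listen_port'] = 80
  nginx['listen_https'] = false
RB

APACHE_VHOST = <<~'APACHE'
  <VirtualHost *:443>
      ServerName gitlab.itsfullofstars.de
      <Location />
          ProxyPass http://nuc:7080/
          ProxyPassReverse http://nuc:7080/
      </Location>
  </VirtualHost>
APACHE

# Assumed Docker mapping (host port => container port) from the post's description.
PORT_MAP = { 7080 => 80, 7443 => 443 }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'before' => BEFORE_RB, 'after' => AFTER_RB }.each do |label, rb|
    result = diagnose(rb, APACHE_VHOST, PORT_MAP)
    puts "#{label}: backend=#{result[:backend]} problems=#{result[:problems].inspect}"
  end
end
```

The "before" run reproduces the 503: Apache dials plain HTTP on container port 80 while the backend has moved to HTTPS on 443. The "after" run reports nothing, matching the gitlab.yml shown under GitLab HTTP server above.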

Attaching an image to GitLab Wiki by pasting it from the clipboard


Links

Some resources I found while solving the issue for myself.

https://gitlab.com/gitlab-org/gitlab-ce/issues/27583

https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl

https://gitlab.com/gitlab-org/gitlab-ce/issues/52243

Source: https://www.itsfullofstars.de/2019/06/gitlab-behind-a-reverse-proxy/

Setup Let's Encrypt for a Gitlab instance behind a Nginx reverse proxy

My company has a server dedicated to hosting the following services:

  • Gitlab
  • Gitlab-runner (one instance)
  • Nginx (used as a reverse-proxy)

We are using docker and docker-compose.

Our Sysadmin is gone, and did not leave any documentation, notes or anything to understand his work. I (junior python dev) am trying to temporarily take over and resolve urgent issues.

This setup seems to be using a self-signed certificate, and it seems that the certificate was manually renewed. That means that we have to ask people using our ticket system to change their Chrome/FF settings to accept , which we can't. It also creates issues for people wanting to check out public repos through https.

I am trying to switch to a Let's Encrypt configuration, with auto-renewal.

My issue is that I have no idea how to do that. I have tried to follow these instructions, but it doesn't seem to change anything, which makes sense because.

  • Looking at our current (simplified) config files provided below, does the current setup even make sense?
  • "Who" should be taking care of SSL? Gitlab or Nginx?
  • How can I switch this config to using Let's Encrypt.

I hope those questions are not too broad, but, not really being a sysadmin or devops person, I'm a bit overwhelmed by the situation, so any beginner-friendly resource is also very welcome.

/srv/docker-compose/docker-compose.yml

/srv/reverseproxy/config/nginx.conf

asked Feb 2 at 15:56


Source: https://stackoverflow.com/questions/66013167/setup-lets-encrypt-for-a-gitlab-instance-behind-a-nginx-reverse-proxy


titom73/gitlab.rb

## GitLab configuration settings
##! This file is generated during initial installation and **is not** modified
##! during upgrades.
##! Check out the latest version of this file to know about the different
##! settings that can be configured by this file, which may be found at:
##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template

## GitLab URL
##! URL on which GitLab will be reachable.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
# external_url 'GENERATED_EXTERNAL_URL'

## Roles for multi-instance GitLab
##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
##! Options:
##!   redis_sentinel_role redis_master_role redis_slave_role geo_primary_role geo_secondary_role
##! For more details on each role, see:
##! https://docs.gitlab.com/omnibus/roles/README.html#roles
##!
# roles ['redis_sentinel_role', 'redis_master_role']

## Legend
##! The following notations at the beginning of each line may be used to
##! differentiate between components of this file and to easily select them using
##! a regex.
##! ## Titles, subtitles etc
##! ##! More information - Description, Docs, Links, Issues etc.
##! Configuration settings have a single # followed by a single space at the
##! beginning; Remove them to enable the setting.
##! **Configuration settings below are optional.**
##! **The values currently assigned are only examples and ARE NOT the default
##!   values.**

################################################################################
################################################################################
##                Configuration Settings for GitLab CE and EE                 ##
################################################################################
################################################################################

################################################################################
## gitlab.yml configuration
##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
################################################################################
# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
# gitlab_rails['time_zone'] = 'UTC'

### Email Settings
# gitlab_rails['gitlab_email_enabled'] = true
# gitlab_rails['gitlab_email_from'] = '[email protected]'
# gitlab_rails['gitlab_email_display_name'] = 'Example'
# gitlab_rails['gitlab_email_reply_to'] = '[email protected]'
# gitlab_rails['gitlab_email_subject_suffix'] = ''

### GitLab user privileges
# gitlab_rails['gitlab_default_can_create_group'] = true
# gitlab_rails['gitlab_username_changing_enabled'] = true

### Default Theme
# gitlab_rails['gitlab_default_theme'] = 2

### Default project feature settings
# gitlab_rails['gitlab_default_projects_features_issues'] = true
# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true
# gitlab_rails['gitlab_default_projects_features_wiki'] = true
# gitlab_rails['gitlab_default_projects_features_snippets'] = true
# gitlab_rails['gitlab_default_projects_features_builds'] = true
# gitlab_rails['gitlab_default_projects_features_container_registry'] = true

### Automatic issue closing
###! See https://docs.gitlab.com/ce/customization/issue_closing.html for more
###! information about this pattern.
# gitlab_rails['gitlab_issue_closing_pattern'] = "((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing)|[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)"

### Download location
###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file
###! is created in the following directory.
# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'

### Gravatar Settings
# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'

### Auxiliary jobs
###! Periodically executed jobs, to self-heal Gitlab, do external
###! synchronizations, etc.
###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
###!       https://docs.gitlab.com/ce/ci/yaml/README.html#artifacts:expire_in
# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"
# gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *"
# gitlab_rails['pipeline_schedule_worker_cron'] = "41 * * * *"
# gitlab_rails['repository_check_worker_cron'] = "20 * * * *"
# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"
# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"
# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"

### Webhook Settings
###! Number of seconds to wait for HTTP response after sending webhook HTTP POST
###! request (default: 10)
# gitlab_rails['webhook_timeout'] = 10

### Trusted proxies
###! Customize if you have GitLab behind a reverse proxy which is running on a
###! different machine.
###! **Add the IP address for your reverse proxy to the list, otherwise users
###! will appear signed in from that address.**
# gitlab_rails['trusted_proxies'] = []

### Monitoring settings
###! IP whitelist controlling access to monitoring endpoints
# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8']
###! Time between sampling of unicorn socket metrics, in seconds
# gitlab_rails['monitoring_unicorn_sampler_interval'] = 10

### Reply by email
###! Allow users to comment on issues and merge requests by replying to
###! notification emails.
###! Docs: https://docs.gitlab.com/ce/administration/reply_by_email.html
# gitlab_rails['incoming_email_enabled'] = true

#### Incoming Email Address
####! The email address including the `%{key}` placeholder that will be replaced
####! to reference the item being replied to.
####! **The placeholder can be omitted but if present, it must appear in the
####! "user" part of the address (before the `@`).**
# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"

#### Email account username
####! **With third party providers, this is usually the full email address.**
####! **With self-hosted email servers, this is usually the user part of the
####! email address.**
# gitlab_rails['incoming_email_email'] = "[email protected]"

#### Email account password
# gitlab_rails['incoming_email_password'] = "[REDACTED]"

#### IMAP Settings
# gitlab_rails['incoming_email_host'] = "imap.gmail.com"
# gitlab_rails['incoming_email_port'] = 993
# gitlab_rails['incoming_email_ssl'] = true
# gitlab_rails['incoming_email_start_tls'] = false

#### Incoming Mailbox Settings
####! The mailbox where incoming mail will end up. Usually "inbox".
# gitlab_rails['incoming_email_mailbox_name'] = "inbox"
####! The IDLE command timeout.
# gitlab_rails['incoming_email_idle_timeout'] = 60

### Job Artifacts
# gitlab_rails['artifacts_enabled'] = true
# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"
# gitlab_rails['artifacts_object_store_enabled'] = false # EE only
# gitlab_rails['artifacts_object_store_background_upload'] = true
# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"
# gitlab_rails['artifacts_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'endpoint' => nil,
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

### Git LFS
# gitlab_rails['lfs_enabled'] = true
# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects"
# gitlab_rails['lfs_object_store_enabled'] = false # EE only
# gitlab_rails['lfs_object_store_background_upload'] = true
# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects"
# gitlab_rails['lfs_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'endpoint' => nil,
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

### Usage Statistics
# gitlab_rails['usage_ping_enabled'] = true

### GitLab Mattermost
###! These settings are void if Mattermost is installed on the same omnibus
###! install
# gitlab_rails['mattermost_host'] = "https://mattermost.example.com"

### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###!   in yaml format and the spaces must be retained. Using tabs will not work.**

# gitlab_rails['ldap_enabled'] = false

###! **remember to close this block with 'EOS' below**
# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
#   main: # 'main' is the GitLab 'provider ID' of this LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
#
#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
# EOS

### OmniAuth Settings
###!
Docs: https://docs.gitlab.com/ce/integration/omniauth.htmlgitlab_rails['omniauth_enabled']=false# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'# gitlab_rails['omniauth_block_auto_created_users'] = true# gitlab_rails['omniauth_auto_link_ldap_user'] = false# gitlab_rails['omniauth_auto_link_saml_user'] = false# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']gitlab_rails['omniauth_providers']=[{"name"=>"gitlab","app_id"=>"a9754bb57fb8a9a5ed6d28709acdf0808ec89e69f452468dd78efd6ad7ed9a66","app_secret"=>"da7fca18c9b21059900c46137e8c3a1b4137d5e2f4b0ca4f5771a3741665272d","args"=>{"scope"=>"api"}}]### Backup Settings###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html# gitlab_rails['manage_backup_path'] = true# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"###! Docs: https://docs.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions# gitlab_rails['backup_archive_permissions'] = 0644# gitlab_rails['backup_pg_schema'] = 'public'###! The duration in seconds to keep backups before they are allowed to be deleted# gitlab_rails['backup_keep_time'] = 604800# gitlab_rails['backup_upload_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AKIAKIAKI',# 'aws_secret_access_key' => 'secret123'# }# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'# gitlab_rails['backup_multipart_chunk_size'] = 104857600###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for###! backups**# gitlab_rails['backup_encryption'] = 'AES256'###! **Specifies Amazon S3 storage class to use for backups. Valid values###! include 'STANDARD', 'STANDARD_IA', 'GLACIER', and###! 
'REDUCED_REDUNDANCY'**# gitlab_rails['backup_storage_class'] = 'STANDARD'### For setting up different data storing directory###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory###! **If you want to use a single non-default directory to store git data use a###! path that doesn't contain symlinks.**# git_data_dirs({# "default" => {# "path" => "/mnt/nfs-01/git-data"# }# })### Gitaly settings# gitlab_rails['gitaly_token'] = 'secret token'### For storing GitLab application uploads, eg. LFS objects, build artifacts###! Docs: https://docs.gitlab.com/ce/development/shared_files.html# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared'### Wait for file system to be mounted###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#only-start-omnibus-gitlab-services-after-a-given-filesystem-is-mounted# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"]### GitLab Shell settings for GitLab# gitlab_rails['gitlab_shell_ssh_port'] = 22# gitlab_rails['gitlab_shell_git_timeout'] = 800### Extra customization# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id'# gitlab_rails['extra_piwik_url'] = '_your_piwik_url'# gitlab_rails['extra_piwik_site_id'] = '_your_piwik_site_id'##! 
Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html# gitlab_rails['env'] = {# 'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"# }# gitlab_rails['rack_attack_git_basic_auth'] = {# 'enabled' => true,# 'ip_whitelist' => ["127.0.0.1"],# 'maxretry' => 10,# 'findtime' => 60,# 'bantime' => 3600# }# gitlab_rails['rack_attack_protected_paths'] = [# '/users/password',# '/users/sign_in',# '/api/#{API::API.version}/session.json',# '/api/#{API::API.version}/session',# '/users',# '/users/confirmation',# '/unsubscribes/',# '/import/github/personal_access_token'# ]###! **We do not recommend changing these directories.**# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"### GitLab application settings# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"# gitlab_rails['rate_limit_requests_per_period'] = 10# gitlab_rails['rate_limit_period'] = 60#### Change the initial default admin password and shared runner registraion tokens.####! **Only applicable on initial setup, changing these settings after database####! is created and seeded won't yield any change.**# gitlab_rails['initial_root_password'] = "password"# gitlab_rails['initial_shared_runners_registration_token'] = "token"#### Enable or disable automatic database migrations# gitlab_rails['auto_migrate'] = true#### This is advanced feature used by large gitlab deployments where loading#### whole RAILS env takes a lot of time.# gitlab_rails['rake_cache_clear'] = true### GitLab database settings###! Docs: https://docs.gitlab.com/omnibus/settings/database.html###! 
**Only needed if you use an external database.**# gitlab_rails['db_adapter'] = "postgresql"# gitlab_rails['db_encoding'] = "unicode"# gitlab_rails['db_collation'] = nil# gitlab_rails['db_database'] = "gitlabhq_production"# gitlab_rails['db_pool'] = 10# gitlab_rails['db_username'] = "gitlab"# gitlab_rails['db_password'] = nil# gitlab_rails['db_host'] = nil# gitlab_rails['db_port'] = 5432# gitlab_rails['db_socket'] = nil# gitlab_rails['db_sslmode'] = nil# gitlab_rails['db_sslrootcert'] = nil# gitlab_rails['db_prepared_statements'] = false# gitlab_rails['db_statements_limit'] = 1000### GitLab Redis settings###! Connect to your own Redis instance###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#### Redis TCP connection# gitlab_rails['redis_host'] = "127.0.0.1"# gitlab_rails['redis_port'] = 6379# gitlab_rails['redis_password'] = nil# gitlab_rails['redis_database'] = 0#### Redis local UNIX socket (will be disabled if TCP method is used)# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"#### Sentinel support####! To have Sentinel working, you must enable Redis TCP connection support####! above and define a few Sentinel hosts below (to get a reliable setup####! at least 3 hosts).####! **You don't need to list every sentinel host, but the ones not listed will####! not be used in a fail-over situation to query for the new master.**# gitlab_rails['redis_sentinels'] = [# {'host' => '127.0.0.1', 'port' => 26379},# ]#### Separate instances support###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances# gitlab_rails['redis_cache_instance'] = nil# gitlab_rails['redis_cache_sentinels'] = nil# gitlab_rails['redis_queues_instance'] = nil# gitlab_rails['redis_queues_sentinels'] = nil# gitlab_rails['redis_shared_state_instance'] = nil# gitlab_rails['redis_shared_sentinels'] = nil### GitLab email server settings###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html###! 
**Use smtp instead of sendmail/postfix.**# gitlab_rails['smtp_enable'] = true# gitlab_rails['smtp_address'] = "smtp.server"# gitlab_rails['smtp_port'] = 465# gitlab_rails['smtp_user_name'] = "smtp user"# gitlab_rails['smtp_password'] = "smtp password"# gitlab_rails['smtp_domain'] = "example.com"# gitlab_rails['smtp_authentication'] = "login"# gitlab_rails['smtp_enable_starttls_auto'] = true# gitlab_rails['smtp_tls'] = false###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html# gitlab_rails['smtp_openssl_verify_mode'] = 'none'# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"################################################################################## Container Registry settings##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html################################################################################# registry_external_url 'https://registry.gitlab.example.com'### Settings used by GitLab application# gitlab_rails['registry_enabled'] = true# gitlab_rails['registry_host'] = "registry.gitlab.example.com"# gitlab_rails['registry_port'] = "5005"# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"###! **Do not change the following 3 settings unless you know what you are###! 
doing**# gitlab_rails['registry_api_url'] = "http://localhost:5000"# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"### Settings used by Registry application# registry['enable'] = true# registry['username'] = "registry"# registry['group'] = "registry"# registry['uid'] = nil# registry['gid'] = nil# registry['dir'] = "/var/opt/gitlab/registry"# registry['registry_http_addr'] = "localhost:5000"# registry['debug_addr'] = "localhost:5001"# registry['log_directory'] = "/var/log/gitlab/registry"# registry['env_directory'] = "/opt/gitlab/etc/registry/env"# registry['env'] = {}# registry['log_level'] = "info"# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"# registry['storage_delete_enabled'] = true### Registry backend storage###! Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver# registry['storage'] = {# 's3' => {# 'accesskey' => 'AKIAKIAKI',# 'secretkey' => 'secret123',# 'bucket' => 'gitlab-registry-bucket-AKIAKIAKI'# }# }### Registry notifications endpoints# registry['notifications'] = [# {# 'name' => 'test_endpoint',# 'url' => 'https://gitlab.example.com/notify2',# 'timeout' => '500ms',# 'threshold' => 5,# 'backoff' => '1s',# 'headers' => {# "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]# }# }# ]### Default registry notifications# registry['default_notifications_timeout'] = "500ms"# registry['default_notifications_threshold'] = 5# registry['default_notifications_backoff'] = "1s"# registry['default_notifications_headers'] = {}################################################################################## GitLab Workhorse##! 
Docs: https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md################################################################################# gitlab_workhorse['enable'] = true# gitlab_workhorse['ha'] = false# gitlab_workhorse['listen_network'] = "unix"# gitlab_workhorse['listen_umask'] = 000# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"# gitlab_workhorse['auth_backend'] = "http://localhost:8080"##! the empty string is the default in gitlab-workhorse option parser# gitlab_workhorse['auth_socket'] = "''"##! put an empty string on the command line# gitlab_workhorse['pprof_listen_addr'] = "''"# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"##! limit number of concurrent API requests, defaults to 0 which is unlimited# gitlab_workhorse['api_limit'] = 0##! limit number of API requests allowed to be queued, defaults to 0 which##! disables queuing# gitlab_workhorse['api_queue_limit'] = 0##! duration after which we timeout requests if they sit too long in the queue# gitlab_workhorse['api_queue_duration'] = "30s"##! Long polling duration for job requesting for runners# gitlab_workhorse['api_ci_long_polling_duration'] = "60s"# gitlab_workhorse['env'] = {# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"# }################################################################################## GitLab User Settings##! Modify default git user.##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#changing-the-name-of-the-git-user-group################################################################################# user['username'] = "git"# user['group'] = "git"# user['uid'] = nil# user['gid'] = nil##! The shell for the git user# user['shell'] = "/bin/sh"##! 
The home directory for the git user# user['home'] = "/var/opt/gitlab"# user['git_user_name'] = "GitLab"# user['git_user_email'] = "[email protected]#{node['fqdn']}"################################################################################## GitLab Unicorn##! Tweak unicorn settings.##! Docs: https://docs.gitlab.com/omnibus/settings/unicorn.html################################################################################# unicorn['worker_timeout'] = 60###! Minimum worker_processes is 2 at this moment###! See https://gitlab.com/gitlab-org/gitlab-ce/issues/18771# unicorn['worker_processes'] = 2### Advanced settings# unicorn['listen'] = '127.0.0.1'# unicorn['port'] = 8080# unicorn['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'# unicorn['pidfile'] = '/opt/gitlab/var/unicorn/unicorn.pid'# unicorn['tcp_nopush'] = true# unicorn['backlog_socket'] = 1024###! **Make sure somaxconn is equal or higher then backlog_socket**# unicorn['somaxconn'] = 1024###! **We do not recommend changing this setting**# unicorn['log_directory'] = "/var/log/gitlab/unicorn"### **Only change these settings if you understand well what they mean**###! Docs: https://about.gitlab.com/2015/06/05/how-gitlab-uses-unicorn-and-unicorn-worker-killer/###! https://github.com/kzk/unicorn-worker-killer# unicorn['worker_memory_limit_min'] = "400 * 1 << 20"# unicorn['worker_memory_limit_max'] = "650 * 1 << 20"################################################################################## GitLab Sidekiq################################################################################
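The config dump above leaves two settings at their template defaults that interact badly once a separate reverse proxy is in front of GitLab: `gitlab_rails['trusted_proxies'] = []` (the template's own comment warns that users will then appear to sign in from the proxy's address) and `gitlab_rails['rack_attack_git_basic_auth']`, whose ban is keyed on the client IP that GitLab resolves. The following Ruby is an added example written for this page, not part of the original post and not GitLab's or Rack's own code. It re-implements the client-IP resolution the way Rack's `Request#ip` does it, on the assumption that GitLab prepends `127.0.0.1` and `::1` to the configured `trusted_proxies` list, and pairs it with a simplified Allow2Ban-style failure counter using the `maxretry`/`findtime`/`bantime`/`ip_whitelist` knobs from the config. The proxy, attacker and victim addresses are constructed from documentation ranges.

```ruby
require 'ipaddr'

# Added example, not GitLab's or Rack's code. It models the client-IP
# resolution GitLab relies on behind a reverse proxy (after Rack::Request#ip,
# with the loopback entries GitLab always trusts prepended to
# gitlab_rails['trusted_proxies']) and an Allow2Ban-style counter with the
# rack_attack_git_basic_auth knobs, to show what a wrong proxy list does.
ALWAYS_TRUSTED = %w[127.0.0.1 ::1].freeze

# Split "client, proxy1, proxy2" into addresses; malformed entries are dropped.
def parse_ips(header)
  return [] if header.nil?
  header.strip.split(/[,\s]+/).map do |ip|
    begin
      IPAddr.new(ip)
    rescue IPAddr::InvalidAddressError
      nil
    end
  end.compact
end

def client_ip(remote_addr:, x_forwarded_for: nil, trusted_proxies: [])
  proxies = (ALWAYS_TRUSTED + trusted_proxies).map { |p| IPAddr.new(p) }
  trusted = ->(ip) { proxies.any? { |proxy| proxy.include?(ip) } }

  remote = IPAddr.new(remote_addr)
  # A peer we do not trust is the client itself; whatever it put into
  # X-Forwarded-For is attacker-controlled and is ignored.
  return remote.to_s unless trusted.call(remote)

  # Behind a trusted proxy the hops read client, proxy1, proxy2: drop the
  # trusted ones and keep the right-most remainder, appended by the nearest proxy.
  forwarded = parse_ips(x_forwarded_for)
  external = forwarded.reject { |ip| trusted.call(ip) }
  (external.last || forwarded.first || remote).to_s
end

# Failed-auth counter: maxretry failures within findtime seconds ban the key
# for bantime seconds; whitelisted addresses are never counted.
class FailedAuthBan
  def initialize(maxretry:, findtime:, bantime:, ip_whitelist: [])
    @maxretry, @findtime, @bantime = maxretry, findtime, bantime
    @whitelist = ip_whitelist.map { |ip| IPAddr.new(ip) }
    @failures = Hash.new { |h, k| h[k] = [] } # key => failure timestamps
    @banned_until = {}
  end

  def record_failure(key, now)
    return if @whitelist.any? { |w| w.include?(IPAddr.new(key)) }
    recent = @failures[key].select { |t| now - t < @findtime } << now
    @failures[key] = recent
    @banned_until[key] = now + @bantime if recent.size >= @maxretry
  end

  def banned?(key, now)
    @banned_until.key?(key) && now < @banned_until[key]
  end
end

# Constructed scenario (documentation address ranges): one reverse proxy at
# 192.0.2.10 fronts an attacker at 203.0.113.5 and a colleague at 203.0.113.77.
PROXY    = '192.0.2.10'
ATTACKER = '203.0.113.5'
VICTIM   = '203.0.113.77'

def seen_as(addr, trusted_proxies)
  client_ip(remote_addr: PROXY, x_forwarded_for: addr, trusted_proxies: trusted_proxies)
end

# Ten failed Git HTTP logins by the attacker, then the colleague's first request.
def lockout_simulation(trusted_proxies)
  ban = FailedAuthBan.new(maxretry: 10, findtime: 60, bantime: 3600,
                          ip_whitelist: ['127.0.0.1'])
  10.times { |i| ban.record_failure(seen_as(ATTACKER, trusted_proxies), 1000 + i) }
  {
    attacker_seen_as: seen_as(ATTACKER, trusted_proxies),
    victim_seen_as: seen_as(VICTIM, trusted_proxies),
    attacker_locked_out: ban.banned?(seen_as(ATTACKER, trusted_proxies), 1010),
    victim_locked_out: ban.banned?(seen_as(VICTIM, trusted_proxies), 1010)
  }
end

# Forged X-Forwarded-For values: sent directly, or smuggled through the proxy.
def forged_header_results
  {
    direct: client_ip(remote_addr: ATTACKER, x_forwarded_for: '10.0.0.1',
                      trusted_proxies: [PROXY]),
    via_proxy: client_ip(remote_addr: PROXY,
                         x_forwarded_for: "198.51.100.99, #{ATTACKER}",
                         trusted_proxies: ['192.0.2.0/24'])
  }
end

if $PROGRAM_NAME == __FILE__
  p lockout_simulation([])      # everyone is 192.0.2.10 and the colleague is banned too
  p lockout_simulation([PROXY]) # only 203.0.113.5 is banned
  p forged_header_results       # both resolve to 203.0.113.5
end
```

With the template default of an empty list, every request arrives from the proxy's address, so ten failed Git HTTP logins by one abuser ban the proxy and with it every user behind it for the full `bantime`. Listing the proxy (a single address or a CIDR such as `192.0.2.0/24`) restores per-client attribution, and because only entries appended by trusted hops are honoured, a client forging its own `X-Forwarded-For` still resolves to its real address whether it connects directly or through the proxy.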
Source: https://gist.github.com/titom73/1adf72e8ae28889ca13dee2d09d8ef8f

