How to set up https on gitlab instantApp


#1

Hi there,

How can I set up https on my gitlab server created using own scaleway image?

Thanks a lot!


#2

Hello @cristomanuel,

sometimes Google is your friend :wink: – https://about.gitlab.com/2016/04/11/tutorial-securing-your-gitlab-pages-with-tls-and-letsencrypt/ https://www.digitalocean.com/community/tutorials/how-to-secure-gitlab-with-let-s-encrypt-on-ubuntu-16-04

Soon,

Eldin :smile:

P.S.: You need to use https://github.com/certbot/certbot


#3

Hi @eldin!,

Thanks a lot! Since GitLab can be deployed on a scaleway server with a few mouse clicks, I launched the question in order to know if there was a simple solution through scaleway (i.e., give me your certificate and wait…).

On the other hand, there is not only one way to install GitLab. I.e., if I needed to install SSL on Apache I would not need to google xDD, but scaleway installs GitLab out of the box.

Thanks again


#4

Same for me! I want to install SSL for https connection and I can’t find anything about nginx or apache in /etc/…
Someone got a solution?


#5

I’ve got the same issue. I reported it on the project repo. It looks like the same packaging system is used on Digital Ocean, and the instructions for that say that all you need to do is set:

nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
nginx['redirect_http_to_https'] = true

in your gitlab.rb file and then run gitlab-ctl reconfigure. However, that just doesn’t work for me. It doesn’t redirect, doesn’t listen on port 443, doesn’t add any SSL config to nginx at all, so as it stands the gitlab image appears to be completely useless, unfortunately.

I use acme.sh with DNS validation (to avoid needing to mess with the horribly complicated and non-standard nginx config in the image) to obtain certificates from letsencrypt, and that part worked fine.


#6

I tracked down this guide from the official gitlab docs and managed to get it to work. What’s most annoying is that I’m not entirely sure what I changed that made it work! I had a few instances of the reconfigure script changing my settings back, in particular setting the main URL to be the reverse lookup, which is some long generic scaleway name instead of the name I had set.


#7

The problem with premade images is you have little control over the configuration. Any odd, idiosyncratic or just plain incorrect configuration done by the image creator will be inherited by your instance. In this case, I can point out the following issues (or at least what I perceive to be issues) with this image:

  • Single-use. The nginx configuration is embedded with the gitlab service, rather than using a modular approach. So you can’t easily add more web services to the VM and have them survive even if you decide to remove gitlab. For those interested, you’ll find the nginx config in /var/opt/gitlab/nginx/conf/
  • Putting a web service that requires logins behind HTTP and HTTP only. This means anyone on my local network can sniff my password.
  • Not sure what’s causing it, but my instance runs pretty unstable. Getting 502’s for prolonged periods, which then somehow automagically correct themselves. I’m running on a VC1S.
  • The mails don’t get sent out. I actually brought down the exim instance and installed maildump on port 25, and I saw nothing whatsoever come in when requesting a password reset.
  • Not keeping the documentation up-to-date. The login step differs from what’s listed in the docs in step 3. Not a big stumbling block since gitlab’s instructions are pretty straightforward, just mentioning for completeness.

I think I’ll just trash that server and set up my own, so I know where every piece goes and I can be certain it won’t trash my customised settings when I update my packages.

[EDIT] Apparently, postgres and nginx are included with gitlab in the Debian packages, so I can’t pin this on the image creator. I just set up my own environment, and I see the same nonsense there.


#8

Since gitlab 10.7 there is a much easier way to enable https via Let’s Encrypt on the gitlab instance. Just edit external_url in /etc/gitlab/gitlab.rb (replace http with https) and run gitlab-ctl reconfigure. It worked for me; head /opt/gitlab/version-manifest.txt shows version gitlab-ce 10.7.3
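
A read-only check of the gitlab.rb settings mentioned in posts #5 and #8, added here as an example; it is not code from any poster or from GitLab. It assumes what the GitLab Omnibus documentation states, that the bundled nginx serves TLS only when external_url begins with https://; the function names are hypothetical and GNU grep, sed and stat are assumed.

```sh
#!/bin/sh
# Added example: read-only check of the HTTPS settings in an Omnibus gitlab.rb.
# Assumes GNU grep/sed/stat (Linux host). Function names are hypothetical.

# Print the value of the last uncommented line in file $1 that starts with
# key regex $2, with any trailing comment and surrounding quotes removed.
rb_value() {
  grep -E "^[[:space:]]*$2" "$1" | tail -n 1 |
    sed -E "s/^[[:space:]]*$2[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*(#.*)?\$//; s/^[\"']//; s/[\"']\$//"
}

# Report on external_url, the certificate/key files and the HTTP redirect.
# Returns 1 if TLS cannot work as configured or the private key is over-exposed.
check_gitlab_https() {
  local rb="$1" rc=0 url cert key redirect mode f
  url=$(rb_value "$rb" "external_url")
  cert=$(rb_value "$rb" "nginx\['ssl_certificate'\]")
  key=$(rb_value "$rb" "nginx\['ssl_certificate_key'\]")
  redirect=$(rb_value "$rb" "nginx\['redirect_http_to_https'\]")

  case "$url" in
    https://*) echo "OK    external_url is $url" ;;
    *) echo "FAIL  external_url is '${url:-unset}', not https://"; rc=1 ;;
  esac

  if [ -z "$cert$key" ]; then
    echo "INFO  no nginx certificate paths set in $rb"
  else
    for f in "$cert" "$key"; do
      [ -r "$f" ] || { echo "FAIL  missing or unreadable: ${f:-<unset>}"; rc=1; }
    done
    if [ -f "$key" ]; then
      mode=$(stat -c '%a' "$key")
      case "$mode" in
        *00) echo "OK    private key mode is $mode" ;;
        *) echo "FAIL  $key has mode $mode, accessible beyond its owner"; rc=1 ;;
      esac
    fi
  fi

  [ "$redirect" = "true" ] ||
    echo "WARN  redirect_http_to_https is not true: http:// is not redirected"
  return "$rc"
}
```

Source the file and run `check_gitlab_https /etc/gitlab/gitlab.rb` before `gitlab-ctl reconfigure`; a FAIL on external_url matches the symptom in post #5, where certificate paths were set but nothing listened on port 443.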