Configuring GitLab CE behind an Nginx SSL reverse proxy, with examples, using a wildcard Let's Encrypt certificate.

July 10, 2018
Nginx CentOS

I have a wildcard certificate from Let's Encrypt for *.example.com and example.com.
CentOS 7 running omnibus GitLab CE.
I would like to run gitlab.example.com on the same server alongside other websites like example.com, blog.example.com or www.example.com.
For this use case it would be better to disable the bundled nginx and handle it with my own nginx.
However I ran into the issue that no tutorial covers this comprehensively (with SSL, headers, SELinux, etc.). For example https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server has two Notes I couldn't complete: a) I have no /home/git/ directory, b) I don't know how to determine all those directories.

I'm really looking for some guide from which I can learn to run multiple sites on the same machine, each with HTTPS (ideally just the wildcard certificate) behind a reverse proxy, and integrate GitLab on the same machine.

Also really handy would be to know which parts of the configuration files can be included as snippets and which cannot (although even one large config file would suffice).

My attempts are getting me 502 Bad Gateway because I don't really understand the context of handling several sites.

1 Answer

Hello friend!

I should let you know that this is not going to feel like a trivial task by any means, and what you are looking to do will not be the easiest path to resolution. Much easier would be to run other websites on another server. GitLab is plenty resource intensive to justify not sharing a server with other tasks. With that said, if you want to continue, I can only give you a direction and not a step by step process. I cannot guarantee that updates will not conflict and cause any changes here to fail later.

The config file for the Nginx that is bundled with GitLab on our one-click image, which is serving the GitLab instance over http, is /var/opt/gitlab/nginx/conf/nginx.conf. Changes here may be removed later by gitlab-ctl.

If you run a different instance of the web server to do this task, you can at least reference that nginx.conf file to find the configurations (note the includes as well) that you would want to carry over to your new configurations, so that it would continue to load GitLab as desired.

Kind Regards,
Jarland
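As an added illustration of the setup the question describes and the answer points at (this is not code from the thread, from GitLab's docs, or from the bundled nginx.conf): a POSIX shell script that renders the two pieces the omnibus docs leave to the reader, the gitlab.rb lines that disable the bundled nginx and put Workhorse on a TCP port, and one nginx server block per hostname, all sharing the same wildcard certificate. The hostnames, the certbot-style certificate path under /etc/letsencrypt, the nginx user name and the 127.0.0.1:8181 Workhorse address are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the GitLab docs): render the config
# pieces for running GitLab behind the system nginx on CentOS 7, with every
# hostname served from one wildcard certificate.  All hostnames, paths and
# the Workhorse address below are assumptions for this example.
set -eu

# Assumed location of the wildcard certificate (certbot's default layout).
CERT=/etc/letsencrypt/live/example.com/fullchain.pem
KEY=/etc/letsencrypt/live/example.com/privkey.pem

# /etc/gitlab/gitlab.rb lines: hand the HTTP front end to the system nginx,
# let the "nginx" user read GitLab's sockets and assets, and put Workhorse
# on a TCP port so the proxy needs no Unix socket permissions.
render_gitlab_rb() {
  cat <<'EOF'
external_url 'https://gitlab.example.com'
nginx['enable'] = false
web_server['external_users'] = ['nginx']
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
EOF
}

# Catch-all on port 80: send everything to https on the same hostname.
render_redirect() {
  cat <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
EOF
}

# One TLS server block.  $1 = hostname, $2 = upstream URL (http://host:port).
# The same two ssl_certificate lines serve every *.example.com vhost.
render_vhost() {
  host=$1
  upstream=$2
  cat <<EOF
server {
    listen 443 ssl http2;
    server_name ${host};

    ssl_certificate     ${CERT};
    ssl_certificate_key ${KEY};
    ssl_protocols       TLSv1.2;

    # GitLab pushes and uploads can be large; 0 disables nginx's limit
    # and leaves the cap to GitLab's own settings.
    client_max_body_size 0;

    location / {
        proxy_pass ${upstream};
        proxy_http_version 1.1;
        proxy_read_timeout 300;
        # Mirror the headers the bundled nginx sends, so GitLab sees the
        # client's address and scheme instead of the proxy's.
        proxy_set_header Host              \$http_host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl   on;
    }
}
EOF
}

# Number of server blocks in a rendered config read from stdin.
count_servers() {
  grep -c '^server {'
}
```

Render one file per site into /etc/nginx/conf.d/ (for example `render_vhost gitlab.example.com http://127.0.0.1:8181 > /etc/nginx/conf.d/gitlab.conf`, and the same function with a different upstream for blog.example.com or www.example.com), run `nginx -t`, then `gitlab-ctl reconfigure` after editing gitlab.rb. The `web_server['external_users']` line is what the docs' second Note is about: it adds the listed user to GitLab's web group so the system nginx can read the paths the bundled server would have owned. A 502 from nginx means it could not reach the upstream: confirm Workhorse is listening on the address you passed (`ss -ltn`), and on CentOS with SELinux enforcing, check the audit log before touching the config again.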

  • As you suggested I tried to reference that file from the standard nginx.conf, erased duplicate statements, and the syntax check passed OK. But when I tried systemctl start nginx, journalctl -xe raised a warning about SELinux preventing read access on nginx.conf for nginx. And honestly I don't have much clue how to work with SELinux but don't want to shut it down.
    With that said:

    1. As you suggested I can have GitLab CE on another machine (Raspbian).
    2. However with only one public IP address (x.x.x.x) I need HTTPS access to two different machines, e.g. https://example.com and also https://gitlab.example.com both pointing to x.x.x.x. My router needs at least a port number to differentiate. And on the DigitalOcean Networking dashboard I didn't notice such a capability to append a port number to a chosen domain.
  • I found a solution for how to redirect to the desired location using proxy_pass.
    Now my question is how to determine the quality of the security. Is there some solution which gives me what is missing?
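The SELinux warning in the first comment and the 502 in the question have two usual causes on CentOS 7, and neither needs SELinux turned off: a config file copied in from a home directory keeps the user_home_t label, which the nginx domain (httpd_t) may not read, and the policy boolean that lets httpd_t open outbound TCP connections is off, so proxy_pass to Workhorse is denied. As an added example (not from the thread), a POSIX shell script that reads a label listing and AVC audit lines and names the fix for each. The sample listing and audit lines are constructed for this example, and the port label shown for 8181 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: triage the SELinux denials that keep a
# hand-written nginx reverse proxy from starting or from reaching GitLab.
set -eu

WANT_TYPE=httpd_config_t   # policy default type for files under /etc/nginx

# Input: lines of "<selinux-context> <path>", as produced by
#   find /etc/nginx -printf '%Z %p\n'
# Output: the paths whose type component is not $WANT_TYPE.
find_mislabeled() {
  while read -r ctx path; do
    type=$(printf '%s' "$ctx" | cut -d: -f3)
    [ "$type" = "$WANT_TYPE" ] || printf '%s\n' "$path"
  done
}

# Input: AVC lines from `ausearch -m AVC -c nginx` (also visible in
# journalctl -xe).  Output: one line per denial naming the problem and the
# fix.  restorecon resets files to the policy default; chcon would be lost
# on the next relabel.  The boolean is the supported way to allow nginx to
# connect to a local backend port; it does not need setenforce 0.
classify_avc() {
  while read -r line; do
    case "$line" in
      *'comm="nginx"'*'tclass=tcp_socket'*)
        printf 'network: setsebool -P httpd_can_network_connect on\n' ;;
      *'comm="nginx"'*'tclass=file'*|*'comm="nginx"'*'tclass=dir'*)
        tctx=${line##*tcontext=}
        tctx=${tctx%% *}
        printf 'label (%s): restorecon -Rv /etc/nginx\n' \
          "$(printf '%s' "$tctx" | cut -d: -f3)" ;;
      *)
        printf 'other: run audit2why on this line\n' ;;
    esac
  done
}

# Constructed sample data (not real output from the poster's machine).
SAMPLE_LABELS='system_u:object_r:httpd_config_t:s0 /etc/nginx/nginx.conf
unconfined_u:object_r:user_home_t:s0 /etc/nginx/conf.d/gitlab.conf
system_u:object_r:httpd_config_t:s0 /etc/nginx/mime.types'

SAMPLE_AVC='type=AVC msg=audit(1531234567.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="gitlab.conf" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531234590.456:457): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
```

Run `find /etc/nginx -printf '%Z %p\n' | find_mislabeled` after copying configs around, and `ausearch -m AVC -c nginx | classify_avc` whenever nginx fails to start or returns 502 with "Permission denied" in its error log. Pointing Workhorse at a TCP port, as in the gitlab.rb settings above, keeps the second problem to the one boolean; a Unix socket under /var/opt/gitlab would additionally need the proxy to be allowed into that directory's labels. For the "quality of security" question in the second comment, `sestatus` confirming enforcing mode plus an empty `ausearch -m AVC -ts recent` after a test push is the check that the proxy works without any policy having been loosened beyond that boolean.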
