Installing GitLab on Your Own Server (Part 2) – Configure NGINX Reverse Proxy

After installing GitLab, the next step is to configure NGINX as a reverse proxy in front of it.

I add a reverse proxy because NGINX already serves other applications on this host, and I want to front all of my services with a single web server.

This setup also lets me serve GitLab over HTTP/2.

To run GitLab behind an external reverse proxy, I have to disable the NGINX bundled with GitLab. This is done by setting nginx['enable'] to false in /etc/gitlab/gitlab.rb:

nginx['enable'] = false

The external NGINX runs as its own user (www-data on Debian and Ubuntu) and must be able to open the GitLab Workhorse socket, so that user also has to be listed in web_server['external_users'] in the same file (for example web_server['external_users'] = ['www-data']); otherwise NGINX answers every request with a 502. Both settings take effect after gitlab-ctl reconfigure.

Now the external NGINX can be configured to act as a reverse proxy for the GitLab installation. Check first that the Workhorse socket path in the upstream block matches what your GitLab version actually creates (ls -l /var/opt/gitlab/gitlab-workhorse/). This is my configuration file:

upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.example.net;
    server_tokens off;

    # "ssl on;" is deprecated and not needed: "listen ... ssl" already enables TLS
    ssl_certificate /etc/ssl/cert/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/cert/example.dhparam;
    ssl_prefer_server_ciphers on;

    # 1 week HSTS
    add_header Strict-Transport-Security "max-age=604800; includeSubDomains";
    add_header X-Robots-Tag noarchive;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    location / {
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://gitlab-workhorse;
    }

}
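The configuration above listens only on port 443, so a plain-HTTP request to git.example.net is answered by whatever server block NGINX treats as its default, and a browser that has never seen the HSTS header gets no upgrade at all. The following server block, an added example that is not part of the original configuration, closes that gap by redirecting every HTTP request to HTTPS. It assumes the same hostname, git.example.net, and goes into the same file:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name git.example.net;
    server_tokens off;

    # Redirect everything to HTTPS while keeping the request URI, so
    # clone URLs written with http:// still end up at the right place.
    # The hostname is hard-coded instead of using $host so that a
    # request with a forged Host header cannot turn this block into an
    # open redirect to a site of the attacker's choosing.
    return 301 https://git.example.net$request_uri;
}
```

A redirect does not replace HSTS: it only covers the very first request, and a network attacker who can answer that request instead of the server is not stopped by it. That is why the HTTPS server block above keeps sending the Strict-Transport-Security header. After adding the block, run nginx -t and reload NGINX.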

Change the hostname in line 8 (server_name) to your own.

Next, change lines 12, 13 and 18 to point to your own certificate (required), private key (required) and DH parameters (optional; they are only used by the DHE cipher suite). The private key should be readable only by root, since the NGINX master process reads it before the workers drop privileges.

Line 16 defines the TLS cipher suites the server offers. openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384' shows which suites your OpenSSL build resolves the string to (see the NGINX documentation for ssl_ciphers); if the result is empty, no client will be able to connect. Note that both suites above require an RSA certificate; an ECDSA certificate needs ECDHE-ECDSA suites instead.

Last, adjust the HSTS header in line 22 to your own policy. Browsers cache it for max-age seconds, so keep a short value like the one week above while testing and raise it once the setup is stable. includeSubDomains extends the policy to every subdomain of git.example.net, so leave it out if any of them must stay reachable over plain HTTP. NGINX only adds the header to 2xx and 3xx responses unless the always parameter is given, which you should add if error pages are to carry it as well.

NGINX now acts as reverse proxy and TLS termination proxy for GitLab. Before relying on it, check the configuration with nginx -t, reload NGINX, and confirm with curl -sI --http2 https://git.example.net/ that the response comes back over HTTP/2, carries the Strict-Transport-Security header and reveals no NGINX version in the Server header.

Next I will set up the CI/CD part of GitLab.
