How to make gitlab-ce in docker container work over https?
There is the following configuration: https://gist.github.com/uberpwner/ce2bfc69bd8c9fe5...
If you disable the parameters responsible for https in it, everything works fine on normal http.
However, when I enable https, I get a connection timeout.
The certificate and key exist (they are generated if deleted) and the path to them is correct.
The necessary ports in the firewall are open.
The container starts up and runs with a healthy status.
Is there a way to make this work?
I'll just give the config, in fact everything is clear in it. If you have additional questions - ask.

.
├── docker-compose.yml
└── volumes
    ├── gitlab
    │   ├── config
    │   │   ├── ...
    │   ├── data
    │   │   ├── ...
    │   └── logs
    │       └── ...
    └── nginx
        ├── conf.d
        │   └── gitlab.domain.com.conf
        ├── dhparam.pem
        ├── logs
        ├── nginx.conf
        └── www

gitlab:
  image: 'gitlab/gitlab-ce:latest'
  restart: always
  hostname: 'gitlab'
  container_name: gitlab
  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url 'http://{{ domain_name }}'
      nginx['enable'] = false
      web_server['external_users'] = ['www-data']
      gitlab_workhorse['listen_network'] = "tcp"
      gitlab_workhorse['listen_addr'] = "0.0.0.0:8181"
      gitlab_rails['trusted_proxies'] = [ '172.17.0.1/16' ]
      gitlab_rails['gitlab_shell_ssh_port'] = 22
      gitlab_rails['time_zone'] = 'Asia/Tomsk'
      gitlab_rails['ldap_enabled'] = true
      gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
        main:
          label: 'LDAP'
          host: '{{ ldap_server }}'
          port: 389
          uid: 'sAMAccountName'
          bind_dn: 'CN={{ cn }},OU={{ ou }},DC={{ dc }},DC=com'
          password: '{{ pass }}'
          encryption: 'plain'
          active_directory: true
          allow_username_or_email_login: false
          lowercase_usernames: false
          block_auto_created_users: false
          base: 'OU={{ ou }},DC={{ dc }},DC=com'
          user_filter: '(&(objectCategory=Person)(sAMAccountName=*))'
      EOS
      gitlab_rails['backup_upload_connection'] = {
        :provider => 'Local',
        :local_root => '/mnt'
      }
      gitlab_rails['backup_upload_remote_directory'] = 'backup'
      gitlab_rails['backup_keep_time'] = 864000
  ports:
    - '22:22'
  volumes:
    - ./volumes/gitlab/config:/etc/gitlab
    - ./volumes/gitlab/logs:/var/log/gitlab
    - ./volumes/gitlab/data:/var/opt/gitlab
    - /mnt/backup:/mnt/backup
nginx:
  container_name: nginx
  image: nginx:1.15.0-alpine
  restart: always
  links:
    - gitlab:gitlab
  ports:
    - 80:80
    - 443:443
  volumes:
    - /etc/letsencrypt/:/etc/letsencrypt
    - ./volumes/nginx/logs:/var/log/nginx
    - ./volumes/nginx/conf.d:/etc/nginx/conf.d
    - ./volumes/nginx/www:/var/www
    - ./volumes/nginx/dhparam.pem:/etc/nginx/dhparam.pem
    - ./volumes/nginx/nginx.conf:/etc/nginx/nginx.conf

{{ xx }} are variables; just replace them with your own values. gitlab_workhorse['listen_addr'] is the address and port that GitLab will listen on; you can leave it as it is. Port 22 is redirected from the system to the gitlab container, so I moved the system SSH daemon to a different port.

upstream gitlab-endpoint {
    server gitlab:8181 fail_timeout=0;
}

server {
    listen 80;
    server_name gitlab.domain.com;

    location /.well-known {
        root /var/www/;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name gitlab.domain.com;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/gitlab.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gitlab.domain.com/privkey.pem;

    location / {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://gitlab-endpoint;
    }

    location /.well-known {
        root /var/www/;
    }
}

[email protected]:/docker# docker-compose ps
Name    Command               State   Ports
--------------------------------------------------------------------------------
gitlab  /assets/wrapper       Up      0.0.0.0:22->22/tcp, 443/tcp, 80/tcp
nginx   nginx -g daemon off;  Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
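
The answer's nginx config appends to X-Forwarded-For, and its GitLab config lists 172.17.0.1/16 in gitlab_rails['trusted_proxies']. The added example below (not part of the answer and not GitLab's own code) shows the general right-to-left client-address resolution that such a trusted-proxy list drives; the nginx container address 172.17.0.3 and the client addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Value from the answer's gitlab_rails['trusted_proxies']. It has host bits
# set (172.17.0.1/16), so strict=False is needed to read it as 172.17.0.0/16.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.1/16", strict=False)]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Pick the client address for logging and rate limiting.

    peer_addr is the TCP peer the backend sees (here: the nginx container).
    X-Forwarded-For is believed only when that peer is a trusted proxy, and
    it is walked right to left, so values the client put in the header
    never win over the entry nginx appended.
    """
    if not is_trusted(peer_addr, trusted):
        return peer_addr  # direct connection: ignore the header entirely
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        if not is_trusted(hop, trusted):
            return hop
    return peer_addr  # header empty or made only of trusted proxies


# Constructed sample requests: (TCP peer, X-Forwarded-For header value).
SAMPLES = [
    ("172.17.0.3", "203.0.113.7"),            # normal request through nginx
    ("172.17.0.3", "10.9.9.9, 203.0.113.7"),  # client supplied its own entry
    ("198.51.100.20", "127.0.0.1"),           # peer is not a trusted proxy
    ("172.17.0.3", ""),                       # header missing
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<14} xff={xff!r:<26} -> {client_ip(peer, xff)}")
```

Because the whole 172.17.0.0/16 range is trusted, the header is believed from any container on that bridge that can reach port 8181; listing only the nginx container's address narrows that.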