Configuring SSL and Gitlab through an Apache Reverse Proxy
18 Jul 2014I’ve recently started to use Gitlab as an alternative to a Github paid account for projects I don’t wish to make public. I wanted to install Gitlab on a server which is used for a few other applications which all use Apache, while Gitlab is really easy to install it installs nginx by default and expects to run on port 80. Normally in this situation I would configure Nginx to point to a non standard port, proxy through apache on the same server and terminate the SSL at apache, however there are some quirks in Gitlab which make this difficult; in this post I’ll describe how to proxy Gitlab through apache using SSL.
The Problem
While Gitlab can be manually installed to work with apache this makes upgrades / changes difficult, it comes with a very nice Chef based installer but it assumes it’s the only thing installed, if a simple HTTPS proxy is configured (terminating the SLL at Apache) then Gitlab will still mix in some non SSL URLs as it thinks it’s still using an unencrypted connection, while not a huge risk this is untidy and annoyed me.
The Solution
The solution is to configure Gitlab to use SSL too and enable an SSL proxy in Apache, this involves defining options in two files:
gitlab.rb
external_url 'https://<url>:4443'
nginx['ssl_certificate'] = "/etc/ssl/localcerts/<certname>.crt"
nginx['ssl_certificate_key'] = "/etc/ssl/localcerts/<keyname>.key"*After which don’t forget to run
sudo gitlab-ctl reconfigure to push the changes into the nginx config*
Apache vhost
<VirtualHost <ip>:443>
ServerName <server url>
SSLEngine on
SSLCertificateFile /etc/ssl/localcerts/<certname>.crt
SSLCertificateKeyFile /etc/ssl/localcerts/<keyname>.key
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
ProxyRequests Off
ProxyPass / https://<url>:4443/
ProxyPassReverse / https://<url>/
Header edit Location ^http://<url>/ https://<url>/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>