Configuring SSL and GitLab through an Apache Reverse Proxy

I’ve recently started to use GitLab as an alternative to a paid GitHub account for projects I don’t wish to make public. I wanted to install GitLab on a server that already hosts a few other applications, all of which use Apache. GitLab is really easy to install, but it installs nginx by default and expects to run on port 80. Normally in this situation I would configure nginx to listen on a non-standard port, proxy through Apache on the same server and terminate the SSL at Apache. However, there are some quirks in GitLab which make this difficult; in this post I’ll describe how to proxy GitLab through Apache using SSL.

The Problem

While GitLab can be manually installed to work with Apache, this makes upgrades and changes difficult. It comes with a very nice Chef-based installer, but that installer assumes GitLab is the only thing installed. If a simple HTTPS proxy is configured (terminating the SSL at Apache), GitLab will still mix in some non-SSL URLs, as it thinks it’s still using an unencrypted connection. While not a huge risk, this is untidy and annoyed me.

The Solution

The solution is to configure GitLab to use SSL too and enable an SSL proxy in Apache. This involves defining options in two files:

gitlab.rb

external_url 'https://<url>:4443'
nginx['ssl_certificate'] = "/etc/ssl/localcerts/<certname>.crt"
nginx['ssl_certificate_key'] = "/etc/ssl/localcerts/<keyname>.key"

*After which, don’t forget to run*

sudo gitlab-ctl reconfigure

*to push the changes into the nginx config.*

Apache vhost

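<VirtualHost <ip>:443>

    ServerName <server url>
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/<certname>.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/<keyname>.key

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Use TLS for the connection from Apache to GitLab's nginx on port 4443
    SSLProxyEngine on
    # Reverse proxy only; do not act as a forward proxy
    ProxyRequests Off
    ProxyPass / https://<url>:4443/
    ProxyPassReverse / https://<url>/

    # Rewrite any remaining plain-HTTP redirects to HTTPS
    Header edit Location ^http://<url>/ https://<url>/
    # Tell the backend that the client connection was HTTPS
    RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>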
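
A way to check for the problem described above (non-SSL URLs still being mixed in behind the proxy), as an added example that is not part of the original post. The function name `find_insecure_refs`, the host `git.example.test` and the sample responses are assumptions constructed for illustration; the check also flags redirects that expose the backend port 4443 from the configuration above.

```python
import re
from urllib.parse import urlsplit

def find_insecure_refs(raw_response, public_host, backend_port=4443):
    """Flag plain-HTTP or backend-port references to public_host in one raw
    HTTP response captured through the proxy. Returns (kind, url) tuples."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "location":
            continue
        url = value.strip()
        target = urlsplit(url)
        if target.hostname != public_host:
            continue                              # redirect to another site
        if target.scheme == "http":
            findings.append(("http-redirect", url))
        elif target.port == backend_port:
            findings.append(("backend-port-redirect", url))
    # Absolute http:// links to the public host left in the page body.
    link = re.compile(r"http://" + re.escape(public_host)
                      + r"(?![\w.-])(?::\d+)?[^\s\"'<>]*")
    findings += [("http-body-url", m) for m in link.findall(body)]
    return findings

# Constructed sample responses (not captured from a real GitLab instance).
HOST = "git.example.test"
MIXED = ("HTTP/1.1 302 Found\r\n"
         "Location: http://git.example.test/users/sign_in\r\n"
         "Content-Type: text/html\r\n\r\n"
         '<a href="http://git.example.test/users/sign_in">redirected</a>'
         '<img src="https://git.example.test/assets/logo.png">')
PORT_LEAK = ("HTTP/1.1 302 Found\r\n"
             "Location: https://git.example.test:4443/dashboard\r\n\r\n")
CLEAN = ("HTTP/1.1 302 Found\r\n"
         "Location: https://git.example.test/dashboard\r\n\r\n"
         '<a href="https://git.example.test/dashboard">redirected</a>')

if __name__ == "__main__":
    for label, resp in (("mixed", MIXED), ("port leak", PORT_LEAK), ("clean", CLEAN)):
        print(label, find_insecure_refs(resp, HOST))
```

Responses saved with `curl -si` through the Apache front end can be passed in as `raw_response`; an empty list means no plain-HTTP or port-4443 references to the public host were found.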