6

I have been searching for hours for a solution to GitLab running behind an Apache reverse proxy. To be clear, I can connect to the GitLab instance and I can also do every basic function like pushing, cloning code, and so on.

My problem is that every image I post in an issue always has http://127.0.0.1:8090/.../ as the URL. I tried changing the external_url, but this always resulted in GitLab responding with a 502. Any other settings I changed and tried had either no effect or resulted in 500s or 503s. I decided to ask any of you for a hint.

My current Configuration is: /etc/gitlab/gitlab.rb

 external_url 'http://127.0.0.1:8090'
 gitlab_rails['time_zone'] = 'Europe/Berlin'

 gitlab_rails['smtp_enable'] = true
 gitlab_rails['smtp_address'] = "mail.server.de"
 gitlab_rails['smtp_port'] = 465
 gitlab_rails['smtp_user_name'] = "[email protected]"
 gitlab_rails['smtp_password'] = "password"
 gitlab_rails['smtp_domain'] = "mail.server.de"
 gitlab_rails['smtp_authentication'] = "login"
 gitlab_rails['smtp_enable_starttls_auto'] = false
 gitlab_rails['smtp_tls'] = true
 gitlab_rails['smtp_pool'] = false

 gitlab_rails['smtp_openssl_verify_mode'] = 'none'

 gitlab_rails['gitlab_email_enabled'] = true

 gitlab_rails['gitlab_email_from'] = '[email protected]'
 gitlab_rails['gitlab_email_display_name'] = 'NoReply Server'
 gitlab_rails['gitlab_email_reply_to'] = '[email protected]'

 gitlab_rails['gitlab_default_theme'] = 2

 letsencrypt['enable'] = false

/etc/apache2/sites-available/gitlab.conf

<VirtualHost *:443>
    ServerName gitlab.server.de
    
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://127.0.0.1:8090/ retry=0
    ProxyPassReverse / http://127.0.0.1:8090/
    
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/gitlab.server.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gitlab.server.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Can you guys help me with that? Thanks in advance.

2
  • You definitely need to change your external_url since that's how GitLab works. The reverse proxy only affects how it's accessed. Wrap your ProxyPass inside <Location /> tags and see if that does the trick. Commented Feb 20, 2022 at 1:06
  • external_url should be the hostname/port used to reach the Apache proxy. e.g. https://gitlab.server.de Commented Feb 20, 2022 at 2:31

1 Answer

9

Set your external_url to the URL users use to reach your GitLab server, e.g. gitlab.server.de according to your Apache config.

Additionally, you'll want to fix the proxy headers to deal with the protocol change if you're not using mutual TLS.

Most importantly, you'll need to explicitly configure GitLab's internal nginx to listen on the port you've specified in your proxy/proxypass config and not use https.

So, something like this:

external_url "https://gitlab.server.de"

# set listen port explicitly, required when using non-default port
# and port is not specified in external_url
nginx['listen_port'] = 8090

# disable https listener, since Apache is set up for SSL/TLS termination
nginx['listen_https'] = false


# technically optional, set proxy headers
nginx['proxy_set_headers'] = {
    "X-Forwarded-Proto" => "http",
    "X-Forwarded-Port" => "80"
}

It's also important to note that GitLab itself should be able to reach itself using its external_url. In other words, your Apache server should (1) be resolvable by DNS on the host and (2) be allowed to be reached from GitLab.


3 Comments

Thank you very much. I was literally searching for hours for a solution, but it worked with your help. Thanks again and have a nice day.
It's necessary to change nginx['listen_port'] = 80 even if you use the default port, because otherwise Gitlab will not listen for HTTP traffic if the external URL starts with https.
That one setting did it for me. Thank you sergiuser!
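
As an added example (not part of the answer above, and not GitLab's own tooling), the following Python check compares a gitlab.rb against the Apache vhost for the three settings discussed on this page. The sample inputs are constructed from the configs quoted here, the function names are hypothetical, and it assumes Apache serves the site on its default port.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the configs quoted in the question and answer.
VHOST = """<VirtualHost *:443>
    ServerName gitlab.server.de
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://127.0.0.1:8090/ retry=0
    SSLEngine on
</VirtualHost>"""
ORIGINAL = "external_url 'http://127.0.0.1:8090'\n"
URL_ONLY = 'external_url "https://gitlab.server.de"\n'  # external_url changed alone
FIXED = URL_ONLY + "nginx['listen_port'] = 8090\nnginx['listen_https'] = false\n"

def parse_gitlab_rb(text):
    """Pull out external_url and the nginx listener settings; skip comments."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            continue
        if m := re.match(r"external_url\s+['\"]([^'\"]+)['\"]", line):
            cfg["external_url"] = urlsplit(m.group(1))
        elif m := re.match(r"nginx\['(listen_port|listen_https)'\]\s*=\s*(\w+)", line):
            cfg[m.group(1)] = m.group(2)
    return cfg

def parse_vhost(text):
    """Return (ServerName, backend URL of 'ProxyPass /', TLS terminated here?)."""
    name = re.search(r"^\s*ServerName\s+(\S+)", text, re.M).group(1)
    backend = re.search(r"^\s*ProxyPass\s+/\s+(\S+)", text, re.M).group(1)
    tls = re.search(r"^\s*SSLEngine\s+on\b", text, re.M | re.I) is not None
    return name, urlsplit(backend), tls

def check(gitlab_rb, vhost):
    """List mismatches between gitlab.rb and the proxy in front of it."""
    cfg = parse_gitlab_rb(gitlab_rb)
    name, backend, tls = parse_vhost(vhost)
    ext = cfg["external_url"]
    public = f"{'https' if tls else 'http'}://{name}"
    problems = []
    if f"{ext.scheme}://{ext.netloc}" != public:
        problems.append(f"external_url should be {public}")
    # Without overrides the bundled nginx follows external_url's scheme and port.
    default_port = ext.port or (443 if ext.scheme == "https" else 80)
    port = int(cfg.get("listen_port", default_port))
    if port != (backend.port or 80):
        problems.append(f"nginx['listen_port'] should be {backend.port or 80}")
    if ext.scheme == "https" and backend.scheme == "http" \
            and cfg.get("listen_https") != "false":
        problems.append("nginx['listen_https'] should be false")
    return problems
```

Calling `check(URL_ONLY, VHOST)` reports both listener settings, which is the state in which Apache has nothing answering on 127.0.0.1:8090.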
