Before you start
First you need to make sure that:
– Your LAMP is up and running
– You have a working DNS for the domain you want to use for gitlab
– You have certbot already installed
Part I – gitlab
Prepare the system for the gitlab install
apt-get update && apt-get upgrade
Install the dependencies. When the postfix prompt appears, choose “Internet Site” and press Enter.
apt-get install -y curl openssh-server ca-certificates postfix
Add the gitlab repositories
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
Now define the desired URL and install
EXTERNAL_URL="https://git.example.com" apt-get install gitlab-ee
Now stop gitlab so we can disable its bundled nginx, and restart apache.
gitlab-ctl stop && service apache2 restart
Let’s edit the config
vim /etc/gitlab/gitlab.rb
Make sure that your external_url is right. Then disable the bundled nginx and make sure gitlab-workhorse listens on a TCP address that apache can proxy to.
external_url 'https://git.example.com'
...
web_server['external_users'] = ['www-data']
...
nginx['enable'] = false
...
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
...
letsencrypt['contact_emails'] = ['email@example.com']
Then reconfigure and restart:
gitlab-ctl reconfigure && gitlab-ctl restart
Part II – apache
Now to apache. Let’s create the vhost. Type vim /etc/apache2/sites-available/git.example.com.conf and add your vhost. This is the one I used, adapted from gitlab recipes (https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache24.conf)
<VirtualHost *:80>
  ServerName git.example.com
  ServerSignature Off

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  # ################
  # These are some SSL definitions, that are commented until we run certbot.
  # After that, they can be uncommented.
  # See ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  #
  # ################ uncomment the below after running certbot
  # SSLEngine on
  # SSLProtocol all -SSLv2
  # SSLHonorCipherOrder on
  # SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  # SSLCompression Off
  # ################# uncomment the above after running certbot

  ServerName git.example.com
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://git.example.com/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  # Set up apache error documents: if the back end goes down (i.e. 503 error)
  # then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # It is assumed that the log directory is in /var/log/httpd.
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/apache2/git.example.com_error.log
  CustomLog /var/log/apache2/git.example.com_forwarded.log common_forwarded
  CustomLog /var/log/apache2/git.example.com_access.log combined env=!dontlog
  CustomLog /var/log/apache2/git.example.com.log combined
</VirtualHost>
Enable the apache modules, if you haven’t already.
a2enmod rewrite ssl proxy proxy_http headers
Enable the vhost.
a2ensite git.example.com
Now restart apache.
service apache2 restart
Run certbot to get a certificate. It should update your vhost.
certbot
And a final optional (but recommended) step: type vim /etc/apache2/sites-available/git.example.com.conf and uncomment the SSL features in the vhost, now that letsencrypt has finished updating it. Restart apache once again.
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
All done. Visit https://git.example.com, generate your root password, then login.
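As an added post-install check (not part of the original post), the script below verifies that the gitlab.rb and vhost settings this guide depends on are actually active: a directive that is still commented out, such as SSLEngine before the final step, counts as missing. The file paths are assumed from the guide, and the fragments used in the dry run are constructed samples rather than real files.

```shell
#!/bin/sh
# Added post-install check for this guide's setup; not part of the original post.
# It verifies that the settings the guide relies on are live (not commented out)
# in gitlab.rb and in the Apache vhost. Assumed paths are the guide's own.
# Match a directive only when it is active, i.e. not behind a leading '#'.
live() { grep -Eq "^[[:space:]]*$1" "$2"; }
# gitlab.rb: bundled nginx off, workhorse on loopback TCP, www-data allowed in.
check_gitlab_rb() {
  live "nginx\['enable'\][[:space:]]*=[[:space:]]*false" "$1" ||
    { echo "nginx['enable'] is not false" >&2; return 1; }
  live "gitlab_workhorse\['listen_network'\][[:space:]]*=[[:space:]]*\"tcp\"" "$1" ||
    { echo "workhorse listen_network is not tcp" >&2; return 1; }
  live "gitlab_workhorse\['listen_addr'\][[:space:]]*=[[:space:]]*\"127\.0\.0\.1:8181\"" "$1" ||
    { echo "workhorse is not bound to 127.0.0.1:8181" >&2; return 1; }
  live "web_server\['external_users'\].*'www-data'" "$1" ||
    { echo "www-data is missing from external_users" >&2; return 1; }
}

# vhost: HTTP->HTTPS redirect, encoded slashes kept, forwarded headers set,
# proxy rule to workhorse, and the SSL block actually uncommented after certbot.
check_vhost() {
  for d in "RewriteCond[[:space:]]+%\{HTTPS\}[[:space:]]+!=on" \
           "AllowEncodedSlashes[[:space:]]+NoDecode" \
           "RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Ssl[[:space:]]+on" \
           "RewriteRule[[:space:]]+\.\*[[:space:]]+http://127\.0\.0\.1:8181" \
           "SSLEngine[[:space:]]+on" \
           "Header[[:space:]]+add[[:space:]]+Strict-Transport-Security"; do
    live "$d" "$1" || { echo "vhost lacks an active directive: $d" >&2; return 1; }
  done
}
# Dry run on constructed fragments (sample input, not real files): the vhost one
# still has SSLEngine commented out, as it is before certbot runs.
rb=$(mktemp); vh=$(mktemp)
cat > "$rb" <<'EOF'
web_server['external_users'] = ['www-data']
nginx['enable'] = false
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
EOF
cat > "$vh" <<'EOF'
RewriteCond %{HTTPS} !=on
# SSLEngine on
AllowEncodedSlashes NoDecode
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X-Forwarded-Ssl on
EOF
check_gitlab_rb "$rb" && echo "gitlab.rb: ok"
check_vhost "$vh" || echo "vhost: not ready yet"
rm -f "$rb" "$vh"
```

On the real host, call check_gitlab_rb /etc/gitlab/gitlab.rb and check_vhost /etc/apache2/sites-available/git.example.com.conf after the final restart; both should return 0.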