Installing GitLab on Debian 9 with SSL and custom apache vhost

Before you start

First you need to make sure that:
– Your LAMP is up and running
– You have a working DNS for the domain you want to use for gitlab
– You have certbot already installed

Part I – gitlab

Prepare the system for the gitlab install

apt-get update && apt-get upgrade

Install the dependencies. When the postfix configuration dialog appears, choose “Internet Site” and press enter.

apt-get install -y curl openssh-server ca-certificates postfix

Add the gitlab repositories

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

Now define the desired URL and install

EXTERNAL_URL="https://git.example.com" apt-get install gitlab-ee

Now stop gitlab, so that its bundled nginx releases ports 80 and 443 (we will disable it in the next step), and restart apache.

gitlab-ctl stop && service apache2 restart

Let’s edit the config

vim /etc/gitlab/gitlab.rb

Make sure that your external_url is right. Then disable the bundled nginx, add www-data as an external user so that apache may talk to gitlab-workhorse, and make the workhorse listen on a local TCP port instead of a unix socket:

external_url 'https://git.example.com'
...
web_server['external_users'] = ['www-data']
...
nginx['enable'] = false
...
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
...
letsencrypt['contact_emails'] = ['email@example.com']

Then apply the configuration:

gitlab-ctl reconfigure && gitlab-ctl restart

Part II – apache

Now to apache. Let’s create the vhost. Type vim /etc/apache2/sites-available/git.example.com.conf and add your vhost. This is the one I used, adapted from the gitlab recipes (https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache24.conf).

<VirtualHost *:80>
  ServerName git.example.com
  ServerSignature Off

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  # ################ 
  # These are some SSL definitions, that are commented until we run certbot.
  # After that, they can be uncommented.
  # See ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  #
  # ################ uncomment the below after running certbot
  # SSLEngine on
  # SSLv3 is as broken as SSLv2; disable both
  # SSLProtocol all -SSLv2 -SSLv3
  # SSLHonorCipherOrder on
  # SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # Header takes "name value" (no colon after the name); "always" also sends HSTS on error responses
  # Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  # SSLCompression Off
  # ################# uncomment the above after running certbot

  ServerName git.example.com
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    #Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://git.example.com/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  #Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments and for the error documents below.
  # This is the public directory of the omnibus package installed in Part I;
  # a source install uses /home/git/gitlab/public instead.
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  #Set up apache error documents: if the back end goes down (e.g. a 503 error) a maintenance/deploy page is served instead.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # Debian keeps the apache logs in /var/log/apache2 (other distributions use /var/log/httpd).
  # common_forwarded logs the X-Forwarded-For header. Note that this is only
  # meaningful if another proxy sits in front of this apache; otherwise the
  # value is supplied by the client and should not be trusted.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/apache2/git.example.com_error.log
  CustomLog /var/log/apache2/git.example.com_forwarded.log common_forwarded
  CustomLog /var/log/apache2/git.example.com_access.log combined
</VirtualHost>

Enable the apache modules, if you haven’t already.

a2enmod rewrite ssl proxy proxy_http headers

Enable the vhost.

a2ensite git.example.com

Now restart apache.

service apache2 restart

Run certbot to get a certificate. It will add the certificate and key paths to your vhost.

certbot

And a final optional (but recommended) step: type vim /etc/apache2/sites-available/git.example.com.conf and uncomment the SSL settings in the vhost, now that letsencrypt has finished updating it. Then restart apache once again.

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
SSLCompression Off

All done. Visit https://git.example.com, set your root password, then log in.
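As an added example (not part of the original post), here is a small POSIX sh script that checks the gitlab.rb settings from Part I and the response headers the vhost from Part II should produce. The gitlab.rb values and the HSTS header are the ones used above; the header checks assume you saved the output of curl -sI for the http and https URL to a file.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the
# gitlab.rb settings above and for the headers the Apache vhost should
# send. Header checks take a file holding the output of `curl -sI <url>`.

# Return 0 when gitlab.rb carries every setting the Apache proxy relies
# on; each missing setting is reported on stderr.
check_gitlab_rb() {
  rb="$1"; rc=0
  for item in \
    "^external_url 'https://|external_url is not https" \
    "^nginx\['enable'\] = false|bundled nginx is not disabled" \
    "^web_server\['external_users'\] = \['www-data'\]|www-data is not an external user" \
    "^gitlab_workhorse\['listen_network'\] = \"tcp\"|workhorse does not listen on tcp" \
    "^gitlab_workhorse\['listen_addr'\] = \"127\.0\.0\.1:8181\"|workhorse is not bound to 127.0.0.1:8181"
  do
    # the part before '|' is the grep -E pattern, the part after is the message
    if ! grep -Eq "${item%%|*}" "$rb"; then
      echo "gitlab.rb: ${item#*|}" >&2; rc=1
    fi
  done
  return $rc
}

# Port 80 must answer with a redirect to https://<host>/ (the RewriteRule
# in the *:80 vhost). $1 = header dump, $2 = expected host name.
check_redirect_headers() {
  status=$(tr -d '\r' < "$1" | head -n 1 | awk '{print $2}')
  location=$(tr -d '\r' < "$1" | awk 'tolower($1) == "location:" {print $2}')
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in "https://$2/"*) return 0 ;; *) return 1 ;; esac
}

# Port 443 must send HSTS once the SSL block is uncommented. Return 1 if
# it is missing, 2 if the Server header still reveals the Apache version
# (ServerSignature Off only hides the footer of error pages; ServerTokens
# controls the Server header).
check_tls_headers() {
  hdr=$(tr -d '\r' < "$1")
  if ! echo "$hdr" | grep -iq '^strict-transport-security: *max-age=[0-9]'; then
    return 1
  fi
  if echo "$hdr" | grep -iq '^server: *apache/[0-9]'; then
    return 2
  fi
  return 0
}
```

Run it on the live host with, for example, curl -sI http://git.example.com/ > h80 && check_redirect_headers h80 git.example.com after sourcing the script.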
