Gitlab pages behind a reverse proxy on a second machine
Hello,
I have a working gitlab deployment on machine A.
I’d like to add a gitlab pages deployment, hosted on A, but proxied by B.
These are the three main points:
1. pages, hosted on machine A, is reverse proxied by machine B
2. machine B has an nginx reverse proxy that applies the wildcard ssl certificate.
3. authentication for pages is enabled
ISSUE: I have a working setup with points 1+2, which however breaks when I enable authentication (3).
ERROR: The procedure breaks when gitlab tries to set the secrets (`gitlab-ctl reconfigure`):

```
* ruby_block[authorize pages with gitlab] action run[2022-12-27T15:22:34+00:00] WARN: Connecting to GitLab to generate new app_id and app_secret for GitLab Pages.
[2022-12-27T15:22:57+00:00] WARN: Something went wrong while executing gitlab-rails runner command to get or create the app ID and secret.
[2022-12-27T15:22:57+00:00] INFO: ruby_block[authorize pages with gitlab] called
```
Technical details:
- both A and B have 2 eth interfaces, one public and one on a private network
- A public eth serves gitlab
- B public eth has wildcard alias for gitlab pages
- A and B can communicate through the private interface (`192.168.32.0/24`, see addresses below)
Relevant `gitlab.rb` configuration on A:

```ruby
pages_external_url "https://pages.XXX"
gitlab_pages['enable'] = true
## from bug https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4890#note_261373269
## WHEN I ENABLE AUTHENTICATION IT BREAKS!
gitlab_rails["pages_enabled"] = false
##! Configure to expose GitLab Pages on external IP address, serving the HTTP
gitlab_pages['external_http'] = ['192.168.32.5:82']
gitlab_pages['propagate_correlation_id'] = false
```
nginx reverse-proxy config on B:

```nginx
server {
    listen 443 ssl ;
    listen [::]:443 ssl ;
    server_name ~.*.pages.<omissis>;
    location / {
        proxy_pass http://192.168.32.5:82;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
    ssl_certificate /XXX;
    ssl_certificate_key /XXX;
    ssl_password_file /XXX;
}
```
Any help appreciated.