In my recent work there was a problem: how to provide an HTTPS GitLab behind a reverse proxy?

The environment is

It was hard for me since I am a noob at server settings XD. After a long discussion and testing with Terry Chu, there are two possible solutions to give that GitLab HTTPS.

Solution 1

client --- (https, let's encrypt) ---- Caddy ---- (http) ------------------- gitlab

Solution 2

client --- (https, let's encrypt) ---- Caddy ---- (https, self-signed) ---- gitlab

If the GitLab HTTPS site is only accessed through a browser, solution 1 is enough. But it is not a proper solution when the GitLab is a Go module/repo server (e.g. go get -u gitlab.example.com/xxx/xxx). If you have that need, you have to use solution 2.

See the gist (https://gist.github.com/yen3/097a2a1fdcefe2833473ccfed6445675) for more details.

Memo - Create self-signed key

  • Ref: https://github.com/sameersbn/docker-gitlab#ssl
  • Command memo
    # 1. private key for the GitLab (upstream) side of the Caddy -> GitLab hop
    openssl genrsa -out gitlab.key 2048
    # 2. certificate signing request; when prompted, set Common Name to the GitLab hostname
    openssl req -new -key gitlab.key -out gitlab.csr
    # 3. self-sign the request with the same key, valid for 10 years
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    # 4. DH parameters required by the docker-gitlab nginx config
    openssl dhparam -out dhparam.pem 2048
    # 5. place everything where the docker-gitlab image expects it
    mkdir -p ./data/gitlab/certs
    cp gitlab.key gitlab.crt dhparam.pem ./data/gitlab/certs/
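The memo's req/x509 -req pair yields a certificate with only a Common Name; Go's TLS client (since Go 1.15) ignores the CN and requires a subjectAltName, so the go get case from solution 2 needs the SAN. The script below is an added example, not from the original post or the gist: it generates the self-signed pair with a SAN in one step and adds two checks a practitioner wants before copying files into ./data/gitlab/certs (key and cert belong together; the SAN names the host). GITLAB_HOST, CERT_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed cert for the
# Caddy -> GitLab hop with a SAN, plus consistency checks. Hostname,
# directory and function names are illustrative assumptions.
set -eu

GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"
CERT_DIR="${CERT_DIR:-./data/gitlab/certs}"

# Generate a 2048-bit RSA key and a 10-year self-signed certificate in one
# step. The subjectAltName is what browsers and Go's crypto/tls match the
# hostname against; a CN-only certificate is rejected by modern Go.
# Requires OpenSSL 1.1.1+ for -addext.
make_self_signed() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/gitlab.key" -out "$dir/gitlab.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Succeeds only when the public key embedded in the certificate is the one
# derived from the private key (catches a mismatched key/crt copy).
key_matches_cert() {
    dir="$1"
    k=$(openssl pkey -in "$dir/gitlab.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/gitlab.crt" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when the certificate's SAN list contains the expected host.
san_has_host() {
    host="$1"; dir="$2"
    openssl x509 -in "$dir/gitlab.crt" -noout -text | grep -q "DNS:$host"
}

# Run the generation only when explicitly asked, so sourcing is side-effect free.
if [ "${GENERATE_CERT:-0}" = "1" ]; then
    make_self_signed "$GITLAB_HOST" "$CERT_DIR"
    key_matches_cert "$CERT_DIR" && san_has_host "$GITLAB_HOST" "$CERT_DIR" \
        && echo "ok: $CERT_DIR/gitlab.crt is consistent for $GITLAB_HOST"
fi
```

Run with GENERATE_CERT=1 GITLAB_HOST=your.host sh script.sh; dhparam.pem is still produced as in the memo above.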

Solution 1 - backup

If you are still interested in solution 1, the following settings are my notes.

  • Caddyfile
    https://gitlab.example.com {
        proxy / localhost:10080 {
            fail_timeout 0s
            transparent
            header_upstream X-Forwarded-Ssl on
        }
        tls {
            dns gandiv5
        }
    }
  • Dockerfile - Add NGINX_X_FORWARDED_PROTO=http to GitLab's environment variables.