Gitlab and Nginx Setup

Setup Gitlab with Nginx and Let’s Encrypt

In this post we will go through the setup of a Gitlab instance on Fedora 26, add some security using Let’s Encrypt certificates, and disable the built-in nginx of Gitlab in favour of our own so we can host some websites alongside the Gitlab instance.

Intro

Having decided on the following infrastructure:

- Gitlab for version control
- Gitlab runners for the build environment
- Buildroot to create the toolchain and images
- Ubuntu for our build machine, which will connect through a Gitlab SSH runner instance (set up using reverse SSH since they are not on the same network)

We start the setup process:

Gitlab

Install the Gitlab dependencies and open the firewall for HTTPS:

sudo yum install -y curl policycoreutils-python openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld

Retrieve and install gitlab

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash

sudo EXTERNAL_URL="https://gitlab.openpixelsystems.org" yum install -y gitlab-ee

Let’s encrypt

sudo dnf install certbot

# Generate Let's Encrypt Certs
# Standalone mode answers the ACME challenge on port 80 itself, so nothing else may be
# listening there while it runs (e.g. stop the bundled nginx first with "sudo gitlab-ctl stop nginx")
sudo certbot certonly --standalone -d gitlab.openpixelsystems.org -d openpixelsystems.org -d www.openpixelsystems.org

Gitlab continued

sudo mkdir -p /etc/gitlab/ssl
cd /etc/gitlab/ssl/
# <domain> is the host part of EXTERNAL_URL; certbot names the live/ directory after the first -d domain
sudo ln -s /etc/letsencrypt/live/<domain>/privkey.pem <domain>.key
sudo ln -s /etc/letsencrypt/live/<domain>/fullchain.pem <domain>.crt

The only thing left is to let Gitlab reconfigure itself and restart the Gitlab instance:

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Now your Gitlab should be pretty much up and running.

Nginx

Since we want to run not only a Gitlab server on our VPS but also some websites, I don’t want Gitlab to be responsible for the web server. So we’re going to set up our own nginx instance and configure multiple domains.
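The intro says the bundled nginx of Gitlab gets disabled, but the post never shows the change to /etc/gitlab/gitlab.rb that does it. The script below is an added example, not code from the original post or from Gitlab: it applies the two documented Omnibus settings for a non-bundled web server (`nginx['enable'] = false` and `web_server['external_users']`, the latter naming the `nginx` system user the Fedora nginx package runs as so it may read the gitlab-workhorse socket that the proxy config later on connects to). The function names and the test-friendly file parameter are my own; the scratch gitlab.rb lines used when exercising it are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: switch Omnibus GitLab to an
# external web server by editing /etc/gitlab/gitlab.rb idempotently.
# The two settings are the documented Omnibus keys for a non-bundled web server;
# 'nginx' is the user the Fedora nginx package runs as.
# The file path is a parameter so the functions can be exercised on a scratch copy.
set -eu

# set_gitlab_rb FILE KEY VALUE
# Rewrite the first (possibly commented-out) assignment of KEY in FILE, drop any
# duplicates, or append the assignment if KEY is not present. KEY is matched
# literally, so Ruby hash keys such as nginx['enable'] need no escaping.
set_gitlab_rb() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indentation and a leading comment marker
            if (index(line, key " ") == 1 || index(line, key "=") == 1) {
                if (!done) { print key " = " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"       # write back through the original file to keep its mode and owner
    rm -f "$tmp"
}

# gitlab_rb_value FILE KEY -> prints the active (uncommented) value of KEY, or nothing
gitlab_rb_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) next
            if (index(line, key " ") == 1 || index(line, key "=") == 1) {
                sub(/^[^=]*=[ \t]*/, "", line)
                print line
                exit
            }
        }
    ' "$1"
}

# disable_bundled_nginx [FILE] -> apply both settings (defaults to the real gitlab.rb)
disable_bundled_nginx() {
    f=${1:-/etc/gitlab/gitlab.rb}
    set_gitlab_rb "$f" "nginx['enable']" "false"
    set_gitlab_rb "$f" "web_server['external_users']" "['nginx']"
}

# Usage: sudo sh disable_bundled_nginx.sh /etc/gitlab/gitlab.rb && sudo gitlab-ctl reconfigure
if [ "${1:-}" ]; then
    disable_bundled_nginx "$1"
fi
```

After the edit a `sudo gitlab-ctl reconfigure` is required; it stops the bundled nginx, frees ports 80 and 443 for the system nginx, and adds the listed external users to the group that owns the workhorse socket.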

Install Nginx:

sudo dnf install nginx

Set up the nginx default website by editing /etc/nginx/nginx.conf.

The first part of the config contains the configuration for HTTP. Currently this only redirects to the HTTPS version of the website, using the “return 301 https://$host$request_uri;” directive:

server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        ## Permanent redirect of every HTTP request to HTTPS. $host is taken from the
        ## client's Host header; on a catch-all server a fixed hostname is the safer choice.
        return 301 https://$host$request_uri;

        ## Everything below is never reached because of the redirect above
        root         /var/www/html/;

        ## Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
}

The second part contains the HTTPS setup. The web server uses the same certificates that we created for the Gitlab instance using Let’s Encrypt:

server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;

        root         /var/www/html;

        ## Setup Let's encrypt certs
        ssl_certificate "/etc/letsencrypt/live/<domain>/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/<domain>/privkey.pem";
        #ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ## PROFILE=SYSTEM follows the Fedora system-wide crypto policy
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
        ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3
        ## where the nginx build supports it) unless legacy clients require the old versions
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ## Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
}

Once this is set up we can restart the nginx server and our web server should be online:

sudo systemctl restart nginx

Our final step is to set up a URL for our Gitlab instance in nginx. We do this by creating a new config in /etc/nginx/conf.d/gitlab.conf:

# GitLab
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# Setup connection to Gitlab using unix sockets
upstream gitlab-workhorse {
        server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

# Redirect http to https
server {
        listen 80;
        server_name gitlab.<domain>.org; ## Replace this with something like gitlab.example.com
        server_tokens off; ## Don't show the nginx version number, a security best practice
        return 301 https://$http_host$request_uri;

        access_log  /var/log/nginx/gitlab_access.log;
        error_log   /var/log/nginx/gitlab_error.log;
}

## HTTPS host
server {
        listen 443 ssl;
        server_name gitlab.openpixelsystems.org; ## Replace this with something like gitlab.example.com
        server_tokens off; ## Don't show the nginx version number, a security best practice
        root /opt/gitlab/embedded/service/gitlab-rails/public;

        ## Strong SSL Security
        ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
        #ssl on; ## deprecated: "listen 443 ssl;" above already enables TLS for this server block
        ssl_certificate /etc/letsencrypt/live/<domain>.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<domain>.org/privkey.pem;

        # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
        # The two DES-CBC3 (3DES) suites in this list exist only for very old clients and are flagged by current scanners
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        ## Individual nginx logs for this GitLab vhost
        access_log  /var/log/nginx/gitlab_access.log;
        error_log   /var/log/nginx/gitlab_error.log;

        location / {
                client_max_body_size 0;
                gzip off;

                ## https://github.com/gitlabhq/gitlabhq/issues/694
                ## Some requests take more than 30 seconds.
                proxy_read_timeout      300;
                proxy_connect_timeout   300;
                proxy_redirect          off;

                proxy_http_version 1.1;

                proxy_set_header    Host                $http_host;
                proxy_set_header    X-Real-IP           $remote_addr;
                proxy_set_header    X-Forwarded-Ssl     on;
                proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto   $scheme;
                proxy_pass http://gitlab-workhorse;
        }
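Both HTTPS server blocks on this page enable TLSv1 and TLSv1.1, and the Gitlab vhost additionally keeps two 3DES suites and the deprecated `ssl on;` directive. That was acceptable in 2017 but any current TLS scanner will report it, so it is worth having a check that runs before `systemctl restart nginx`. The script below is an added example, not part of the original post: it lints nginx config files for exactly those settings and embeds a constructed sample containing the TLS lines from this page next to a constructed hardened variant (TLSv1.2/1.3 only, ciphers from the Fedora system policy) so the two can be compared. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: lint nginx server blocks for TLS
# settings that were common in 2017 but are deprecated today. It reports
#   - "ssl on;"            (deprecated; "listen 443 ssl;" already enables TLS)
#   - SSLv2/SSLv3/TLSv1/TLSv1.1 in ssl_protocols (deprecated by RFC 8996)
#   - 3DES, RC4, MD5, NULL and EXPORT cipher suites that are enabled, not excluded
# "PROFILE=SYSTEM" is left alone; it defers to the Fedora crypto policy.
set -eu

# audit_tls_conf FILE -> one "file:line: message" per finding (nothing when clean)
audit_tls_conf() {
    awk '
        function finding(msg) { print FILENAME ":" FNR ": " msg }
        {
            line = $0
            sub(/#.*/, "", line)                   # drop comments
            sub(/^[ \t]+/, "", line)               # drop indentation
            nf = split(line, f, /[ \t;"]+/)        # f[1] = directive, f[2..] = arguments
        }
        f[1] == "ssl" && f[2] == "on" {
            finding("\"ssl on;\" is deprecated, use \"listen 443 ssl;\" instead")
        }
        f[1] == "ssl_protocols" {
            for (i = 2; i <= nf; i++)
                if (f[i] == "SSLv2" || f[i] == "SSLv3" || f[i] == "TLSv1" || f[i] == "TLSv1.1")
                    finding("deprecated protocol enabled: " f[i])
        }
        f[1] == "ssl_ciphers" {
            nc = split(f[2], c, ":")               # OpenSSL cipher list; "!" entries are exclusions
            for (i = 1; i <= nc; i++)
                if (c[i] !~ /^!/ && c[i] ~ /DES-CBC3|RC4|MD5|NULL|EXPORT/)
                    finding("weak cipher suite enabled: " c[i])
        }
    ' "$1"
}

# count_tls_findings FILE -> number of findings
count_tls_findings() {
    audit_tls_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the TLS lines of the two HTTPS server blocks on this page.
write_page_sample() {
    cat > "$1" <<'EOF'
server {
    listen       443 ssl http2 default_server;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    ssl on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!MD5:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Constructed hardened variant: only current protocols, ciphers from the system policy.
write_hardened_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Usage: sh tls_audit.sh /etc/nginx/nginx.conf /etc/nginx/conf.d/gitlab.conf
# Without arguments the page sample is audited, which yields 7 findings.
if [ $# -gt 0 ]; then
    for conf in "$@"; do audit_tls_conf "$conf"; done
else
    sample=$(mktemp)
    write_page_sample "$sample"
    audit_tls_conf "$sample"
    rm -f "$sample"
fi
```

The linter works line by line and deliberately does not parse nesting, so it cannot tell which server block a finding belongs to beyond the file and line number; that is enough to locate the directive in the configs above. Run it together with `nginx -t`, which catches syntax errors but says nothing about protocol or cipher choices.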