HowTo: Using Gitlab behind Apache2 + SSL (https)

To use Gitlab behind Apache2 as reverse proxy, just follow this little how-to. In our example we used Debian Jessie, but it should also work with other distributions like Ubuntu. Don’t forget to replace the placeholders with your own values!

Installing Gitlab

First you need to install Gitlab. Just follow the instructions on the official page.

Reconfigure Gitlab

We need to run Gitlab as a local web server on a free port (e.g. 8888). Just add the following lines to /etc/gitlab/gitlab.rb:

external_url 'https://{example.tld}'
nginx['listen_address'] = 'localhost'
nginx['listen_port'] = 8888
nginx['listen_https'] = false

Then rerun the reconfigure script:

gitlab-ctl reconfigure

Configuring Apache2

We need a pre-configured Apache2 installation that supports SSL and listens on port 443 (the default HTTPS port). If you don’t have any clue, just search the web.

Creating site-configuration files

Configuration file for http

First we need to redirect all HTTP requests to HTTPS. Just create the following configuration file: /etc/apache2/sites-available/{example.tld}.conf

<VirtualHost {yourip}:80>
    ServerName {example.tld}
    ServerAdmin {mail@example.tld}

    ErrorLog /var/log/apache2/{example.tld}/error.log

    Redirect 301 / https://{example.tld}/
</VirtualHost>

Now just enable the newly created site:

a2ensite {example.tld}

Configuration file for https

Now the main file, which sets up a reverse proxy to the local Gitlab instance. Create the following file: /etc/apache2/sites-available/{example.tld}_ssl.conf

<VirtualHost {yourip}:443>
    ServerName {example.tld}
    ServerAdmin {mail@example.tld}

    ErrorLog /var/log/apache2/{example.tld}/error.log

    RequestHeader set Host "{example.tld}"
    RequestHeader add X-Forwarded-Ssl on
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPreserveHost On
    ProxyPass / http://localhost:8888/
    ProxyPassReverse / http://localhost:8888/

    SSLEngine On
    SSLCertificateFile /etc/gitlab/ssl/{example.tld}.pem
    SSLCertificateChainFile /etc/gitlab/ssl/{example.tld}.pem
</VirtualHost>

Now just enable the newly created site:

a2ensite {example.tld}_ssl

And also the needed headers module:

a2enmod headers

Adding Certificate

Don’t forget to add your certificate to the defined directory. In this example, add your cert to /etc/gitlab/ssl/{example.tld}.pem. The certificate file should contain the decrypted private key, the public key and the intermediate certificate. If you don’t know how to create a .pem file or get a certificate, just search the web.
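
A quick sanity check for the combined .pem file before reloading Apache, as an added example that is not part of the original how-to. The function name check_pem_bundle is hypothetical, and the permission check is an added assumption: the file holds an unencrypted private key, so group and others should have no access to it.

```shell
#!/bin/sh
# Added example (not from the how-to): check the combined PEM file.
# Usage: sh check_pem.sh /etc/gitlab/ssl/{example.tld}.pem

check_pem_bundle() {   # hypothetical helper name
    pem="$1"
    rc=0
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 2; }

    # Count PEM blocks by their BEGIN markers (grep -c exits 1 on zero hits).
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)

    if [ "$keys" -ne 1 ]; then
        echo "FAIL: expected exactly 1 private key, found $keys"; rc=1
    fi

    # Encrypted keys: PKCS#8 says so in the header, the traditional format
    # carries a "Proc-Type: 4,ENCRYPTED" line. The how-to asks for a
    # decrypted key, so either marker is a failure.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "FAIL: private key is still passphrase-protected"; rc=1
    fi

    # Server certificate plus at least one intermediate.
    if [ "$certs" -lt 2 ]; then
        echo "FAIL: expected server + intermediate certificate, found $certs"; rc=1
    fi

    # Added assumption: no group/other permission bits (e.g. mode 600).
    perms=$(ls -ld "$pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $pem is accessible to group/other ($perms)"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $pem"; fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_pem_bundle "$1"; fi
```

The check only looks at PEM markers and file mode; it does not verify that the key matches the certificate or that the chain is valid.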

Finally we just reload our Apache2 service (service restart is also possible):

service apache2 reload

You can also run Gitlab without SSL support. Because it’s not recommended, I won’t show it here. If you know what you’re doing, it should be very easy for you to configure a reverse proxy without SSL (HTTPS).