
I have one public static IP address and several applications running on port 80 and 443 on their own virtual machines.

One of them is GitLab.

As I can't forward ports 80/443 to just one of them, I have:

  1. An Ubuntu machine receiving all 80/443 requests.
  2. nginx is installed on it and configured as a proxy server based on the Host header, so for instance scm.mydomain.com is configured to proxy_pass to 192.168.50.200, which is the GitLab machine.

So far everything is working as expected.

My challenge is how to enable https support for GitLab. I know when I edit the external_url to https://.... GitLab takes care of the rest, but that's where the problem starts, because now I have to forward port 443 in my proxy server, not 80, and without a valid certificate that's not possible, and a valid certificate for scm.mydomain.com is already installed on the GitLab machine.

Is there a solution?

Here's my nginx config for port 80 which is working:

server {
    listen 80;
    server_name scm.mydomain.com;

    location / {
        include proxy_params;
        proxy_pass http://192.168.50.200;
    }
}
Omid Shojaee
  • A valid certificate can be installed on multiple machines as long as you need that. Export it from the GitLab machine and configure on nginx side. – Lex Li Oct 03 '22 at 23:32

1 Answer


and without a valid certificate that's not possible

Yes it is. Just set proxy_ssl_verify to false.

server {
    listen 80;
    server_name scm.mydomain.com;

    location / {
        include proxy_params;
        proxy_pass http://192.168.50.200;
    }
}

server {
    listen 443 ssl http2;
    server_name scm.mydomain.com;

    # certificate the proxy presents to clients (certbot's live/ layout)
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    include snippets/ssldefaults.conf;
    location / {
        include snippets/proxydefaults.conf;
        # skip validation of the certificate GitLab presents to the proxy
        proxy_ssl_verify off;
        proxy_pass https://192.168.50.200/;
    }
}
symcbean
  • What's the point of having an SSL certificate if you're not going to verify it? Normally when proxying, we terminate SSL at the proxy, and address gitlab with HTTP -- so `proxy_pass http://192.168.50.200/`, and in the Gitlab config force HTTP only. – Auspex Feb 08 '23 at 15:10
  • It's quite a common deployment pattern. Even if the physical network is trusted, doing so avoids having to reconfigure the origin server (assuming that is even possible). And "trusting" an unencrypted network is rarely a good idea but provisioning/maintaining a valid certificate is an unnecessary overhead. If there's no cost to using TLS it makes more sense to do so. – symcbean Feb 08 '23 at 21:50
  • I just configured the way @Auspex suggests. It works :-) Only takes to disable HTTPS on GitLab by setting `nginx['listen_port'] = 80` and `nginx['listen_https'] = false`. As per [docs](https://docs.gitlab.com/omnibus/settings/ssl/index.html#configure-a-reverse-proxy-or-load-balancer-ssl-termination). Then you can `proxy_pass` to HTTP port normally. – teejay Jun 06 '23 at 23:16
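A complete proxy-side configuration for the setup the comments converge on (TLS terminated on the nginx machine, plain HTTP to GitLab), written as an added example; it is not part of the question or the answer and is not GitLab's or nginx's own documentation. It assumes the proxy's certificate for scm.mydomain.com lives under /etc/letsencrypt/live/scm.mydomain.com/ (certbot's default layout), that GitLab is reachable at 192.168.50.200 on port 80, and that Ubuntu's CA bundle is at /etc/ssl/certs/ca-certificates.crt. A second, commented-out location shows how to keep HTTPS to GitLab while still verifying its certificate, as an alternative to `proxy_ssl_verify off`.

```nginx
# Added example; paths and the upstream address are assumptions, see the lead-in.

# Port 80: only answer ACME challenges here (if certbot runs on this machine)
# and send everything else to HTTPS.
server {
    listen 80;
    server_name scm.mydomain.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS is terminated on the proxy.
server {
    listen 443 ssl http2;
    server_name scm.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/scm.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/scm.mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Variant A: GitLab listens on plain HTTP (nginx['listen_https'] = false,
    # nginx['listen_port'] = 80 in gitlab.rb). X-Forwarded-Proto tells GitLab
    # the client arrived over HTTPS so it keeps generating https:// links.
    location / {
        proxy_pass http://192.168.50.200;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl   on;
        # git pushes and artifact uploads exceed nginx's default 1m body limit
        client_max_body_size 0;
        proxy_read_timeout   300;
    }

    # Variant B: keep HTTPS between proxy and GitLab, but verify GitLab's
    # certificate (it is a publicly valid one for scm.mydomain.com, so the
    # system CA bundle suffices) instead of turning verification off.
    # Uncomment this block and remove Variant A to use it.
    # location / {
    #     proxy_pass https://192.168.50.200;
    #     proxy_ssl_verify              on;
    #     proxy_ssl_verify_depth        2;
    #     proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    #     proxy_ssl_server_name         on;                 # send SNI upstream
    #     proxy_ssl_name                scm.mydomain.com;   # name checked against the cert
    #     proxy_set_header Host              $host;
    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     client_max_body_size 0;
    # }
}
```

For Variant A the GitLab side needs `external_url 'https://scm.mydomain.com'` together with the two lines from the comment above (`nginx['listen_port'] = 80`, `nginx['listen_https'] = false`) in /etc/gitlab/gitlab.rb, followed by `gitlab-ctl reconfigure`; on the proxy, run `nginx -t` before `systemctl reload nginx`. Variant B costs one more TLS handshake per connection but means a host that manages to answer for 192.168.50.200 on the internal network cannot silently impersonate GitLab to the proxy, which is the check `proxy_ssl_verify off` gives up.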