
Enable SSL on GitLab with Docker on Synology NAS

I have a working installation of GitLab via the official GitLab Package on my Synology NAS (DSM 5.2) in a Docker container.

I would now like to access the web interface via HTTPS instead of just HTTP. I have seen in several posts that it is possible to do with some Docker magic, but did not find any detailed instructions.

Can anyone please explain how to achieve this?

It's a pity that this is not default.

Crami asked Aug 03 '15 15:08


4 Answers

On DSM 6.2.1

I just did the installation of this and some of the answers here helped me, but I still ran into problems. So I thought I would share my findings:

I wanted to use the Let's Encrypt certs I had already generated inside Synology DSM.

  1. Create a task scheduler (user defined script)

    cp /usr/syno/etc/certificate/system/default/privkey.pem  /volume1/docker/gitlab-ce/gitlab/certs/gitlab.key
    cp /usr/syno/etc/certificate/system/default/fullchain.pem /volume1/docker/gitlab-ce/gitlab/certs/gitlab.crt
    

    adjust to your chosen name/folder when installing gitlab (in my case "gitlab-ce")

  2. Create a dhparam.pem file on any machine with OpenSSL

    openssl dhparam -out dhparam.pem 2048
    

    I advise not doing this on a NAS, because it will be slow (you may increase the key complexity to whatever you have the patience to wait for)

  3. Copy the dhparam.pem to your certificates folder location inside gitlab

    /volume1/docker/gitlab-ce/gitlab/certs/
    

    adjust to your chosen name/folder when installing gitlab (in my case "gitlab-ce")

  4. Stop gitlab in Package Center (stops all three docker containers)

  5. On the synology_gitlab container

    5.1 Add the two environment variables

    GITLAB_HTTPS=true  
    SSL_SELF_SIGNED=false
    

    5.2. Change gitlab port binding (container port) from 80 to 443

This approach will automatically, at a set time (your choice in the user-defined script), update your generated SSL certificate if the Synology DSM (or you manually) creates a new one. This is, however, not an instant update, but you can trigger it manually from the task scheduler interface. Still, this approach is fairly carefree for personal NAS solutions.

AnafiFlyer answered Nov 10 '22 19:11
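An added example, not part of AnafiFlyer's answer: a hardened version of the scheduled copy task from step 1. It refuses to install a key and certificate that are not a pair or a certificate that has expired, installs the key with the `chmod 400` mode used in the other answers, and reports whether anything changed. The function names `pair_matches` and `sync_cert` are hypothetical; the file names and paths are the ones from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): validated, permission-safe cert sync.

# True only if KEY is the private key of the first (leaf) certificate in CERT.
pair_matches() {  # usage: pair_matches KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Prints "updated" or "unchanged"; on any error returns 1 and leaves DST_DIR as it was.
sync_cert() {  # usage: sync_cert SRC_DIR DST_DIR
    src=$1; dst=$2
    if ! pair_matches "$src/privkey.pem" "$src/fullchain.pem"; then
        echo "sync_cert: key and certificate missing or not a pair" >&2; return 1
    fi
    # Refuse to install a leaf certificate that has already expired.
    if ! openssl x509 -in "$src/fullchain.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "sync_cert: certificate expired" >&2; return 1
    fi
    # Nothing to do when both installed files are byte-identical to the source.
    if cmp -s "$src/privkey.pem" "$dst/gitlab.key" 2>/dev/null &&
       cmp -s "$src/fullchain.pem" "$dst/gitlab.crt" 2>/dev/null; then
        echo unchanged; return 0
    fi
    # Stage under a restrictive umask, fix modes, then rename into place so the
    # container never sees a half-written or world-readable key.
    if ! (
        umask 077
        rm -f "$dst/.gitlab.key.new" "$dst/.gitlab.crt.new" &&
        cp "$src/privkey.pem" "$dst/.gitlab.key.new" &&
        cp "$src/fullchain.pem" "$dst/.gitlab.crt.new" &&
        chmod 400 "$dst/.gitlab.key.new" &&
        chmod 444 "$dst/.gitlab.crt.new" &&
        mv -f "$dst/.gitlab.key.new" "$dst/gitlab.key" &&
        mv -f "$dst/.gitlab.crt.new" "$dst/gitlab.crt"
    ); then
        rm -f "$dst/.gitlab.key.new" "$dst/.gitlab.crt.new"
        echo "sync_cert: install failed" >&2; return 1
    fi
    echo updated
}

# Scheduled-task usage with the paths from the answer:
#   sync_cert /usr/syno/etc/certificate/system/default /volume1/docker/gitlab-ce/gitlab/certs
if [ "$#" -eq 2 ]; then sync_cert "$1" "$2"; fi
```

The printed `updated`/`unchanged` status lets the scheduled task decide whether any follow-up action is needed after a renewal.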


With DSM6, the changes (except generation of the cert) are now possible using the dsm docker interface:

1) Create a key/cert:

    mkdir /volume1/docker/gitlab/certs
    cd /volume1/docker/gitlab/certs
    openssl genrsa -out gitlab.key 2048
    openssl req -new -key gitlab.key -out gitlab.csr
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    openssl dhparam -out dhparam.pem 2048
    chmod 400 gitlab.key

2) Set up gitlab docker environment:

[image: setting gitlab docker environment vars via DSM gui]

3) Set gitlab docker port bindings:

[image: Set port binding for gitlab]

helt answered Nov 10 '22 18:11


The instructions Crami gave work for me with the package install (sameersbn/gitlab:7.9.3). You must:

  1. Follow the command line instructions from Crami to generate the certificate:

    mkdir /volume1/docker/gitlab/certs
    cd /volume1/docker/gitlab/certs
    openssl genrsa -out gitlab.key 2048
    openssl req -new -key gitlab.key -out gitlab.csr
    openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
    openssl dhparam -out dhparam.pem 2048
    chmod 400 gitlab.key
    
  2. Stop the package in the Package Center
  3. Edit the configuration file at /usr/syno/etc/packages/Docker/synology_gitlab.config. It's a JSON file rather than command line, but it is easy to see what to change/add. You need to add:

    {
       "key" : "GITLAB_HTTPS",
       "value" : "true"
    },
    {
       "key" : "SSL_SELF_SIGNED",
       "value" : "true"
    },
    

    as well as changing the port binding from 80 to 443 in the same file:

    {
       "container_port" : 443,
       "host_port" : 30000,
       "type" : "tcp"
    },
    
  4. Start the package in Package Center

Joe Wirtley answered Nov 10 '22 19:11


You haven't indicated which gitlab image you're using:

  • https://registry.hub.docker.com/search?q=gitlab

The most common container image already has instructions included with details on how to enable SSL:

  • https://registry.hub.docker.com/u/sameersbn/gitlab/

Mark O'Connor answered Nov 10 '22 18:11