Gitlab behind Nginx and HTTPS -> insecure or bad gateway

I'm running Gitlab behind my Nginx.

Server 1 (reverse proxy): Nginx with HTTPS enabled and the following config for /git:

location ^~ /git/ {
    proxy_pass                          http://134.103.176.101:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Ssl on;
}

If I don't change anything in my GitLab settings this will work, but it is not secure because of external HTTP requests like:

'http://www.gravatar.com/avatar/c1ca2b6e2cd20fda9d215fe429335e0e?s=120&d=identicon'. This content should also be served over HTTPS.

So if I change the GitLab config on hidden server 2 (HTTP GitLab):

external_url 'https://myurl'
nginx['listen_https'] = false

as said in the docs, I will get a bad gateway error 502 with no page loaded.

What can I do?


EDIT: Hacked it by setting:

gitlab_rails['gravatar_plain_url'] = 'https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'

to https... This works but is not a clean solution. (The clone URL is still http://)

asked Feb 22 '16 17:02

Cracker0dks


1 Answer

I run a similar setup and I ran into this problem as well. According to the docs:

By default, when you specify an external_url starting with 'https', Nginx will no longer listen for unencrypted HTTP traffic on port 80.

I see that you are forwarding your traffic over HTTP and port 80, but telling GitLab to use an HTTPS external URL. In this case, you need to set the listening port.

nginx['listen_port'] = 80   # or whatever port you're using.

Also, remember to reload the gitlab configuration after making changes to gitlab.rb. You do that with this command:

sudo gitlab-ctl reconfigure

For reference, here is how I do the redirect:

Nginx config on the reverse proxy server:

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;

    proxy_pass http://SERVER_2_IP:8888;
}

The GitLab config file, gitlab.rb, on the GitLab server:

external_url 'https://gitlab.domain.com'
nginx['listen_addresses'] = ['SERVER_2_IP']
nginx['listen_port'] = 8888
nginx['listen_https'] = false

answered Nov 15 '22 03:11

BrokenBinary
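
An added example, not code from the answer or from GitLab: a Ruby check that compares the port and scheme the reverse proxy dials in proxy_pass with where the bundled Nginx will listen according to gitlab.rb. It assumes that, when nginx['listen_port'] is unset, the listen port follows external_url (443 for https), which is the mismatch behind the 502 in the question; parse_gitlab_rb and check_backend are hypothetical names and 192.0.2.10 is a constructed address.

```ruby
require 'uri'

# Constructed sample inputs mirroring the question (broken) and the answer (working).
QUESTION_RB = <<~RB
  external_url 'https://myurl'
  nginx['listen_https'] = false
RB
ANSWER_RB = <<~RB
  external_url 'https://gitlab.domain.com'
  nginx['listen_addresses'] = ['SERVER_2_IP']
  nginx['listen_port'] = 8888
  nginx['listen_https'] = false
RB

# Extract the three settings that decide where the bundled Nginx listens.
def parse_gitlab_rb(text)
  live = text.lines.reject { |l| l.strip.start_with?('#') }.join
  {
    external_url: live[/^\s*external_url\s+['"]([^'"]+)['"]/, 1],
    listen_port:  live[/^\s*nginx\['listen_port'\]\s*=\s*(\d+)/, 1]&.to_i,
    listen_https: live[/^\s*nginx\['listen_https'\]\s*=\s*(true|false)/, 1]
  }
end

# Compare what the proxy dials (proxy_pass) with what GitLab's Nginx will accept.
def check_backend(gitlab_rb, proxy_pass)
  cfg = parse_gitlab_rb(gitlab_rb)
  return ['external_url is not set'] unless cfg[:external_url]
  ext = URI.parse(cfg[:external_url])
  up  = URI.parse(proxy_pass)
  # Assumption: without an explicit listen_port, the port follows external_url.
  port = cfg[:listen_port] || ext.port
  # Assumption: backend TLS follows the external_url scheme unless listen_https overrides it.
  tls = cfg[:listen_https] ? cfg[:listen_https] == 'true' : ext.scheme == 'https'
  problems = []
  problems << "proxy dials port #{up.port}, backend listens on #{port}" if up.port != port
  if (up.scheme == 'https') != tls
    problems << "proxy speaks #{up.scheme}, backend expects #{tls ? 'https' : 'http'}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts check_backend(QUESTION_RB, 'http://134.103.176.101:80')
end
```

An empty result means the proxy_pass target and gitlab.rb agree; run it against the real files before `sudo gitlab-ctl reconfigure`.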