Hey folks, I have one last very difficult config that I am working on as the title suggests. My goal is to offer GitLab-CE as an option for myself and clients to use instead of plain, vanilla git. While I have successfully installed GitLab in Debian 10.5 (Buster) using this tutorial. https://www.howtoforge.com/tutorial/how-to-install-gitlab-on-debian-8/#add-the-gitlab-repository I now have two challenges: Challenge #1.) How do I properly configure ISPConfig as a proxy for GitLab via the GUI as they both require port 8080? Challenge #2.) As GitLab has its own root folder, how can I automatically sync/clone the gitlab / git repositories so that either option is available for users? Regarding Challenge #1.) I have done the following steps a.) Created a new subdomain with its own root folder via the ISPConfig Domains interface, which points to: developer.example.com NOTES: i.) I did not assign a client as this seems to create permissions issues ii.) I enabled ruby iii.) NO SSL for Test Server, (will) Enable SSL for Prod Server b.) Apache Directives: Test Server Code: ProxyPreserveHost On ProxyRequests Off SSLProxyEngine off SSLEngine of SSLHonorCipherOrder off <Location /> RequestHeader unset Accept-Encoding RequestHeader set Host "developer.example.com" RequestHeader add X-Forwarded-Ssl off RequestHeader set X-Forwarded-Proto "http" Order allow,deny Allow from all </Location> Prod Server Code: ProxyPreserveHost On ProxyRequests Off SSLProxyEngine on SSLEngine on SSLHonorCipherOrder on <Location /> RequestHeader unset Accept-Encoding RequestHeader set Host "developer.example.com" RequestHeader add X-Forwarded-Ssl on RequestHeader set X-Forwarded-Proto "https" Order allow,deny Allow from all </Location> Though I couldn't find any documentation in the manual, I went ahead and checked the option: "Enable PROXY Protocol", under Domains -> Options as shown below I am guessing that it is a GUI version the," a2enmod proxy_http " command. c.) I made sure to whitelist the gitlab url and my development IP in modsec d.) I installed the necessary GitLab repositories, installed GitLab itself, & configure GitLab using: Code: #curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | bash #apt-get -y install gitlab-ce # nano /etc/gitlab/gitlab.rb NOTE: I used these values to get GitLab to work with Apache: web_server['external_users'] = ['www-data'] web_server['username'] = 'apache' web_server['group'] = 'apache' nginx['enable'] = false external_url 'http://developer.example.com' #gitlab-ctl reconfigure #systemctl restart apache2 #gitlab-ctl start Everything installs without error, but when I visit http://developer.example.com I only get the default ISPConfig index.html page. Any tips on what I am missing? As for Challenge #2 Syncing git & and gitlab repositories, I haven't taken a swipe at that task yet.
Ispconfig doesn't require that port, it is just the default, and easy to change. I have never setup gitlab, but it wouldn't surprise me if that were the case there as well. I would probably just avoid the conflict and not try to configure a proxy for specific paths, etc. I may misunderstand your question, but it's up to the users themselves to keep an external got repository in sync with gitlab. Eg. When changes are pushed to ispconfig, I pull them to my own to to stay in sync; or I push commits for changes I make back to gitlab.
Thanks for the reply.. Actually, forget about Challenge #2, mirroring the GitLab / Git repositories is a lot easier than I thought: https://docs.gitlab.com/ee/user/project/repository/repository_mirroring.html With regards to your suggestion of changing the ports of either IPSConfig or GitLab as to avoid the conflict, let's say that I changed the GitLab port for example's sake. I should still be able to mange the gitlab url / vhost / ssl through the ispconfig gui (minus the proxy directives), correct?
I would think so, but again have no experience with gitlab; @Croydon could probably confirm or comment otherwise.
Might you be able to bring this thread to @Croydon's attention... I'd like to keep the discussion here in case he shares some knowledge that could be useful to other GitLab / ISPConfig users... thx.
You can proxy any http/https traffic with apache and nginx. So yes, you can basically put any other HTTP(s) server behind a proxy configuration of an ISPConfig vhost. Personally, I won't install Gitlab on an ISPConfig server. Gitlab needs quite some resources anyway, so giving GitLab its own virtual server is a cleaner and better choice in my opinion.
Thanks for the feedback. I have already noticed the increased resource usage on virtualbox, but I will proceed with the installation as I have unique use case that justifies the additional costs. @till You are saying that I "can" put GitLab behind a ISPConfig vhost, meanwhile @Jesse Norell has advised that I run GitLab adjacent to ISPConfig and avoid the port collision all together. @till Specifically, my question that you quoted, is.... "If, I choose to run GitLab adjacently as @Jesse Norell suggested (on a different port than 8080)... would I still be able to manage the gitlab url / vhost / ssl through the ispconfig gui (minus the proxy directives).... Or is it necessary for my to run GitLab behind an ISPConfig vhost proxy as to be able to apply the SSL and other settings via ISPConfig GUI?
You always have to avoid port collisions (means same IP/port combination), no matter if you use a proxy or not to make the service available on a second port beside the port it already listens to. Using a proxy is not a replacement for the original port of another software. It just allows you to e.g. run Gitlab on port 1234 and then make it available also on port 443 which apache already occupies by using a name virtual host with a proxy directive inside. What Jesse suggested is that you just let every software have its own separate port without making it available on a second port. As I mentioned earlier, I won't run Gitlab the way you do now and I don't run my Gitlab instance in that way. So I can't tell you how much work it is and if it's possible to rewrite an ISPConfig vhost in the way that it can be used for GitLab without using a proxy. Look at the ispconfig vhost file of websites, at the Gitlab docs and at the Apache docs to see which changes are needed and if you can configure that by using apache directives field in ISPConfig.
So in a nutshell, change the GitLab port, and use ISPConfig as a proxy because LE listens on port 443. Got it... This lands me right back at my original post in this thread, which no one can answer, because no one on the team has ever configured ISPConfig as proxy for GitLab previously, except maybe, @Croydon... Understood. Thanks for the feedback.
I am just impressed with myself, that I, a relative ISPConfig novice, could present an ISPConfig configuration scenario capable of stumping the entire ISPConfig team. Not to worry though, I've already read in other forums how others have accomplished the same feat that I am attempting now (hence where I got the idea). When I figure it out, if time allows, I will post a solution back here for others to use as well. Thanks for the feedback.
Hey Fellas, Quick question, can someone explain the above function? I haven't been able to find anything in the manual about its exact effects. thx
It enables the PROXY protocol for the site, which is needed if you have a proxy in front of the server talking the PROXY protocol. Eg. say you install haproxy as a load balancer in front of a cluster of servers (https://www.haproxy.com/blog/haproxy/proxy-protocol/). It is not needed for the ISPConfig server itself to function as a reverse proxy.
