sameersbn / docker-gitlab

Dockerized GitLab
http://www.damagehead.com/docker-gitlab/
MIT License

Cannot Access GITLab Website Over HTTPS #1900

Closed hc128168 closed 5 years ago

hc128168 commented 5 years ago

Here is my docker-composer.xml on my Synology DS1019+ NAS:

version: '2'

services:
  redis:
    restart: always
    image: sameersbn/redis:4.0.9-1
    command:
    - --loglevel warning
    volumes:
    - /volume1/docker/team/gitlab/redis:/var/lib/redis

  postgresql:
    restart: always
    image: sameersbn/postgresql:10
    volumes:
    - /volume1/docker/team/gitlab/postgresql:/var/lib/postgresql
    environment:
    - DB_USER=[db user]
    - DB_PASS=[db pass]
    - DB_NAME=team_git_db
    - DB_EXTENSION=pg_trgm

  gitlab:
    restart: always
    image: sameersbn/gitlab:11.9.5
    depends_on:
    - redis
    - postgresql
    ports:
    - "10080:80"
    - "10022:22"
    volumes:
    - /volume1/docker/team/gitlab/gitlab/config:/etc/gitlab
    - /volume1/docker/team/gitlab/gitlab/logs:/var/log/gitlab
    - /volume1/docker/team/gitlab/gitlab/data:/home/git/data
    - /volume1/docker/team/gitlab/gitlab/opt:/var/opt/gitlab
    environment:
    - DEBUG=false

    - DB_ADAPTER=postgresql
    - DB_HOST=postgresql
    - DB_PORT=5432
    - DB_USER=[db user]
    - DB_PASS=[db pass]
    - DB_NAME=team_git_db

    - REDIS_HOST=redis
    - REDIS_PORT=6379

    - TZ=Asia/Tokyo
    - GITLAB_TIMEZONE=Tokyo

    - GITLAB_HTTPS=true
    - SSL_SELF_SIGNED=true

    - GITLAB_HOST=[my host]
    - GITLAB_PORT=10080
    - GITLAB_SSH_PORT=10022
    - GITLAB_RELATIVE_URL_ROOT=
    - GITLAB_SECRETS_DB_KEY_BASE=[some key]
    - GITLAB_SECRETS_SECRET_KEY_BASE=[some other key]
    - GITLAB_SECRETS_OTP_KEY_BASE=[some...key]

    - GITLAB_ROOT_PASSWORD=[gitlab root pass]
    - GITLAB_ROOT_EMAIL=gitlabroot@example.com

    - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
    - GITLAB_NOTIFY_PUSHER=false

    - GITLAB_EMAIL=noreply@example.com
    - GITLAB_EMAIL_REPLY_TO=noreply@example.com
    - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com

    - GITLAB_BACKUP_SCHEDULE=daily
    - GITLAB_BACKUP_TIME=01:00

    - SMTP_ENABLED=true
    - SMTP_DOMAIN=[my host]
    - SMTP_HOST=[my host]
    - SMTP_PORT=587
    - SMTP_USER=gitlabmail@[my host]
    - SMTP_PASS=[smtp pass]
    - SMTP_STARTTLS=true
    - SMTP_AUTHENTICATION=login

    - IMAP_ENABLED=false
    - IMAP_HOST=imap.gmail.com
    - IMAP_PORT=993
    - IMAP_USER=mailer@example.com
    - IMAP_PASS=password
    - IMAP_SSL=true
    - IMAP_STARTTLS=false

    - OAUTH_ENABLED=false
    - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
    - OAUTH_ALLOW_SSO=
    - OAUTH_BLOCK_AUTO_CREATED_USERS=true
    - OAUTH_AUTO_LINK_LDAP_USER=false
    - OAUTH_AUTO_LINK_SAML_USER=false
    - OAUTH_EXTERNAL_PROVIDERS=

    - OAUTH_CAS3_LABEL=cas3
    - OAUTH_CAS3_SERVER=
    - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
    - OAUTH_CAS3_LOGIN_URL=/cas/login
    - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate
    - OAUTH_CAS3_LOGOUT_URL=/cas/logout

    - OAUTH_GOOGLE_API_KEY=
    - OAUTH_GOOGLE_APP_SECRET=
    - OAUTH_GOOGLE_RESTRICT_DOMAIN=

    - OAUTH_FACEBOOK_API_KEY=
    - OAUTH_FACEBOOK_APP_SECRET=

    - OAUTH_TWITTER_API_KEY=
    - OAUTH_TWITTER_APP_SECRET=

    - OAUTH_GITHUB_API_KEY=
    - OAUTH_GITHUB_APP_SECRET=
    - OAUTH_GITHUB_URL=
    - OAUTH_GITHUB_VERIFY_SSL=

    - OAUTH_GITLAB_API_KEY=
    - OAUTH_GITLAB_APP_SECRET=

    - OAUTH_BITBUCKET_API_KEY=
    - OAUTH_BITBUCKET_APP_SECRET=

    - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=
    - OAUTH_SAML_IDP_CERT_FINGERPRINT=
    - OAUTH_SAML_IDP_SSO_TARGET_URL=
    - OAUTH_SAML_ISSUER=
    - OAUTH_SAML_LABEL="Our SAML Provider"
    - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    - OAUTH_SAML_GROUPS_ATTRIBUTE=
    - OAUTH_SAML_EXTERNAL_GROUPS=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=

    - OAUTH_CROWD_SERVER_URL=
    - OAUTH_CROWD_APP_NAME=
    - OAUTH_CROWD_APP_PASSWORD=

    - OAUTH_AUTH0_CLIENT_ID=
    - OAUTH_AUTH0_CLIENT_SECRET=
    - OAUTH_AUTH0_DOMAIN=

    - OAUTH_AZURE_API_KEY=
    - OAUTH_AZURE_API_SECRET=
    - OAUTH_AZURE_TENANT_ID=

(I initially messed it up a few times before I ended up with the version above.)

I added Let's Encrypt's certificate via DSM and marked it as default. I could go to my DSM's page over HTTPS. Then I copied the files over:

cat privkey.pem > /volume1/docker/team/gitlab/gitlab/data/certs/gitlab.key
cat cert.pem fullchain.pem > /volume1/docker/team/gitlab/gitlab/data/certs/gitlab.crt
cp cert.pem /volume1/docker/team/gitlab/gitlab/data/certs

I also ran openssl dhparam -out dhparam.pem 2048 on my desktop and copied the result over.

Then I did sudo docker-compose down and then sudo docker-compose up -d. But it didn't work. My Chrome browser gave me ERR_SSL_PROTOCOL_ERROR.

Then, I tried wget -v https://[my domain]:10080 and it gave me:

--2019-04-13 22:35:15--  https://[my domain]:10080/
Resolving [my domain] ([my domain])... [my ip]
Connecting to [my domain] ([my domain])|[my ip]|:10080... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Curl gave slightly more info:

$ curl -Lv https://[my domain]:10080
* About to connect() to [my domain] port 10080 (#0)
*   Trying [my ip]...
* Connected to [my domain] ([my ip]) port 10080 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

It looks like GitLab isn't responding with HTTPS. The request certainly reached nginx: I tailed gitlab/logs/nginx/gitlab_access.log and saw it:

172.18.0.1 - - [13/Apr/2019:14:46:51 +0000] "\x16\x03\x01\x00\xC8\x01\x00\x00\xC4\x03\x03k,\xBC\xA2\xDA/\xD2e\xDF\x97\x1B\xDE\xAChx\xBE\xD0\x098\x9E\xDBx)\xBB\x00\xDC\x8E\x98N\x169(\x00\x00\x1C\x8A\x8A\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 166 "-" "-"

Accessing via HTTP is fine once GITLAB_HTTPS is set to false.

Though, one thing I noticed is that inside the container I don't see SSL_KEY_PATH, SSL_CA_CERTIFICATES_PATH or SSL_DHPARAM_PATH in the env:

# printenv | grep SSL
OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
SSL_SELF_SIGNED=true
IMAP_SSL=true
OAUTH_GITHUB_VERIFY_SSL=

But I assume it is okay to be missing those env variables, because I see the cert/key configured in /etc/nginx/sites-enabled/gitlab:

server {
  listen 0.0.0.0:443 ssl http2;
  listen [::]:443 ipv6only=on ssl http2 default_server;
  server_name [my domain]; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ssl on;
  ssl_certificate /home/git/data/certs/gitlab.crt;
  ssl_certificate_key /home/git/data/certs/gitlab.key;
  ssl_verify_client off;

I feel maybe I messed up the initial setup a few times and so it is in a weird state. How can I restart from scratch? (Sorry, I am not familiar with Docker... so a stupid question here.)

Or any idea what is going wrong?

Thanks in advance.
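
The garbled "request" in the nginx access log above is the raw TLS ClientHello that Chrome sent to port 10080, which the compose file maps to the container's plaintext port 80. The following is an added example (not code from the issue or from docker-gitlab) that undoes nginx's \xHH log escaping and decodes the bytes, so a defender can tell "TLS sent to an HTTP listener" apart from a genuinely malformed request when reviewing such 400 entries; the LOG_REQUEST constant is copied from the log line quoted in the issue.

```python
import re
import struct

# Constructed from the nginx access-log "request" field quoted in the issue above:
# nginx's plaintext :80 listener received a TLS ClientHello and logged it as a 400.
LOG_REQUEST = (
    r"\x16\x03\x01\x00\xC8\x01\x00\x00\xC4\x03\x03k,\xBC\xA2\xDA/\xD2e\xDF\x97"
    r"\x1B\xDE\xAChx\xBE\xD0\x098\x9E\xDBx)\xBB\x00\xDC\x8E\x98N\x169(\x00\x00"
    r"\x1C\x8A\x8A\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C"
    r"\x00\x9D\x00/\x005\x00"
)

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def unescape_nginx(field: str) -> bytes:
    """Undo nginx log escaping: \\xHH for non-printable bytes, everything else literal."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode("latin-1"))


def parse_client_hello(raw: bytes):
    """Parse a TLS record header plus ClientHello prefix; None if it is not one."""
    # Record header: content type 0x16 (handshake), record version, record length.
    if len(raw) < 5 or raw[0] != 0x16:
        return None
    rec_ver, rec_len = struct.unpack(">HH", raw[1:5])
    body = raw[5:]
    if len(body) < 41 or body[0] != 0x01:          # handshake type 1 = ClientHello
        return None
    client_ver = struct.unpack(">H", body[4:6])[0]
    pos = 6 + 32                                   # skip the 32-byte client_random
    pos += 1 + body[pos]                           # session_id length + session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    cs = body[pos + 2:pos + 2 + cs_len]            # may be shorter than cs_len if the log was cut
    suites = [struct.unpack(">H", cs[i:i + 2])[0] for i in range(0, len(cs) - 1, 2)]
    return {
        "record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": TLS_VERSIONS.get(client_ver, hex(client_ver)),
        "cipher_suites": suites,                   # first entry 0x8A8A is a Chrome GREASE value
        # nginx logs only what it read before rejecting the line, so the record is truncated
        "truncated": len(raw) < 5 + rec_len,
    }


def diagnose(log_request: str) -> str:
    hello = parse_client_hello(unescape_nginx(log_request))
    if hello is None:
        return "plain HTTP request line"
    return (f"TLS ClientHello ({hello['client_version']}) reached a plaintext listener: "
            "the published port is mapped to the container's HTTP port, not its HTTPS port")
```

A run of diagnose(LOG_REQUEST) names the port-mapping mismatch directly, which is exactly the condition that produces ERR_SSL_PROTOCOL_ERROR in Chrome and SSL_ERROR_RX_RECORD_TOO_LONG in curl.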

hc128168 commented 5 years ago

I figured it out: there is only one port to specify in the GitLab env, but nginx will try to bounce HTTP requests to a port with SSL -- 443. Hence, the best way to get around it is to map 10443 to 443; then nginx will bounce to the same port -- and there is no need to port-forward two ports. Safer.