sameersbn / docker-gitlab

Dockerized GitLab
http://www.damagehead.com/docker-gitlab/
MIT License

How can I have both HTTP and HTTPS? #716

Open mhf-ir opened 8 years ago

mhf-ir commented 8 years ago

How can I have both HTTP and HTTPS, i.e. force users to access GitLab over HTTPS while still being able to get the raw data of public projects as HTTP content?

This is my GitLab with load balancer:

docker run --restart=always --name gitlab -d --link gitlab-postgresql:postgresql --link gitlab-redis:redisio --publish 10022:22 --publish 10081:80 \
  --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_HOST=git.example.com' --env 'GITLAB_PORT=10443' --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
  --env 'GITLAB_SECRETS_DB_KEY_BASE=123123123' --env 'GITLAB_EMAIL_DISPLAY_NAME=Main Git Repository' \
  --env 'SMTP_USER=a11111@gmail.com' --env 'SMTP_PASS=1111' --env 'GITLAB_TIMEZONE=Europe/Berlin' \
  --env 'DB_NAME=gitlabhq_production' --env 'DB_USER=gitlab' --env 'GITLAB_ROOT_PASSWORD=123123123' \
  --env 'DB_PASS=234234234' \
  --volume $(pwd)/storage/data:/home/git/data sameersbn/gitlab:8.8.2
docker run --restart=always --name nginx-loadbalancer -d \
  --volume $(pwd)/config:/config \
  --publish 10443:443 --publish 10080:80 nginx-loadbalancer entrypoint

But when getting raw content, it switches to the HTTPS port. How can I solve this issue?

solidnerd commented 8 years ago

If I understand you correctly, you want to force that every piece of data is sent via HTTPS. This depends on your nginx configuration in the nginx-loadbalancer.

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name <YourDomain>;
        access_log <YourLogPath>;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 24h;
        ssl_buffer_size 1400;
        ssl_session_tickets off;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers AESGCM:HIGH:AES256+EECDH:AES256+EDH:!aNULL;
        ssl_prefer_server_ciphers on;

        ssl_certificate <YourDomainCertificate>;
        ssl_certificate_key <YourDomainCertificatePrivateKey>;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;

        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        location / {
                proxy_pass http://git.example.com;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP       $remote_addr;
                proxy_set_header X-Forwarded-Ssl on;
        }
}

server {
        listen 80;
        listen [::]:80;
        server_name <YourDomain>;
        return 301 https://$server_name$request_uri;  # enforce https
}

This forces the client to use only HTTPS connections.

mhf-ir commented 8 years ago

This redirects every request to HTTPS.

What I mean is: normal users and developers signing in to the GitLab panel should be forced to use HTTPS, but I also have some clients (applications and bots) that need to get the raw content of my public repositories via HTTP [without redirecting them to HTTPS].

sameersbn commented 8 years ago

@mhf-ir The nginx configuration of the image will redirect http connections to https when GITLAB_HTTPS=true.

If you want the gitlab server to be accessible over http as well as https:

  1. Set GITLAB_HTTPS=false. This will disable the internal http -> https redirections and the clone urls will be of http:// form.
  2. Configure SSL termination at the load-balancer and don't perform any http->https redirections at the load-balancer.

With these changes, you should be able to clone repos with plain http as well as with https. But note that if a user accesses the Web UI over the http protocol, they will not be redirected to the more secure https protocol.

FWIW, here is my nginx load-balancer configuration that I used for testing:

upstream gitlab {
  server 172.17.0.1:10080 fail_timeout=0;
}

# let gitlab deal with the redirection
server {
  listen 80;
  server_name git.example.com;
  server_tokens off;

  access_log off;

  root /dev/null;
  client_max_body_size 0;

  location / {
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_pass http://gitlab;
  }
}

server {
  listen 443 ssl spdy;
  server_name git.example.com;
  server_tokens off;

  root /dev/null;
  client_max_body_size 0;

  ssl on;
  ssl_certificate /etc/nginx/ssl/git.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/git.example.com.key;
  ssl_verify_client off;

  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  location / {
    ## If you use https make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_pass http://gitlab;
  }
}
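An added example (not part of the thread and not the project's own configuration) showing how the load balancer can apply the redirect selectively rather than globally: plain-HTTP requests for raw files are proxied through, while every other HTTP request is sent to HTTPS. It follows step 1 above (GITLAB_HTTPS=false, so the container performs no redirect of its own) and assumes the upstream address from the configuration above and the raw-file URL shape `/<namespace>/<project>/raw/<ref>/<path>`; both are assumptions to adjust for your setup.

```nginx
upstream gitlab {
  server 172.17.0.1:10080 fail_timeout=0;   # assumed: the container's port 80 (see step 1 above)
}

# Plain HTTP: only raw file downloads are proxied, everything else is redirected.
server {
  listen 80;
  server_name git.example.com;
  server_tokens off;

  # Assumed raw-file URL shape: /<namespace>/<project>/raw/<ref>/<path>
  # Regex locations win over the prefix location "/" below.
  location ~ ^/[^/]+/[^/]+/raw/ {
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;   # GitLab sees the real scheme (http)
    proxy_pass http://gitlab;
  }

  # Web UI, sign-in, API and git-over-HTTP all go to HTTPS.
  location / {
    return 301 https://$server_name$request_uri;
  }
}

# HTTPS: same proxying as the 443 server block above, with HSTS so browsers
# that have seen the site once stay on HTTPS even for raw links.
server {
  listen 443 ssl;
  server_name git.example.com;
  server_tokens off;

  ssl_certificate /etc/nginx/ssl/git.example.com.crt;        # paths as in the config above
  ssl_certificate_key /etc/nginx/ssl/git.example.com.key;
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;

  add_header Strict-Transport-Security "max-age=63072000" always;

  location / {
    gzip off;   # see the BREACH note above
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://gitlab;
  }
}
```

The HTTP exception is reachable by signed-in browsers too, so with GITLAB_HTTPS=false a session cookie can still be sent in clear on a raw-file link; keep the exception limited to this path and rely on HSTS to keep browsers on HTTPS, and verify with `curl -I http://git.example.com/` (expect 301) versus a raw path (expect 200).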

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had any activity for the last 60 days. It will be closed if no further activity occurs during the next 7 days. Thank you for your contributions.