33

I installed GitLab CE on a dedicated Ubuntu 14.04 Server edition with the Omnibus package.

Now I would like to install three other virtual hosts next to GitLab.

Two are node.js web applications launched by a non-root user running on two distinct ports > 1024, the third is a PHP web application that needs a web server to be launched from.

They are:

  • a private bower registry running on 8081 (node.js)
  • a private npm registry running on 8082 (node.js)
  • a private composer registry (PHP)

But Omnibus listens on port 80 and doesn't seem to use either Apache2 or Nginx, thus I can't use them to serve my PHP app and reverse-proxy my two other node apps.

What serving mechanism does GitLab Omnibus use to listen on port 80? How should I create the three other virtual hosts to be able to provide the following vHosts?

  • gitlab.mycompany.com (:80) -- already in use
  • bower.mycompany.com (:80)
  • npm.mycompany.com (:80)
  • packagist.mycompany.com (:80)
Rémi Becheras

2 Answers

27

About these

But Omnibus listens on port 80 and doesn't seem to use either Apache2 or Nginx [, thus ...].

and @stdob's comment:

Did omnibus not use nginx as a web server ???

To which I responded:

I guess not because nginx package isn't installed in the system ...

In fact

From Gitlab official docs :

By default, omnibus-gitlab installs GitLab with bundled Nginx.

So yes!

The Omnibus package actually uses Nginx!

But it is bundled, which explains why it doesn't need to be installed as a dependency on the host OS.

Thus YES! Nginx can, and should be used to serve my PHP app and reverse-proxy my two other node apps.

Then now

Omnibus-gitlab allows webserver access through user gitlab-www which resides in the group with the same name. To allow an external webserver access to GitLab, external webserver user needs to be added gitlab-www group.

To use another web server like Apache or an existing Nginx installation you will have to do the following steps:

Disable bundled Nginx by specifying in /etc/gitlab/gitlab.rb

nginx['enable'] = false
# For GitLab CI, use the following:
ci_nginx['enable'] = false

Check the username of the non-bundled web-server user. By default, omnibus-gitlab has no default setting for external webserver user. You have to specify the external webserver user username in the configuration! Let's say for example that webserver user is www-data. In /etc/gitlab/gitlab.rb set

web_server['external_users'] = ['www-data']

This setting is an array so you can specify more than one user to be added to gitlab-www group.

Run sudo gitlab-ctl reconfigure for the change to take effect.

Setting the NGINX listen address or addresses

By default NGINX will accept incoming connections on all local IPv4 addresses. You can change the list of addresses in /etc/gitlab/gitlab.rb.

nginx['listen_addresses'] = ["0.0.0.0", "[::]"] # listen on all IPv4 and IPv6 addresses

For GitLab CI, use the ci_nginx['listen_addresses'] setting.

Setting the NGINX listen port

By default NGINX will listen on the port specified in external_url or implicitly use the right port (80 for HTTP, 443 for HTTPS). If you are running GitLab behind a reverse proxy, you may want to override the listen port to something else. For example, to use port 8080:

nginx['listen_port'] = 8080

Similarly, for GitLab CI:

ci_nginx['listen_port'] = 8081

Supporting proxied SSL

By default NGINX will auto-detect whether to use SSL if external_url contains https://. If you are running GitLab behind a reverse proxy, you may wish to keep the external_url as an HTTPS address but communicate with the GitLab NGINX internally over HTTP. To do this, you can disable HTTPS using the listen_https option:

nginx['listen_https'] = false

Similarly, for GitLab CI:

ci_nginx['listen_https'] = false

Note that you may need to configure your reverse proxy to forward certain headers (e.g. Host, X-Forwarded-Ssl, X-Forwarded-For, X-Forwarded-Port) to GitLab.

You may see improper redirections or errors (e.g. "422 Unprocessable Entity", "Can't verify CSRF token authenticity") if you forget this step. For more information, see:

To go further you can follow the official docs at https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#using-a-non-bundled-web-server

Configuring our gitlab virtual host

Installing Phusion Passenger

We need to install ruby (gitlab runs in omnibus with a bundled ruby) globally in the OS

$ sudo apt-get update 
$ sudo apt-get install ruby
$ sudo gem install passenger

Recompile nginx with the passenger module

Unlike Apache2, for example, nginx can't have binary modules plugged in on the fly. It must be recompiled for each new plugin you want to add.

The Phusion Passenger developer team worked hard to provide, so to speak, "a bundled nginx version of passenger": nginx binaries compiled with the passenger plugin.

So, let's use it:

requirement: we need to open our TCP port 11371 (the APT key port).

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7
$ sudo apt-get install apt-transport-https ca-certificates

Creating passenger.list:

$ sudo nano /etc/apt/sources.list.d/passenger.list

with these lines

# Ubuntu 14.04
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main

Use the right repo for your Ubuntu version. For Ubuntu 15.04, for example: deb https://oss-binaries.phusionpassenger.com/apt/passenger vivid main

Edit permissions:

$ sudo chown root: /etc/apt/sources.list.d/passenger.list
$ sudo chmod 600 /etc/apt/sources.list.d/passenger.list

Updating package list:

$ sudo apt-get update

Allowing it as unattended-upgrades

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find or create this config block on top of the file:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {

  // you may have some instructions here

};

Add the following:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {

  // you may have some instructions here

  // To check "Origin:" and "Suite:", you could use e.g.:
  // grep "Origin\|Suite" /var/lib/apt/lists/oss-binaries.phusionpassenger.com*
    "Phusion:stable";

};

Now (re)install nginx-extra and passenger:

$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak_"$(date +%Y-%m-%d_%H:%M)"
$ sudo apt-get install nginx-extras passenger

configure it

Uncomment the passenger_root and passenger_ruby directives in the /etc/nginx/nginx.conf file:

$ sudo nano /etc/nginx/nginx.conf

... to obtain something like:

##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##

passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /usr/bin/passenger_free_ruby;

create the nginx site configuration (the virtual host conf)

$ sudo nano /etc/nginx/sites-available/gitlab.conf

server {
  listen *:80;
  server_name gitlab.mycompany.com;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  client_max_body_size 250m;
  access_log  /var/log/gitlab/nginx/gitlab_access.log;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  # Ensure Passenger uses the bundled Ruby version
  passenger_ruby /opt/gitlab/embedded/bin/ruby;

  # Correct the $PATH variable to include packaged executables
  passenger_env_var PATH "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/usr/local/bin:/usr/bin:/bin";

  # Make sure Passenger runs as the correct user and group to
  # prevent permission issues
  passenger_user git;
  passenger_group git;

  # Enable Passenger & keep at least one instance running at all times
  passenger_enabled on;
  passenger_min_instances 1;

  error_page 502 /502.html;
}

Now we can enable it:

$ sudo ln -s /etc/nginx/sites-available/gitlab.conf /etc/nginx/sites-enabled/

There is no a2ensite equivalent coming natively with nginx, so we use ln, but if you want, there is a project on github: nginx_ensite: nginx_ensite and nginx_dissite for quick virtual host enabling and disabling

This is a shell (Bash) script that replicates for nginx the Debian a2ensite and a2dissite for enabling and disabling sites as virtual hosts in Apache 2.2/2.4.

It's done :-). Finally, restart nginx

$ sudo service nginx restart

With this new configuration, you are able to run other virtual hosts next to gitlab to serve what you want

Just create new configs in /etc/nginx/sites-available.

In my case, I made running and serving this way on the same host :

For example, to serve npm.mycompany.com :

Create a directory for logs:

$ sudo mkdir -p /var/log/private-npm/nginx/

And fill a new vhost config file:

$ sudo nano /etc/nginx/sites-available/npm.conf

With this config

server {
  listen *:80;
  server_name npm.mycompany.com;

  client_max_body_size 5m;
  access_log  /var/log/private-npm/nginx/npm_access.log;
  error_log   /var/log/private-npm/nginx/npm_error.log;

  location / {
    proxy_pass http://localhost:8082;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

Then enable it and restart it:

$ sudo ln -s /etc/nginx/sites-available/npm.conf /etc/nginx/sites-enabled/
$ sudo service nginx restart
Rémi Becheras
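
The note quoted in this answer about forwarding headers can be checked mechanically. This added example (not part of the answer or of GitLab's documentation) lists which of the four named headers a proxy vhost file never sets; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. REQUIRED lists the headers named in the note quoted above.
REQUIRED="Host X-Forwarded-Ssl X-Forwarded-For X-Forwarded-Port"

# missing_forwarded_headers FILE
# Prints each required header that FILE never sets with proxy_set_header.
missing_forwarded_headers() {
  for header in $REQUIRED; do
    # Strip comments so a commented-out directive does not count, then look
    # for "proxy_set_header <name> <value>;" (header names are case-insensitive).
    sed 's/#.*//' "$1" |
      grep -Eiq "(^|[;{[:space:]])proxy_set_header[[:space:]]+${header}[[:space:]]+[^;]+;" ||
      printf '%s\n' "$header"
  done
}

# Constructed sample: a trimmed copy of the npm vhost from the answer,
# plus one commented-out directive to show that it is ignored.
write_sample_conf() {
  cat > "$1" <<'EOF'
server {
  listen *:80;
  server_name npm.mycompany.com;
  location / {
    proxy_pass http://localhost:8082;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    # proxy_set_header X-Forwarded-For $remote_addr;
  }
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
missing_forwarded_headers "$sample"
rm -f "$sample"
```

Run it against each file in sites-enabled before restarting nginx; an empty result means all four headers are set somewhere in the file.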
  • I cannot restart gitlab bundle nginx using this command `sudo service nginx restart`. – einverne Oct 04 '15 at 12:20
  • You should create a new question post on stackoverflow and explain your issue in details. Have you got an error message ? etc ... Then share the permalink here I will help you with pleasure. – Rémi Becheras Oct 05 '15 at 09:41
  • I have created a question [here](http://stackoverflow.com/questions/32969612/how-can-i-restart-bundle-nginx-in-gitlab-separately) . – einverne Oct 06 '15 at 12:11
  • Thank you too, @TheF! So... you could upvote the question too, it will help to earn more visibility ;-) – Rémi Becheras Aug 17 '16 at 10:03
  • @RémiBecheras A very good tutorial. Saved my life :P. Indeed very good step by step instructions. Thanks a lot. I just want to add. People trying to install passenger with ruby version less than 2.2.2, they need to trick the bundler by `gem install rack -v=1.6.4` and then `gem install passenger -v=5.0.10 --conservative`. – Harry Bomrah Aug 21 '16 at 12:20
  • @RémiBecheras btw I am experiencing one problem. When i git clone, it clones empty repository. Any idea? – Harry Bomrah Aug 21 '16 at 14:33
  • 1
    See dgoo2308's answer for a much better answer. This solution explains in a lot of unnecessary words (what's got passenger to do with creating other nginx vhosts) how to disable the bundled nginx and install your own - which you would then have to manage, update and configure yourself. – AndreKR Nov 12 '16 at 10:34
  • Heads up, one thing that wasn't mentioned -- if your nginx won't start (and passes `nginx -t` test), the error logs will show the old gitlab nginx is still running on port 80! If you reinstall an existing Nginx installation, use the reconfigure command [again] to disable gitlab's nginx – dylanh724 Jun 29 '17 at 07:58
  • @RémiBecheras **Recompile nginx with the passenger module** should run on nginx server or gitlab server in my case nginx server is sitting on different vhost. – microchip78 Sep 20 '18 at 23:10
  • This solution is much harder and "hackier" than the alternative proposed by @Danny - just insert the custom vHost definitions into the bundled nginx – Nick Andriopoulos Oct 10 '18 at 15:07
  • FYI this solution is to use an alternate server to resolve hosting vhosts next to gitlab https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server, where i think the op was asking how to add vhosts to gitlab, using what it has, to host other sites https://docs.gitlab.com/omnibus/settings/nginx.html#inserting-custom-settings-into-the-nginx-config (see @danny answer below for elaboration on the latter). – blamb Jan 07 '20 at 21:00
27

As I would not like to change the nginx server for gitlab (with some other integrations), the safest way would be below solution.

Also, as per

GitLab: NGINX => Inserting custom settings into the NGINX config

edit the /etc/gitlab/gitlab.rb of your gitlab:

nano /etc/gitlab/gitlab.rb

and scroll to nginx['custom_nginx_config'] and modify it as below; make sure to uncomment it

# Example: include a directory to scan for additional config files
nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/*.conf;"

create the new config dir:

mkdir -p /etc/nginx/conf.d/
nano /etc/nginx/conf.d/new_app.conf

and add content to your new config

# my new app config : /etc/nginx/conf.d/new_app.conf
# set location of new app 
upstream new_app {
  server localhost:1234; # wherever it might be
}
# set the new app server
server {
  listen *:80;
  server_name new_app.mycompany.com;
  server_tokens off;
  access_log  /var/log/new_app_access.log;
  error_log   /var/log/new_app_error.log;
  proxy_set_header Host      $host;
  proxy_set_header X-Real-IP $remote_addr;
  location / { proxy_pass  http://new_app; }
}

and reconfigure gitlab to get the new settings inserted

gitlab-ctl reconfigure

to restart nginx

gitlab-ctl restart nginx

to check nginx error log:

tail -f /var/log/gitlab/nginx/error.log
Danny
  • Nice instructions. I would add however two things that need fixing. The server and proxy_pass lines need a trailing ';' and the proxy_pass line must be in a location context. Like : upstream app { server localhost:8080; } server { listen *:80; server_name app.domain.com; server_tokens off; access_log /var/log/app_access.log; error_log /var/log/app_error.log; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; location / { proxy_pass http://app; } } – Mathieu L. Dec 12 '16 at 18:04
  • Please note - the proxy_pass directive belongs to a location directive – DocJones Mar 17 '17 at 13:02
  • You could better use the latest `master` branch: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md – Melroy van den Berg Jul 02 '17 at 23:30
  • @Danny Great answer. Is there a way to add Let's Encrypt for such domain on the Gitlab Nginx? In this example, for 'new_app.mycompany.com'? – Slavik Aug 21 '18 at 06:50
  • 1
    @Slavik run `sudo certbot --nginx` and do it that way. Thanks to @Danny too because this saved me a real headache – Matt Fletcher Feb 20 '19 at 13:40
  • @MattFletcher running `sudo certbot --nginx` returns `The requested nginx plugin does not appear to be installed`. Is there a way to solve this issue? – Milan Markovic Sep 04 '19 at 10:21
  • oh i just realized... plugin just needs to be installed, since gitlab is using manual method. I was concerned not to break anything by installing it (or that it was already installed, just not initializing), but everything works ok! – Milan Markovic Sep 04 '19 at 16:33
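
Both answers proxy to backends on localhost ports, which only keeps traffic behind nginx if those backends are not also listening on a public address. This added example (not from either answer) parses `ss -ltn` output and reports the registry ports from the question that are bound beyond loopback; the function names and the sample output are constructed.

```shell
#!/usr/bin/env bash
# exposed_backends PORT...   (reads `ss -ltn` output on stdin)
# Prints "<port> <address>" for each listed port bound to a non-loopback address.
exposed_backends() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)        # keep what follows the last colon
      sub(/:[^:]*$/, "", addr)    # keep what precedes it
      if ((port in want) && addr !~ /^(127\.|\[?::1\]?$)/) print port, addr
    }'
}

# Constructed sample in the column layout `ss -ltn` prints:
# nginx on all addresses, bower on loopback only, npm on every IPv6 address.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:80                *:*
LISTEN  0      128    127.0.0.1:8081      *:*
LISTEN  0      128    :::8082             :::*
EOF
}

sample_ss_output | exposed_backends 8081 8082
# On a live host: ss -ltn | exposed_backends 8081 8082
```

A port reported here can be reached without passing through nginx; bind that Node.js process to 127.0.0.1 or firewall the port.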