Gitlab Omnibus + Gitlab registry behind HAproxy guide!

Ziyaddin Mammadov
Feb 28, 2021

First of all you have to create 2 virtual hosts with your preferred OS (e.g. CentOS, Ubuntu). You also need your own domain for this setup.

For our setup we will use Ubuntu servers, with version Focal 20.04.01 LTS.

All IPs used here are examples; you can use your own!

Host 1 with IP 192.168.1.100 we will use for HAproxy and gitlab-runners.
Host 2 with IP 192.168.1.101 we will use for our Gitlab Omnibus.

Let's start by preparing our server for HAproxy.

sudo apt update -y && sudo apt upgrade -y

(to be sure we have all the latest updates for our OS)

After all updates are installed, we need to install the HAproxy package on our server.

sudo apt install haproxy -y

After successful installation we can proceed to configure our HAproxy. The config path is /etc/haproxy/haproxy.cfg; you can edit it with your preferred text editor (vim, vi, nano).

sudo nano /etc/haproxy/haproxy.cfg

Now we should create a frontend and a backend in our HAproxy configuration. We will also specify the path to our SSL wildcard certificate for our domain.

frontend http_in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/certificate.pem alpn h2,http/1.1
    mode http
    # send every plain-HTTP visitor to HTTPS
    redirect scheme https if !{ ssl_fc }
    # tell the backend which scheme the client really used; set-header replaces
    # any X-Forwarded-Proto value a client may have sent itself
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    # not referenced by any rule below (TLS is already terminated above); harmless, can be removed
    acl tls req.ssl_hello_type 1
    acl host_registry hdr(host) -i registry.YOUR-DOMAIN.com
    acl host_gitlab hdr(host) -i gitlab.YOUR-DOMAIN.com

    use_backend gitlab if host_gitlab
    use_backend gitlab if host_registry

And your backend to Gitlab:

backend gitlab
    mode http
    # TLS ends at HAproxy; this hop to the Gitlab host is plain HTTP on port 80,
    # so only the proxy (192.168.1.100) should be able to reach that port
    server gitlab 192.168.1.101:80

So finally our /etc/haproxy/haproxy.cfg file must contain the frontend and backend shown above.

After that you have to restart your haproxy:

sudo systemctl restart haproxy

And also don't forget to enable the haproxy service, so it starts automatically if the server is rebooted:

sudo systemctl enable haproxy

Now we have to create our wildcard certificate for your domain, so you can use your HAproxy not only for Gitlab and the Gitlab registry but for everything you need inside your local network.

First of all we need to install Certbot on our server:

sudo apt install certbot -y

If you have problems installing certbot via apt, don't worry about it. You can use the snap package instead:

sudo snap install certbot --classic

Then you have to edit your /etc/environment, where you will see a long string like this:

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

You have to modify it to look like this (adding /snap/bin at the end):

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"

After modifying it you also need to apply the change to your current shell with this command:

source /etc/environment

Now we can create our wildcard certificate via Certbot with this command:

sudo certbot certonly --manual --preferred-challenges=dns --email YOUR-EMAIL-ADDRESS --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.YOUR-DOMAIN.com

After this command it will prompt you to add a TXT DNS record to your domain, so certbot can verify your domain ownership.

As you can see, it prompts you with what you have to do:

Please deploy a DNS TXT record under the name
_acme-challenge.your-domain.com with the following value:
B_KT9bFN4-Ek3Nc6pVZPKjO37t-gDWakN-fg1wRAQ9Y
Before continuing, verify the record is deployed.

Now you have to go to your domain management page and add the DNS TXT record.

After this little manipulation, wait 5 or 10 minutes just to be sure, so your DNS record has time to propagate. Then press Enter in your terminal, and if everything is ok you will see:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-01-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

And that's all: you have your new wildcard certificate for your domain and all its subdomains! Note that it is only valid for 3 months, because Let's Encrypt can't give you a certificate for longer than 3 months. After 3 months you have to run this command again and acquire a new one (a certificate obtained with --manual and no auth hook cannot be renewed unattended by certbot renew, so the DNS challenge has to be repeated by hand each time).

After that you have to merge your certificate and private key together for HAproxy. Find your certificate in

cd /etc/letsencrypt/live/your-domain.com/

and there you will see 4 files: cert.pem, chain.pem, fullchain.pem and privkey.pem.

You have to merge them into one file, since that is what HAproxy requires, so we do:

cat cert.pem chain.pem privkey.pem > certificate.pem
sudo mkdir -p /etc/haproxy/certs
sudo cp certificate.pem /etc/haproxy/certs/
sudo systemctl restart haproxy

After all these manipulations, your HAproxy is done with its SSL certificate.
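The merged certificate.pem contains the private key, so it deserves stricter permissions than the separate files certbot writes. The following script is an added example, not from the original post: it builds the bundle HAproxy's crt option expects from a certbot live directory (leaf first, then chain, then key, as above), creates it mode 0600 and sanity-checks the result without needing openssl. The directory and output path are arguments; the file names are certbot's.

```shell
#!/bin/sh
# Added example, not part of the original post: build the single PEM file that
# HAproxy's "crt" option expects from a certbot live directory, and check it.
# LIVE_DIR and OUT_FILE are arguments; nothing here is specific to one domain.
set -eu

# check_haproxy_pem FILE
#   Verifies, without openssl, that the bundle holds at least two CERTIFICATE
#   blocks (leaf plus chain), exactly one PRIVATE KEY block, and is mode 0600:
#   the bundle contains the private key, so it must not be readable by others.
check_haproxy_pem() {
    pem=$1
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    mode=$(ls -ld "$pem" | cut -c1-10)
    [ "$certs" -ge 2 ] || { echo "$pem: expected leaf + chain, found $certs certificate(s)" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$pem: expected exactly one private key, found $keys" >&2; return 1; }
    [ "$mode" = "-rw-------" ] || { echo "$pem: mode is $mode, expected -rw------- (0600)" >&2; return 1; }
}

# build_haproxy_pem LIVE_DIR OUT_FILE
#   Concatenates cert.pem, chain.pem and privkey.pem (leaf first, as in the post)
#   into OUT_FILE, created under a restrictive umask so it is 0600 from the start.
build_haproxy_pem() {
    live_dir=$1
    out=$2
    for f in cert.pem chain.pem privkey.pem; do
        [ -s "$live_dir/$f" ] || { echo "missing or empty: $live_dir/$f" >&2; return 1; }
    done
    # the subshell keeps the umask change from leaking into the caller's shell
    ( umask 077 && cat "$live_dir/cert.pem" "$live_dir/chain.pem" "$live_dir/privkey.pem" > "$out" )
    chmod 600 "$out"          # in case OUT_FILE already existed with wider permissions
    check_haproxy_pem "$out"
}

# Stand-alone use (as root, the live directory is root-only), then restart HAproxy:
#   sh build_haproxy_pem.sh /etc/letsencrypt/live/your-domain.com /etc/haproxy/certs/certificate.pem
if [ "$#" -eq 2 ]; then
    build_haproxy_pem "$1" "$2"
fi
```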

Now we have to set up our Gitlab Omnibus with the registry!

Log in via SSH to your server (192.168.1.101, as we mentioned at the beginning).

If you want to install a version other than the latest one, you can pick it from these links:

https://packages.gitlab.com/gitlab/gitlab-ee/ (Enterprise Edition)
https://packages.gitlab.com/gitlab/gitlab-ce/ (Community Edition)

Note that we will install Gitlab Enterprise Edition. Why? Because there are no limitations in Gitlab Enterprise Edition even if you don't purchase a subscription, and if you later want to buy a paid subscription you will not need to migrate from Gitlab Community to Enterprise. So let's begin the installation of the latest version:

curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

This script will add the gitlab-ee repository to your OS:

ubuntu@ubuntu:/$ curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
Detected operating system as Ubuntu/focal.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Running apt-get update... done.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ee.list...done.
Importing packagecloud gpg key... done.
Running apt-get update... done.
The repository is setup! You can now install packages.

Now we have to install Gitlab:

sudo apt install gitlab-ee -y

After successful installation you will see:

ubuntu@ubuntu:/$ sudo apt install gitlab-ee -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
gitlab-ee
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 971 MB of archives.
After this operation, 2,626 MB of additional disk space will be used.
Get:1 https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu focal/main amd64 gitlab-ee amd64 13.9.1-ee.0 [971 MB]
Fetched 971 MB in 3min 34s (4,534 kB/s)
Selecting previously unselected package gitlab-ee.
(Reading database ... 70985 files and directories currently installed.)
Preparing to unpack .../gitlab-ee_13.9.1-ee.0_amd64.deb ...
Unpacking gitlab-ee (13.9.1-ee.0) ...
Setting up gitlab-ee (13.9.1-ee.0) ...
It looks like GitLab has not been configured yet; skipping the upgrade script.
Thank you for installing GitLab!
GitLab was unable to detect a valid hostname for your instance.
Please configure a URL for your GitLab instance by setting `external_url`
configuration in /etc/gitlab/gitlab.rb file.
Then, you can start your GitLab instance by running the following command:
sudo gitlab-ctl reconfigure

So now we can configure our Gitlab and registry.

Edit the gitlab.rb file; it contains all the Gitlab Omnibus configuration.

Note that Gitlab has its own NGINX inside, so we have to forward our traffic from HAproxy to the Gitlab server on port 80, because all SSL termination happens on HAproxy.

sudo nano /etc/gitlab/gitlab.rb

You will see that the only uncommented setting is your external URL:

##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
external_url 'http://gitlab.example.com'
## Roles for multi-instance GitLab
##! The default is to have no roles enabled,

You have to modify it like this:

external_url 'https://gitlab.your-domain.com'
# the bundled NGINX only speaks plain HTTP to HAproxy, which terminates TLS
nginx['listen_port'] = 80
nginx['listen_https'] = false
# headers passed on to Gitlab; the scheme is fixed to https because every
# request reaches this port through HAproxy
nginx['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
  "Upgrade" => "$http_upgrade",
  "Connection" => "$connection_upgrade"
}

So your domain is served over https:// and the NGINX inside Gitlab is forced to listen on port 80.

We have to do the same thing for our registry. So add these lines or uncomment them:

registry_external_url 'http://registry.your-domain.com'
registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

After that, save and close the gitlab.rb file.
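Because gitlab.rb is plain Ruby read top to bottom, a key assigned twice keeps only its last value and the earlier assignment is silently dead; gitlab-ctl reconfigure will not warn about it. The following shell check is an added example, not from the post or from Gitlab: it lists every top-level key assigned more than once, with the line numbers, so you can catch that before reconfiguring. It assumes the usual gitlab.rb layout of one assignment per line starting in column 1.

```shell
#!/bin/sh
# Added example, not part of the original post: list every setting that is
# assigned more than once in a gitlab.rb file. The file is plain Ruby, read
# top to bottom, so for a duplicated key only the last assignment takes
# effect and the earlier value is dropped without any warning from reconfigure.
set -eu

# duplicate_settings FILE
#   Prints "KEY assigned on lines N,M" for each top-level key (for example
#   nginx['proxy_set_headers']) with two or more uncommented assignments.
#   Prints nothing when the file is clean.
duplicate_settings() {
    awk '
        # only lines that start in column 1 with an identifier can be a
        # top-level assignment; comments, blank lines and indented hash
        # entries such as  "Host" => "$http_host"  never match
        /^[A-Za-z_]/ {
            eq = index($0, "=")
            if (eq == 0) next                      # external_url ... is a call, not an assignment
            nxt = substr($0, eq + 1, 1)
            if (nxt == "=" || nxt == ">" || nxt == "~") next   # ==, =>, =~ are not assignments
            key = substr($0, 1, eq - 1)
            sub(/[[:space:]]+$/, "", key)
            if (key in lines) lines[key] = lines[key] "," NR; else lines[key] = NR
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] > 1) print k " assigned on lines " lines[k]
        }
    ' "$1" | sort
}

# Stand-alone use: sh gitlab_rb_duplicates.sh /etc/gitlab/gitlab.rb
if [ "$#" -eq 1 ]; then
    duplicate_settings "$1"
fi
```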

Now we have to reconfigure our Gitlab and start it:

sudo gitlab-ctl reconfigure

Your Gitlab is now reconfigured and you can access it via https://gitlab.your-domain.com. It will ask you to create the root password, and it's DONE! You have your own Gitlab Omnibus with your own Docker registry inside your Gitlab!

Also don't forget to open the firewall ports!

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw enable
