GitLab: Docker container + HTTPS + SSH + reverse proxy

I had been running GitLab in a Docker container for a while now. And it was time to review the installation. Firstly, it was four version late at least. Secondly, I wanted to switch it to HTTPS. Thirdly, I wanted to provide SSH access to git. As I run several other dockerized web applications on my server, I use jwilder's nginx reverse proxy. After some tests (thanks to Docker!), I found one working configuration. And here are the steps I followed to upgrade:

• stop current nginx-proxy container
• backup the data volume I had created to store nginx vhost information. Just in case...
• create a host directory, where to store certificate for HTTPS. Let's call it <containerCerts>
• create and run the new container:

docker run -d -p 80:80 -p 443:443 --name="<containerName>" \
  -v <previousContainerDirectory>:/etc/nginx/vhost.d:ro \
  -v <containerCerts>:/etc/nginx/certs \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  jwilder/nginx-proxy:0.5.0

• check that all web applications are still reachable
• stop current running GitLab container
• backup the three data volumes. Just in case...
• create and start the new GitLab container:

docker run --detach \
    --hostname <FQDNForTheContainer> \
    --env VIRTUAL_HOST=<FQDNForTheContainer> \
    --publish <availablePortOnHost>:80 --publish <anotherAvailablePortOnHost>:22 \
    --name <gitLabContainerName> \
    --restart always \
    --volume <previousContainerConfigDirectory>:/etc/gitlab \
    --volume <previousContainerLogsDirectory>:/var/log/gitlab \
    --volume <previousContainerLogDirectory>:/var/opt/gitlab \
    gitlab/gitlab-ce:8.15.1-ce.0

• wait for http://<FQDNForTheContainer> to be available
• modify <previousContainerConfigDiretory>/gitlab.rb so to contain:

# Note the protocol: https.
external_url 'https://gitlab.systev.com'

# These values should already be configured from previous container.
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = '<emailFrom>'
gitlab_rails['gitlab_email_display_name'] = '<displayName>'
gitlab_rails['gitlab_email_reply_to'] = '<emailReplyTo>'

# Same for these ones.
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "<SMTPServer>"
gitlab_rails['smtp_port'] = <SMTPPort>
gitlab_rails['smtp_user_name'] = "<SMTPUsername>"
gitlab_rails['smtp_password'] = "<SMTPPassword>"
gitlab_rails['smtp_domain'] = "<SMTPDomain>"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false                                              
gitlab_rails['smtp_openssl_verify_mode'] = 'none'

# For HTTPS handling in association with the reverse proxy. Users connect to 
# the reverse proxy using HTTPS. The reverse proxy connects to GitLab using HTTP.
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

• reconfigure GitLab:

docker exec -it <gitLabContainerName> /bin/bash
gitlab-ctl reconfigure
exit

• create a self-signed certificate (I don't have real certificates for now):

openssl genrsa -out <FQDNForTheContainer>.key 2048
openssl req -new -key <FQDNForTheContainer>.key -out <FQDNForTheContainer>.csr
openssl x509 -req -days 730 -in <FQDNForTheContainer>.csr -signkey <FQDNForTheContainer>.key -out <FQDNForTheContainer>.crt

• copy key and crt files to <containerCerts> directory
• restart reverse proxy container

GitLab container is now reachable at https://<FQDNForTheContainer>. As the certificate is self-signed, the browser displays a warning, of course.

git can be accessed using SSH and a key pair (check GitLab documentation) using following syntax:

git clone ssh://git@<FQDNForTheContainer>:<anotherAvailablePortOnHost>/<project.git>

That's it.

Reference documentation

• jwilder/nginx-proxy documentation - SSL support
• omnibus-gitlab documentation - supporting proxied SSL