Commit 2010ce18f18f2ad5194787606c29b622b61bbbfa
1 parent 3d33a1cd
Exists in 7-1-stable-ee and in 1 other branch
Improve organization of the HTTPS documentation
Showing 1 changed file with 34 additions and 17 deletions
README.md
| ... | ... | @@ -206,37 +206,54 @@ Run `sudo gitlab-ctl reconfigure` for the LDAP settings to take effect. | 
| 206 | 206 | |
| 207 | 207 | ### Enable HTTPS | 
| 208 | 208 | |
| 209 | -By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the | |
| 210 | -following line to `/etc/gitlab/gitlab.rb`. | |
| 209 | +By default, omnibus-gitlab does not use HTTPS. If you want to enable | |
| 210 | +HTTPS for gitlab.example.com, first place your key and certificate in | |
| 211 | +`/etc/gitlab/ssl/gitlab.example.com.key` and | |
| 212 | +`/etc/gitlab/ssl/gitlab.example.com.crt`, respectively. | |
| 213 | + | |
| 214 | +``` | |
| 215 | +sudo mkdir -p /etc/gitlab/ssl | |
| 216 | +sudo chmod 700 /etc/gitlab/ssl | |
| 217 | +sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/ | |
| 218 | +``` | |
| 219 | + | |
| 220 | +Next, add the following line to `/etc/gitlab/gitlab.rb` and run `sudo | |
| 221 | +gitlab-ctl reconfigure`. | |
| 211 | 222 | |
| 212 | 223 | ```ruby | 
| 213 | 224 | external_url "https://gitlab.example.com" | 
| 214 | 225 | ``` | 
| 215 | 226 | |
| 216 | -Redirect `HTTP` requests to `HTTPS`. | |
| 227 | +If you are using a firewall you may have to open port 443 to allow inbound | |
| 228 | +HTTPS traffic. | |
| 229 | + | |
| 230 | +``` | |
| 231 | +# UFW example (Debian, Ubuntu) | |
| 232 | +sudo ufw allow https | |
| 233 | + | |
| 234 | +# lokkit example (RedHat, CentOS) | |
| 235 | +sudo lokkit -s https | |
| 236 | +``` | |
| 237 | + | |
| 238 | +#### Redirect `HTTP` requests to `HTTPS`. | |
| 239 | + | |
| 240 | +By default, when you specify an external_url starting with 'https', Nginx will | |
| 241 | +no longer listen for unencrypted HTTP traffic on port 80. If you want to | |
| 242 | +redirect all HTTP traffic to HTTPS you can use the `redirect_http_to_https` | |
| 243 | +setting. | |
| 217 | 244 | |
| 218 | 245 | ```ruby | 
| 219 | 246 | external_url "https://gitlab.example.com" | 
| 220 | 247 | nginx['redirect_http_to_https'] = true | 
| 221 | 248 | ``` | 
| 222 | 249 | |
| 223 | -Change the default port and the ssl certificate locations. | |
| 250 | +#### Change the default port and the ssl certificate locations. | |
| 251 | + | |
| 252 | +If you need to use an HTTPS port other than the default (443), just specify it | |
| 253 | +as part of the external_url. | |
| 224 | 254 | |
| 225 | 255 | ```ruby | 
| 226 | 256 | external_url "https://gitlab.example.com:2443" | 
| 227 | -nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt" | |
| 228 | -nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key" | |
| 229 | -``` | |
| 230 | - | |
| 231 | -Create the default ssl certifcate directory and add the files: | |
| 232 | - | |
| 233 | -``` | |
| 234 | -sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl | |
| 235 | -sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/ | |
| 236 | -# run lokkit to open https on the firewall | |
| 237 | -sudo lokkit -s https | |
| 238 | -# if you are using a non standard https port | |
| 239 | -sudo lokkit -p 2443:tcp | |
| 240 | 257 | ``` | 
| 241 | 258 | |
| 242 | 259 | Run `sudo gitlab-ctl reconfigure` for the change to take effect. | ... | ... |
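Review bot: The heading at new line 250 still promises "the ssl certificate locations", but the section under it now only covers the port, because the `nginx['ssl_certificate']` and `nginx['ssl_certificate_key']` lines are removed and nothing replaces them. Either keep those two settings in the example under that heading or shorten the heading to the port change, and state in the opening paragraph whether the file names in `/etc/gitlab/ssl/` have to match the host in `external_url`. The same section also loses `sudo lokkit -p 2443:tcp`, so the firewall paragraph at new lines 227-236 should mention that a non-default port needs its own rule. In the copy step the directory is set to 700 but the key file's mode is left to whatever `cp` produces; an explicit `sudo chmod 600 /etc/gitlab/ssl/gitlab.example.com.key` would make the intended permissions visible.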