Commit 2010ce18f18f2ad5194787606c29b622b61bbbfa
1 parent
3d33a1cd
Exists in
7-1-stable-ee
and in
1 other branch
Improve organization of the HTTPS documentation
Showing
1 changed file
with
34 additions
and
17 deletions
Show diff stats
README.md
| @@ -206,37 +206,54 @@ Run `sudo gitlab-ctl reconfigure` for the LDAP settings to take effect. | @@ -206,37 +206,54 @@ Run `sudo gitlab-ctl reconfigure` for the LDAP settings to take effect. | ||
| 206 | 206 | ||
| 207 | ### Enable HTTPS | 207 | ### Enable HTTPS |
| 208 | 208 | ||
| 209 | -By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the | ||
| 210 | -following line to `/etc/gitlab/gitlab.rb`. | 209 | +By default, omnibus-gitlab does not use HTTPS. If you want to enable |
| 210 | +HTTPS for gitlab.example.com, first place your key and certificate in | ||
| 211 | +`/etc/gitlab/ssl/gitlab.example.com.key` and | ||
| 212 | +`/etc/gitlab/ssl/gitlab.example.com.crt`, respectively. | ||
| 213 | + | ||
| 214 | +``` | ||
| 215 | +sudo mkdir -p /etc/gitlab/ssl | ||
| 216 | +sudo chmod 700 /etc/gitlab/ssl | ||
| 217 | +sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/ | ||
| 218 | +``` | ||
| 219 | + | ||
| 220 | +Next, add the following line to `/etc/gitlab/gitlab.rb` and run `sudo | ||
| 221 | +gitlab-ctl reconfigure`. | ||
| 211 | 222 | ||
| 212 | ```ruby | 223 | ```ruby |
| 213 | external_url "https://gitlab.example.com" | 224 | external_url "https://gitlab.example.com" |
| 214 | ``` | 225 | ``` |
| 215 | 226 | ||
| 216 | -Redirect `HTTP` requests to `HTTPS`. | 227 | +If you are using a firewall you may have to open port 443 to allow inbound |
| 228 | +HTTPS traffic. | ||
| 229 | + | ||
| 230 | +``` | ||
| 231 | +# UFW example (Debian, Ubuntu) | ||
| 232 | +sudo ufw allow https | ||
| 233 | + | ||
| 234 | +# lokkit example (RedHat, CentOS) | ||
| 235 | +sudo lokkit -s https | ||
| 236 | +``` | ||
| 237 | + | ||
| 238 | +#### Redirect `HTTP` requests to `HTTPS`. | ||
| 239 | + | ||
| 240 | +By default, when you specify an external_url starting with 'https', Nginx will | ||
| 241 | +no longer listen for unencrypted HTTP traffic on port 80. If you want to | ||
| 242 | +redirect all HTTP traffic to HTTPS you can use the `redirect_http_to_https` | ||
| 243 | +setting. | ||
| 217 | 244 | ||
| 218 | ```ruby | 245 | ```ruby |
| 219 | external_url "https://gitlab.example.com" | 246 | external_url "https://gitlab.example.com" |
| 220 | nginx['redirect_http_to_https'] = true | 247 | nginx['redirect_http_to_https'] = true |
| 221 | ``` | 248 | ``` |
| 222 | 249 | ||
| 223 | -Change the default port and the ssl certificate locations. | 250 | +#### Change the default port and the ssl certificate locations. |
| 251 | + | ||
| 252 | +If you need to use an HTTPS port other than the default (443), just specify it | ||
| 253 | +as part of the external_url. | ||
| 224 | 254 | ||
| 225 | ```ruby | 255 | ```ruby |
| 226 | external_url "https://gitlab.example.com:2443" | 256 | external_url "https://gitlab.example.com:2443" |
| 227 | -nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt" | ||
| 228 | -nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key" | ||
| 229 | -``` | ||
| 230 | - | ||
| 231 | -Create the default ssl certifcate directory and add the files: | ||
| 232 | - | ||
| 233 | -``` | ||
| 234 | -sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl | ||
| 235 | -sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/ | ||
| 236 | -# run lokkit to open https on the firewall | ||
| 237 | -sudo lokkit -s https | ||
| 238 | -# if you are using a non standard https port | ||
| 239 | -sudo lokkit -p 2443:tcp | ||
| 240 | ``` | 257 | ``` |
| 241 | 258 | ||
| 242 | Run `sudo gitlab-ctl reconfigure` for the change to take effect. | 259 | Run `sudo gitlab-ctl reconfigure` for the change to take effect. |