use nginx as http proxy and an external nginx for https
I have in my gitlab.rb
nginx['listen_port'] = 80 # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
nginx['proxy_set_headers'] = {
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"
}I have an external nginx https proxy with this configuration :
server {
listen 443 ssl http2;
server_name git.mydomain.com;
server_tokens off;
root /dev/null;
## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size 0;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
## include domain ssl config
ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/ssl/certs/wildcard.mydomain.com.chained.crt;
ssl_certificate_key /etc/ssl/private/wildcard.mydomain.com.key;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits or better
ssl_dhparam /etc/ssl/dhparam-2048.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
## OCSP Stapling ---
## fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/GandiStandardSSLCA2.pem;
## Redirect all request
location / {
gzip off;
## set upstream
set $upstream git.service.consul;
## include upstream config
proxy_pass http://$upstream;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 900;
proxy_send_timeout 900;
}
access_log /var/log/nginx/git_access.log;
error_log /var/log/nginx/git_error.log;
}The proxy on port 443 isn't working so I need to test the nginx:80 (gitlab-ce) and nginx:443 (my public proxy)
I have tried to do curl the gitlab-ce http:80 nginx server but I have the following error :
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocolIs there a way to tell gitlab-ce I need to access using http ?