Skip to content

Add Puma config support for SSL

Stan Hu requested to merge sh-add-puma-ssl-support into master

What does this MR do?

To encrypt communication between Workhorse and Puma, some environments may want to enable encryption on Puma.

Sample config:

puma['ssl_listen'] = "127.0.0.1"
puma['ssl_port'] = 9111
puma['ssl_certificate'] = '/path/to/readable-certs/internal.example.crt'
puma['ssl_certificate_key'] = '/path/to/readable-certs/gitlab.example.key'

Note that the Puma user (git) MUST have permission to read the certificate and keys. /etc/gitlab/ssl is normally not readable by this user. Unlike NGINX, Puma does not initially run as the root user and then fork workers with a less privileged user.

If a certificate or key cannot be loaded, Puma currently does not fail to start. Instead, it binds to the SSL port and rejects the client with an obscure no shared cipher error. https://github.com/puma/puma/pull/2848 would make this a hard failure.

Related issues

Part of gitlab#353013 (closed)

Testing locally

  1. Install mkcert (https://github.com/FiloSottile/mkcert/releases).
  2. Run mkcert -install to install the local CA.
  3. Run:
cd /var/opt/gitlab/gitlab-rails/etc
mkcert -cert-file puma.localhost.pem -key-file puma.localhost-key.pem puma.localhost 127.0.0.1 ::1 # Puma doesn't handle + in filenames correctly
chown git:git puma.localhost*
  1. In /etc/gitlab/gitlab.rb:
puma['ssl_listen'] = "127.0.0.1"
puma['ssl_port'] = 9111
puma['ssl_certificate'] = '/var/opt/gitlab/gitlab-rails/etc/puma.localhost.pem'
puma['ssl_certificate_key'] = '/var/opt/gitlab/gitlab-rails/etc/puma.localhost-key.pem'
puma['listen'] = "" # Disable HTTP
  1. Run gitlab-ctl reconfigure

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by Stan Hu

Merge request reports