After fiddling around for two days with installing packages, adjusting configs and restarting services, I finally got GitLab to work on my Virtual Server with Plesk Onyx and SSL encryption. For anyone having the same idea, here is how I did it step by step.
- In Plesk create a new domain or subdomain, e.g. gitlab.example.com.
- Secure the domain with Let’s Encrypt as described here https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-ssltls-certificate-from-lets-encrypt.77233/.
- Log into your server via SSH.
- Install Omnibus GitLab as described here https://about.gitlab.com/installation/#ubuntu.
- Install dependencies.
sudo apt-get update sudo apt-get install -y curl openssh-server ca-certificates postfix
- Add the GitLab package repository.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
- Install the GitLab package.
Replace gitlab.example.com with your FQDN and make sure the URL starts with https.sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
- Install dependencies.
- Disable the bundled web-server as described here https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server. The Plesk Apache will take care of that.
- Edit the /etc/gitlab/gitlab.rb config file.
Disable nginx.nginx['enable'] = false
Add the Plesk user. Replace plesk_user with the username for the webspace of the domain.web_server['external_users'] = ['www-data', 'plesk_user']
Adjust the group. Found that information here https://www.jonasjuffinger.com/2017/03/26/gitlab-with-plesk-and-lets-encrypt/.web_server['group'] = 'psacln'
- We can skip the trusted proxies, but we need to do the optional step because we are using Apache as web-server.
gitlab_workhorse['listen_network'] = "tcp" gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
- Apply the changes to /etc/gitlab/gitlab.rb.
sudo gitlab-ctl reconfigure
- Apply the web server configs in Plesk. Go to Apache & nginx Settings of the domain. We will use the contents of the file gitlab-omnibus-ssl-apache24.conf and adjust them to our needs.
Additional directives for HTTP. Replace YOUR_SERVER_FQDN with your domain name (without https://).# This configuration has been tested on GitLab 8.2 # Note this config assumes unicorn is listening on default port 8080 and # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to # listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following: # # gitlab_workhorse['listen_network'] = "tcp" # gitlab_workhorse['listen_addr'] = "127.0.0.1:8181" # #Module dependencies # mod_rewrite # mod_ssl # mod_proxy # mod_proxy_http # mod_headers # This section is only needed if you want to redirect http traffic to https. # You can live without it but clients will have to type in https:// to reach gitlab. ServerName YOUR_SERVER_FQDN ServerSignature Off RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
Next up for HTTPS we will need the file names of the Let’s Encrypt files we created earlier. The file names are obfuscated by Plesk, but you can find out which is the right one by having a look at the last Apache or nginx config files of your domain as described here https://talk.plesk.com/threads/ssl-certificate-files-location.336076/.cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_nginx.conf cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_httpd.conf
Look for ssl_certificate and ssl_client_certificate in last_nginx.conf or SSLCertificateFile and SSLCACertificateFile in last_httpd.conf. Copy the obfuscated file names.
Additional directives for HTTPS. Replace YOUR_SERVER_FQDN with your domain name (6 times). Also replace YOUR_CERTIFICATE_FILE and YOUR_CA_CERTIFICATE_FILE with the file names we just found out.SSLEngine on #strong encryption ciphers only #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html SSLProtocol all -SSLv2 SSLHonorCipherOrder on SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" SSLCompression Off #SSLCertificateFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE #SSLCertificateKeyFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE #SSLCACertificateFile /opt/psa/var/certificates/YOUR_CA_CERTIFICATE_FILE ServerName YOUR_SERVER_FQDN ServerSignature Off ProxyPreserveHost On # Ensure that encoded slashes are not decoded but left in their encoded state. # http://doc.gitlab.com/ce/api/projects.html#get-single-project AllowEncodedSlashes NoDecode # New authorization commands for apache 2.4 and up # http://httpd.apache.org/docs/2.4/upgrading.html#access Require all granted #Allow forwarding to gitlab-workhorse ProxyPassReverse http://127.0.0.1:8181 ProxyPassReverse http://YOUR_SERVER_FQDN/ # Apache equivalent of nginx try files # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab RewriteEngine on #Forward all requests to gitlab-workhorse except existing files like error documents
#and except the Let's Encrypt challenge RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR] RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+$ [NC] RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE] RequestHeader set X_FORWARDED_PROTO 'https' RequestHeader set X-Forwarded-Ssl on # needed for downloading attachments DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. ErrorDocument 404 /404.html ErrorDocument 422 /422.html ErrorDocument 500 /500.html ErrorDocument 502 /502.html ErrorDocument 503 /503.html # It is assumed that the log directory is in /var/log/httpd. # For Debian distributions you might want to change this to # /var/log/apache2. LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded ErrorLog /var/log/apache2/YOUR_SERVER_FQDN_error.log CustomLog /var/log/apache2/YOUR_SERVER_FQDN_forwarded.log common_forwarded CustomLog /var/log/apache2/YOUR_SERVER_FQDN_access.log combined env=!dontlog CustomLog /var/log/apache2/YOUR_SERVER_FQDN.log combine
- Edit the /etc/gitlab/gitlab.rb config file.
That’s it! If we are lucky your new GitLab should be available and accessible through your new domain! Otherwise go through the default troubleshooting before doing enything else.
Troubleshooting
- Have a look at the error logs.
- Reconfigure GitLab.
sudo gitlab-ctl reconfigure
- Restart GitLab.
sudo gitlab-ctl restart
- Restart the server.
Side note
In my case the nginx service is disabled in Plesk and Apache is the only web-server running. I was encountering errors because of the Smart static files processing checkbox being enabled and nginx was not installed by default anyway so I disabled the service.
Disclaimer
The steps above worked for me and my system and I am happy to share them with you. However I am not a professional Administrator and I won’t take responsibility for any issues you may encounter by following these instructions. Be careful and use it at your own risk.
Feel free to contact me if there are errors in the instructions, steps missing or when you have ideas on how to improve it.
Hello,
I am trying to install gitlab on a Virtual Private Server with plesk.
I followed your tutorial but it didn’t work…
There is always a an error while I try to reconfigure. The error is always different but often it fails trying to start services, each time a different one.
It never starts all services, there is allways some services down.
Did you have any problem with gitlab services (gitaly, sidekiq, unicorn…)? Did they started properly without issues?
Hi Santi,
I am sorry to hear that the tutorial did not work for you. I had to fiddle around with the setup myself a lot until I found a working solution. That is why I made the tutorial!
Unfortunately (or fortunately :D) I did not have any issues you are describing. I can not remember any problems with the reconfiguration or services of GitLab. I can only give some general advice here. Have you checked the minimum requirements of the server hardware? I had to upgrade my Virtual Server because it did not have enough RAM. Maybe this could be a reason when not all services are starting up.
Cheers and good luck!
Chris
Thanks a lot for your response. I managed to get it working through Docker. It works quite well so I don’t think it’s an issue with resources.
I will keep it this way for now. Maybe I will try again later.
Anyway, your tutorial is very helpful and I learnt a lot with it 🙂
Thanks! I am happy you found a way to get it working! 🙂
Thanks for your tutorial! I followed the description and everything worked so far. But when I want to open gitlab in my browser, I always get the 500 error page from gitlab. Do you have any idea why?
I fixed the problem: I had to enable the proxy_http Apache module in Plesk.
Awesome! Thanks for coming back and posting the solution!
For others encountering similar problems: I would have recommended to check if the server provides enough RAM and to check the nginx settings. Both Plesk and GitLab have an nginx service and running both at the same time will probably cause issues. As I stated in the side note I disabled the Plesk nginx.
Thanks again for your reply! Have fun with your own GitLab!
Hey Thanks for your tutorial, I#ve encountered a few issues here:
1. The Require all granted in https conf throws the following error:
AH00526: Syntax error on line 24 of /var/www/vhosts/system/xxxx/conf/vhost_ssl.conf: Require not allowed here
2. ProxyPassReverse throws the following error for both cases:
AH00526: Syntax error on line 27 of /var/www/vhosts/system/xxxx/conf/vhost_ssl.conf: ProxyPassReverse needs a path when not defined in a location
And 3.
the page i can open with my URL looks plain without css and i only get the password reset page nothing else.
hope you can help here
addition:
the css and javascript files aren’t loaded. with the following error in browser console:
MIME type mismatch (X-Content-Type-Options: nosniff)
Nevermind.
https://www.jonasjuffinger.com/2017/03/26/gitlab-with-plesk-and-lets-encrypt/
this https / http conf worked for me! will just leave it here.
thanks for everyting
Hi Marvin,
You solved it so fast I couldn’t even look at the issue! I’m glad you found a solution. Thanks for getting back here and for posting what worked for you! Hopefully others can profit from that now, too.
Cheers,
Chris
Hey there 🙂
So I got everything set up, but the Gitlab won’t send any emails. I’ve tried it with the SMTP settings as well, but sadly nothing works out.
Any idea, how I could make it work?
Hi Keenora,
Thank you for your message. I’m glad you got the main part of the tutorial working!
Unfortunately I don’t know how to solve the issue with the mails right away, but can you check the logs for any possible errors regarding this issue? Once we have a specific error message it’s probably easy to find a solution.
Feel free to post the error message here or even the solution if you find one.
Cheers,
Chris