Logos of GitLab and Plesk

Install GitLab 11 on Ubuntu 16.04 LTS with Plesk 17 Onyx and HTTPS / SSL

After fiddling around for two days with installing packages, adjusting configs and restarting services, I finally got GitLab to work on my Virtual Server with Plesk Onyx and SSL encryption. For anyone having the same idea, here is how I did it step by step.

  1. In Plesk create a new domain or subdomain, e.g. gitlab.example.com.
  2. Secure the domain with Let’s Encrypt as described here https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-ssltls-certificate-from-lets-encrypt.77233/.
  3. Log into your server via SSH.
  4. Install Omnibus GitLab as described here https://about.gitlab.com/installation/#ubuntu.
    1. Install dependencies.
      sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates postfix
    2. Add the GitLab package repository.
      curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
    3. Install the GitLab package.
      Replace gitlab.example.com with your FQDN and make sure the URL starts with https.
      sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
  5. Disable the bundled web-server as described here https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server. The Plesk Apache will take care of that.
    1. Edit the /etc/gitlab/gitlab.rb config file.
      Disable nginx.
      nginx['enable'] = false
      Add the Plesk user. Replace plesk_user with the username for the webspace of the domain.
      web_server['external_users'] = ['www-data', 'plesk_user']
      Adjust the group. Found that information here https://www.jonasjuffinger.com/2017/03/26/gitlab-with-plesk-and-lets-encrypt/.
      web_server['group'] = 'psacln'
    2. We can skip the trusted proxies, but we need to do the optional step because we are using Apache as web-server.
      gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
    3. Apply the changes to /etc/gitlab/gitlab.rb.
      sudo gitlab-ctl reconfigure
    4. Apply the web server configs in Plesk. Go to Apache & nginx Settings of the domain. We will use the contents of the file gitlab-omnibus-ssl-apache24.conf and adjust them to our needs.
      Additional directives for HTTP. Replace YOUR_SERVER_FQDN with your domain name (without https://).
      # This configuration has been tested on GitLab 8.2
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers

# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.

ServerName YOUR_SERVER_FQDN
ServerSignature Off

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
      Next up for HTTPS we will need the file names of the Let’s Encrypt files we created earlier. The file names are obfuscated by Plesk, but you can find out which is the right one by having a look at the last Apache or nginx config files of your domain as described here https://talk.plesk.com/threads/ssl-certificate-files-location.336076/.
      cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_nginx.conf
cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_httpd.conf
      Look for ssl_certificate and ssl_client_certificate in last_nginx.conf or SSLCertificateFile and SSLCACertificateFile in last_httpd.conf. Copy the obfuscated file names.
      Additional directives for HTTPS. Replace YOUR_SERVER_FQDN with your domain name (6 times). Also replace YOUR_CERTIFICATE_FILE and YOUR_CA_CERTIFICATE_FILE with the file names we just found out.
      SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
#SSLCertificateFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE
#SSLCertificateKeyFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE
#SSLCACertificateFile /opt/psa/var/certificates/YOUR_CA_CERTIFICATE_FILE

ServerName YOUR_SERVER_FQDN
ServerSignature Off

ProxyPreserveHost On

# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode

# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted

#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://YOUR_SERVER_FQDN/

# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on

#Forward all requests to gitlab-workhorse except existing files like error documents
      #and except the Let's Encrypt challenge
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
      RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+$ [NC]
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html

# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/apache2/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/apache2/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/apache2/YOUR_SERVER_FQDN.log combine

That’s it! If we are lucky your new GitLab should be available and accessible through your new domain! Otherwise go through the default troubleshooting before doing enything else.

Troubleshooting

  • Have a look at the error logs.
  • Reconfigure GitLab. 
    sudo gitlab-ctl reconfigure
  • Restart GitLab. 
    sudo gitlab-ctl restart
  • Restart the server.

Side note

In my case the nginx service is disabled in Plesk and Apache is the only web-server running. I was encountering errors because of the Smart static files processing checkbox being enabled and nginx was not installed by default anyway so I disabled the service.

Disclaimer

The steps above worked for me and my system and I am happy to share them with you. However I am not a professional Administrator and I won’t take responsibility for any issues you may encounter by following these instructions. Be careful and use it at your own risk.

Feel free to contact me if there are errors in the instructions, steps missing or when you have ideas on how to improve it.

Published by

Chris

Christian Kauppert is CTO & Head of XR Engineering at MSM.digital AR / VR Labs. Before he worked as a freelance Unity developer and VFX compositor for over 9 years. He uses this blog to show and write about selected works. Occasionally Chris also writes about issues and solutions he stumbles upon while developing interactive experiences and XR applications.

13 thoughts on “Install GitLab 11 on Ubuntu 16.04 LTS with Plesk 17 Onyx and HTTPS / SSL”

  1. Hello,
    I am trying to install gitlab on a Virtual Private Server with plesk.

    I followed your tutorial but it didn’t work…
    There is always a an error while I try to reconfigure. The error is always different but often it fails trying to start services, each time a different one.

    It never starts all services, there is allways some services down.

    Did you have any problem with gitlab services (gitaly, sidekiq, unicorn…)? Did they started properly without issues?

    Reply

    1. Hi Santi,

      I am sorry to hear that the tutorial did not work for you. I had to fiddle around with the setup myself a lot until I found a working solution. That is why I made the tutorial!

      Unfortunately (or fortunately :D) I did not have any issues you are describing. I can not remember any problems with the reconfiguration or services of GitLab. I can only give some general advice here. Have you checked the minimum requirements of the server hardware? I had to upgrade my Virtual Server because it did not have enough RAM. Maybe this could be a reason when not all services are starting up.

      Cheers and good luck!
      Chris

      Reply

      1. Thanks a lot for your response. I managed to get it working through Docker. It works quite well so I don’t think it’s an issue with resources.
        I will keep it this way for now. Maybe I will try again later.
        Anyway, your tutorial is very helpful and I learnt a lot with it 🙂

        Reply

  2. Thanks for your tutorial! I followed the description and everything worked so far. But when I want to open gitlab in my browser, I always get the 500 error page from gitlab. Do you have any idea why?

    Reply

      1. Awesome! Thanks for coming back and posting the solution!

        For others encountering similar problems: I would have recommended to check if the server provides enough RAM and to check the nginx settings. Both Plesk and GitLab have an nginx service and running both at the same time will probably cause issues. As I stated in the side note I disabled the Plesk nginx.

        Thanks again for your reply! Have fun with your own GitLab!

        Reply

  3. Hey Thanks for your tutorial, I#ve encountered a few issues here:

    1. The Require all granted in https conf throws the following error:
    AH00526: Syntax error on line 24 of /var/www/vhosts/system/xxxx/conf/vhost_ssl.conf: Require not allowed here

    2. ProxyPassReverse throws the following error for both cases:

    AH00526: Syntax error on line 27 of /var/www/vhosts/system/xxxx/conf/vhost_ssl.conf: ProxyPassReverse needs a path when not defined in a location

    And 3.
    the page i can open with my URL looks plain without css and i only get the password reset page nothing else.

    hope you can help here

    Reply

    1. addition:

      the css and javascript files aren’t loaded. with the following error in browser console:

      MIME type mismatch (X-Content-Type-Options: nosniff)

      Reply

        1. Hi Marvin,

          You solved it so fast I couldn’t even look at the issue! I’m glad you found a solution. Thanks for getting back here and for posting what worked for you! Hopefully others can profit from that now, too.

          Cheers,
          Chris

          Reply

  4. Hey there 🙂
    So I got everything set up, but the Gitlab won’t send any emails. I’ve tried it with the SMTP settings as well, but sadly nothing works out.

    Any idea, how I could make it work?

    Reply

    1. Hi Keenora,

      Thank you for your message. I’m glad you got the main part of the tutorial working!

      Unfortunately I don’t know how to solve the issue with the mails right away, but can you check the logs for any possible errors regarding this issue? Once we have a specific error message it’s probably easy to find a solution.

      Feel free to post the error message here or even the solution if you find one.

      Cheers,
      Chris

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *