
Install GitLab 11 on Ubuntu 16.04 LTS with Plesk 17 Onyx and HTTPS / SSL

After fiddling around for two days with installing packages, adjusting configs and restarting services, I finally got GitLab to work on my Virtual Server with Plesk Onyx and SSL encryption. For anyone having the same idea, here is how I did it step by step.

  1. In Plesk create a new domain or subdomain, e.g. gitlab.example.com.
  2. Secure the domain with Let’s Encrypt as described here https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-ssltls-certificate-from-lets-encrypt.77233/.
  3. Log into your server via SSH.
  4. Install Omnibus GitLab as described here https://about.gitlab.com/installation/#ubuntu.
    1. Install dependencies.
      sudo apt-get update
      sudo apt-get install -y curl openssh-server ca-certificates postfix
    2. Add the GitLab package repository.
      curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
    3. Install the GitLab package.
      Replace gitlab.example.com with your FQDN and make sure the URL starts with https.
      sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
  5. Disable the bundled web-server as described here https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server. The Plesk Apache will take care of that.
    1. Edit the /etc/gitlab/gitlab.rb config file.
      Disable nginx.
      nginx['enable'] = false
      Add the Plesk user. Replace plesk_user with the username for the webspace of the domain.
      web_server['external_users'] = ['www-data', 'plesk_user']
      Adjust the group. I found that information here https://www.jonasjuffinger.com/2017/03/26/gitlab-with-plesk-and-lets-encrypt/.
      web_server['group'] = 'psacln'
    2. We can skip the trusted proxies, but we need to do the optional step (workhorse listening on TCP) because we are using Apache as the web server.
      gitlab_workhorse['listen_network'] = "tcp"
      gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
    3. Apply the changes to /etc/gitlab/gitlab.rb.
      sudo gitlab-ctl reconfigure
    4. Apply the web server configs in Plesk. Go to Apache & nginx Settings of the domain. We will use the contents of the file gitlab-omnibus-ssl-apache24.conf and adjust them to our needs.
      Additional directives for HTTP. Replace YOUR_SERVER_FQDN with your domain name (without https://).
      # This configuration has been tested on GitLab 8.2
      # Note this config assumes unicorn is listening on default port 8080 and
      # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
      # listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
      #
      # gitlab_workhorse['listen_network'] = "tcp"
      # gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
      #
      #Module dependencies
      # mod_rewrite
      # mod_ssl
      # mod_proxy
      # mod_proxy_http
      # mod_headers
      
      # This section is only needed if you want to redirect http traffic to https.
      # You can live without it but clients will have to type in https:// to reach gitlab.
      
      ServerName YOUR_SERVER_FQDN
      ServerSignature Off
      
      RewriteEngine on
      RewriteCond %{HTTPS} !=on
      RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
      Next up for HTTPS we will need the file names of the Let’s Encrypt files we created earlier. The file names are obfuscated by Plesk, but you can find out which is the right one by having a look at the last Apache or nginx config files of your domain as described here https://talk.plesk.com/threads/ssl-certificate-files-location.336076/.
      cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_nginx.conf
      cat /var/www/vhosts/system/YOUR_SERVER_FQDN/conf/last_httpd.conf
      Look for ssl_certificate and ssl_client_certificate in last_nginx.conf or SSLCertificateFile and SSLCACertificateFile in last_httpd.conf. Copy the obfuscated file names.
      Additional directives for HTTPS. Replace YOUR_SERVER_FQDN with your domain name (6 times). Also replace YOUR_CERTIFICATE_FILE and YOUR_CA_CERTIFICATE_FILE with the file names we just found.
      SSLEngine on
      #strong encryption ciphers only
      #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
      SSLProtocol all -SSLv2
      SSLHonorCipherOrder on
      SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
      Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
      SSLCompression Off
      #SSLCertificateFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE
      #SSLCertificateKeyFile /opt/psa/var/certificates/YOUR_CERTIFICATE_FILE
      #SSLCACertificateFile /opt/psa/var/certificates/YOUR_CA_CERTIFICATE_FILE
      
      ServerName YOUR_SERVER_FQDN
      ServerSignature Off
      
      ProxyPreserveHost On
      
      # Ensure that encoded slashes are not decoded but left in their encoded state.
      # http://doc.gitlab.com/ce/api/projects.html#get-single-project
      AllowEncodedSlashes NoDecode
      
      # New authorization commands for apache 2.4 and up
      # http://httpd.apache.org/docs/2.4/upgrading.html#access
      Require all granted
      
      #Allow forwarding to gitlab-workhorse
      ProxyPassReverse http://127.0.0.1:8181
      ProxyPassReverse http://YOUR_SERVER_FQDN/
      
      # Apache equivalent of nginx try files
      # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
      # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
      RewriteEngine on
      
      #Forward all requests to gitlab-workhorse except existing files like error documents
      #and except the Let's Encrypt challenge
      RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
      RewriteCond %{REQUEST_URI} ^/uploads/.*
      RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/[0-9a-zA-Z_-]+$ [NC]
      RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
      
      RequestHeader set X_FORWARDED_PROTO 'https'
      RequestHeader set X-Forwarded-Ssl on
      
      # needed for downloading attachments
      DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
      
      #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
      ErrorDocument 404 /404.html
      ErrorDocument 422 /422.html
      ErrorDocument 500 /500.html
      ErrorDocument 502 /502.html
      ErrorDocument 503 /503.html
      
      # It is assumed that the log directory is in /var/log/httpd.
      # For Debian distributions you might want to change this to
      # /var/log/apache2.
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
      ErrorLog /var/log/apache2/YOUR_SERVER_FQDN_error.log
      CustomLog /var/log/apache2/YOUR_SERVER_FQDN_forwarded.log common_forwarded
      CustomLog /var/log/apache2/YOUR_SERVER_FQDN_access.log combined env=!dontlog
      CustomLog /var/log/apache2/YOUR_SERVER_FQDN.log combined
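Before declaring victory, it helps to verify that the step 5 edits actually landed and that only Apache is reachable from outside. The following check script is an added example, not part of the original post or of GitLab/Plesk; it assumes the values used above (workhorse on 127.0.0.1:8181, group psacln, Apache user www-data) and works on a constructed sample gitlab.rb, with the live checks run only when you pass your FQDN as an argument on the server.

```shell
#!/bin/sh
# Post-install check for the Plesk + Apache + GitLab layout from the steps above.
# Assumes the values used there: workhorse on 127.0.0.1:8181, group psacln,
# Apache user www-data. The sample gitlab.rb below is constructed for the demo.
# check_gitlab_rb FILE PLESK_USER
# Returns 0 when FILE contains every setting from step 5, else prints what is
# missing and returns 1. Exact-string matches, so spacing must match gitlab.rb.
check_gitlab_rb() {
    f="$1"; u="$2"; rc=0
    for want in \
        "nginx['enable'] = false" \
        "gitlab_workhorse['listen_network'] = \"tcp\"" \
        "gitlab_workhorse['listen_addr'] = \"127.0.0.1:8181\"" \
        "web_server['group'] = 'psacln'"
    do
        grep -qF -- "$want" "$f" || { echo "missing: $want"; rc=1; }
    done
    # external_users must list the Apache user and the Plesk webspace user
    line=$(grep "^web_server\['external_users'\]" "$f" || true)
    case "$line" in
        *"'www-data'"*"'$u'"*) ;;
        *) echo "missing: web_server['external_users'] with www-data and $u"; rc=1 ;;
    esac
    return $rc
}

# live_checks FQDN: run on the server itself after gitlab-ctl reconfigure.
live_checks() {
    fqdn="$1"
    # workhorse must be bound to loopback only; Apache is the only public listener
    ss -ltn | grep -q '127\.0\.0\.1:8181 ' || echo "workhorse not on 127.0.0.1:8181"
    # plain HTTP must redirect to HTTPS (RewriteRule in the HTTP directives)
    curl -sI "http://$fqdn/" | grep -qi '^location: https://' || echo "no https redirect"
    # HSTS header must be sent by the HTTPS directives
    curl -sI "https://$fqdn/" | grep -qi '^strict-transport-security' || echo "no HSTS"
}
# Constructed sample matching the edits from step 5 (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
nginx['enable'] = false
web_server['external_users'] = ['www-data', 'plesk_user']
web_server['group'] = 'psacln'
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
EOF
check_gitlab_rb "$sample" plesk_user && echo "gitlab.rb: all step-5 settings present"
rm -f "$sample"
if [ "$#" -eq 1 ]; then live_checks "$1"; fi
```

Run it as `sh check.sh gitlab.example.com` on the server to add the live checks; without an argument it only validates the sample file.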

That’s it! If we are lucky your new GitLab should be available and accessible through your new domain! Otherwise go through the default troubleshooting before doing anything else.

Troubleshooting

  • Have a look at the error logs.
  • Reconfigure GitLab.
    sudo gitlab-ctl reconfigure
  • Restart GitLab.
    sudo gitlab-ctl restart
  • Restart the server.

Side note

In my case the nginx service is disabled in Plesk and Apache is the only web-server running. I was encountering errors because of the Smart static files processing checkbox being enabled and nginx was not installed by default anyway so I disabled the service.

Disclaimer

The steps above worked for me and my system and I am happy to share them with you. However I am not a professional Administrator and I won’t take responsibility for any issues you may encounter by following these instructions. Be careful and use it at your own risk.

Feel free to contact me if there are errors in the instructions, steps missing or when you have ideas on how to improve it.

Published by

Chris

Christian Kauppert is a freelance game engine developer and VFX compositor living in Berlin. He uses this blog to show and write about selected works. Occasionally Chris also writes about issues and solutions he stumbles upon while developing interactive experiences and games.
