You are here

GitLab: Docker container + HTTPS + SSH + reverse proxy

GitLabI had been running GitLab in a Docker container for a while now. And it was time to review the installation. Firstly, it was four version late at least. Secondly, I wanted to switch it to HTTPS. Thirdly, I wanted to provide SSH access to git. As I run several other dockerized web applications on my server, I use jwilder's nginx reverse proxy. After some tests (thanks to Docker!), I found one working configuration. And here are the steps I followed to upgrade:

  • stop current nginx-proxy container
  • backup the data volume I had created to store nginx vhost information. Just in case...
  • create a host directory, where to store certificate for HTTPS. Let's call it <containerCerts>
  • create and run the new container:
docker run -d -p 80:80 -p 443:443 --name="<containerName>" \
-v <previousContainerDirectory>:/etc/nginx/vhost.d:ro \
-v <containerCerts>:/etc/nginx/certs \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
  • check that all web applications are still reachable
  • stop current running GitLab container
  • backup the three data volumes. Just in case...
  • create and start the new GitLab container:
docker run --detach \
--hostname <FQDNForTheContainer> \
--env VIRTUAL_HOST=<FQDNForTheContainer> \
--publish <availablePortOnHost>:80 --publish <anotherAvailablePortOnHost>:22 \
--name <gitLabContainerName> \
--restart always \
--volume <previousContainerConfigDirectory>:/etc/gitlab \
--volume <previousContainerLogsDirectory>:/var/log/gitlab \
--volume <previousContainerLogDirectory>:/var/opt/gitlab \
  • wait for http://<FQDNForTheContainer> to be available
  • modify <previousContainerConfigDiretory>/gitlab.rb so to contain:
# Note the protocol: https.
external_url ''

# These values should already be configured from previous container.
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = '<emailFrom>'
gitlab_rails['gitlab_email_display_name'] = '<displayName>'
gitlab_rails['gitlab_email_reply_to'] = '<emailReplyTo>'

# Same for these ones.
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "<SMTPServer>"
gitlab_rails['smtp_port'] = <SMTPPort>
gitlab_rails['smtp_user_name'] = "<SMTPUsername>"
gitlab_rails['smtp_password'] = "<SMTPPassword>"
gitlab_rails['smtp_domain'] = "<SMTPDomain>"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'none'

# For HTTPS handling in association with the reverse proxy. Users connect to
# the reverse proxy using HTTPS. The reverse proxy connects to GitLab using HTTP.
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"
  • reconfigure GitLab:
docker exec -it <gitLabContainerName> /bin/bash
gitlab-ctl reconfigure
  • create a self-signed certificate (I don't have real certificates for now):
openssl genrsa -out <FQDNForTheContainer>.key 2048
openssl req -new -key <FQDNForTheContainer>.key -out <FQDNForTheContainer>.csr
openssl x509 -req -days 730 -in <FQDNForTheContainer>.csr -signkey <FQDNForTheContainer>.key -out <FQDNForTheContainer>.crt
  • copy key and crt files to <containerCerts> directory
  • restart reverse proxy container

GitLab container is now reachable at https://<FQDNForTheContainer>. As the certificate is self-signed, the browser displays a warning, of course.

git can be accessed using SSH and a key pair (check GitLab documentation) using following syntax:

git clone ssh://git@<FQDNForTheContainer>:<anotherAvailablePortOnHost>/<project.git>

That's it.

Reference documentation