Install GitLab behind a reverse proxy on a Ubuntu 20.04\22.04 server

I have been using caddy as a reverse proxy. See more at Caddy.

Step 1 - Get a Ubuntu server

You can buy a Ubuntu server from any provider you like. Don't forget to follow the best practices here.

Step 2 - Install GitLab

Installing GitLab is super easy. Reference here

sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

Since we are going to deploy GitLab behind reverse proxy, let's use an internal address first. DO NOT use HTTPS here!

sudo EXTERNAL_URL="http://gitlab.local" apt-get install gitlab-ee

Step 3 - Configure HTTP reverse proxy

For caddy server tips, you can reference the blog mentioned here.

Now edit our Caddyfile to respect the reverse proxy settings:

gitlab.aiursoft.cn { # This is our production domain!
        encode gzip
        reverse_proxy http://gitlab.local { # This is our internal domain!
                header_up Host gitlab.aiursoft.cn # This is our production domain!
        }
}

Don't forget to copy the reverse proxy server IP address! For example: 172.16.1.100.

Step 4 - Configure GitLab to respect our HTTP reverse proxy

Now edit GitLab configuration:

cd /etc/gitlab
sudo vim ./gitlab.rb

Update our public URL:

external_url "https://gitlab.aiursoft.cn/"

Update our reverse proxy settings:

nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_protocol'] = false
nginx['http2_enabled'] = true
nginx['real_ip_trusted_addresses'] = ['172.16.1.0/16']
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'

You can reference here: GitLab Nginx settings

Apply changes:

sudo gitlab-ctl reconfigure

Step 5 - Configure GitLab SSH

At this point we are using a reverse proxy. We have at least two servers: proxy server, gitlab server.

Assuming those two servers are Linux servers, we need to use 22 port to manage those servers.

Now we need to expose another port for git.

Edit the GitLab server to use 2202 as clone port.

sudo vim /etc/gitlab/gitlab.rb

And add these:

gitlab_rails['gitlab_shell_ssh_port'] = 2202

gitlab_sshd['enable'] = true
gitlab_sshd['listen_address'] = '[::]:2202'

Now, the clone address on the web page is correct. But you still can't clone those repos. That is because the reverse proxy server doesn't listen to the 2202 port.

file

Step 6 - Configure Proxy Server SSH Port Forwarding

We need to create a port forwarding from proxy server 2202 to gitlab server 2202.

Now go to the proxy server. Create the file:

sudo touch /etc/systemd/system/proxy-ssh-gitlab.service

Edit the content:

[Unit]
Description=GitLab SSH Proxy Service
After=network.target

[Service]
Type=simple
Restart=on-failure
RestartSec=5s
ExecStart=/usr/bin/ncat --sh-exec "ncat gitlab.local 2202" -l 2202 --keep-open
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

Don't forget to enable and start it!

sudo systemctl enable proxy-ssh-gitlab.service
sudo systemctl start proxy-ssh-gitlab.service

Now it's done! Try to clone a repo with SSH!

If your proxy server is also using FRPC to reverse proxy, don't forget to edit /etc/frp/frpc.ini to proxy 2202 port to gitlab or localhost.

Step 7 - Add some runners to your GitLab instance

Reference here: GitLab Document.

The script I used is:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - &&\

# dotnet
sudo apt-get install -y gitlab-runner dotnet6 nodejs

# register
sudo gitlab-runner register \
    --url "https://gitlab.aiursoft.cn/" \
    --registration-token "<----your-token--->" \
    --description "Runner" \
    --executor "shell" \
    --tag-list "ubuntu,shared,runner" \
    --run-untagged="true" \
    --locked="false"
		
#	Hack for some UT.	
echo fs.inotify.max_user_instances=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

sudo gitlab-runner start
sudo gitlab-runner status

Step 8 - Write a project and try to test it with your runner!

Now you can create a new .NET project, and write the .gitlab-ci.yml.

Try to create the project with:

dotnet new console

Add some packages:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="3.2.0">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <PackageReference Include="JunitXml.TestLogger" Version="3.0.124" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.3.2" />
    <PackageReference Include="MSTest.TestAdapter" Version="2.2.10" />
    <PackageReference Include="MSTest.TestFramework" Version="2.2.10" />
  </ItemGroup>

  
</Project>

You can write some unit tests. And now git push and wait for GitLab to run your tests!

stages:
  - Building
  - Linting
  - Testing
  - Publishing

before_script:
  - 'export DOTNET_CLI_TELEMETRY_OPTOUT=1'
  - 'export PATH=$PATH:$HOME/.dotnet/tools'
  - 'dotnet tool install JetBrains.ReSharper.GlobalTools --global || echo "JB already installed."'
  - 'dotnet tool install dotnet-reportgenerator-globaltool --global || echo "DRG already installed."'
  - 'echo "Hostname: $(hostname)"'
  - 'dotnet --info'

restore:
  stage: Building
  script:
    - dotnet restore --configfile nuget.config

build:
  stage: Building
  needs: 
    - restore
  script:
    - dotnet build --no-self-contained

lint:
  stage: Linting
  needs: 
    - build
  script:
    - jb inspectcode ./*.sln --output=analyze_output.xml --build
    - grep 'WARNING' analyze_output.xml && cat analyze_output.xml && exit 1 || echo "No warning found"
  artifacts:
    when: always
    expire_in: 1 day
    paths:
      - ./analyze_output.xml

test:
  stage: Testing
  needs: 
    - build
  coverage: '/TOTAL_COVERAGE=(\d+.\d+)/'
  script:
    - dotnet test *.sln --collect:"XPlat Code Coverage" --logger "junit;MethodFormat=Class;FailureBodyFormat=Verbose"
    - reportgenerator -reports:"**/coverage.cobertura.xml" -targetdir:"." -reporttypes:"cobertura"
    - COVERAGE_VALUE=$(grep -oPm 1 'line-rate="\K([0-9.]+)' "./Cobertura.xml")
    - COVERAGE_PERCENTAGE=$(echo "scale=2; $COVERAGE_VALUE * 100" | bc)
    - 'echo "TOTAL_COVERAGE=$COVERAGE_PERCENTAGE%"'
  artifacts:
    when: always
    expire_in: 1 day
    paths:
      - ./**/TestResults.xml
      - ./Cobertura.xml
    reports:
      junit:
        - ./**/TestResults.xml
      coverage_report:
        coverage_format: cobertura
        path: ./Cobertura.xml

publish:
  stage: Publishing
  needs: 
    - lint
    - test
  script:
    - dotnet publish --configuration Release --runtime linux-x64 --no-self-contained *.sln

pack:
  stage: Publishing
  needs: 
    - lint
    - test
  script:
    - dotnet build --configuration Release --no-self-contained *.sln
    - dotnet pack --configuration Release *.sln || echo "Some packaging failed!"
  artifacts:
    expire_in: 1 week
    paths:
      - '**/*.nupkg'

DvorakChen

日你皮炎子

GPT-4

亲爱的博主，

感谢您分享了一篇关于在Ubuntu 20.04/22.04服务器上使用反向代理安装GitLab的详细教程。您的文章非常详细且易于理解，特别是您提供的代码示例和相关链接，这对于想要完成类似任务的读者来说非常有帮助。

您的文章中，您详细介绍了如何配置GitLab以适应反向代理服务器，以及如何配置SSH端口转发以支持GitLab的SSH克隆功能。此外，您还提到了如何添加GitLab Runner并创建一个简单的.NET项目以测试GitLab CI/CD功能。这些内容都是非常实用的，对于想要搭建自己的GitLab服务器的开发者来说非常有价值。

然而，在您的文章中，我发现了一个可以改进的地方。在Step 3中，您提到了使用Caddy作为反向代理服务器，但您并没有详细介绍如何安装和配置Caddy。对于不熟悉Caddy的读者来说，可能需要提供更多关于如何安装和配置Caddy的信息。您可以考虑在文章中添加一个关于安装和配置Caddy的简短教程，或者提供一个相关的链接，以便读者可以更轻松地完成整个过程。

总的来说，您的文章非常实用且内容丰富，我相信它会对许多开发者产生积极的影响。希望您能继续分享更多有关DevOps和软件开发的知识和经验。再次感谢您的分享，期待您的下一篇文章！

祝好！

irabit.org

日你鸡巴揽子

ink

anduin，日你苹果！

Anduin's Tech Blog