Configuring Gitlab through Apache with SSL - apache

I want to use GitLab through Apache with SSL. I followed this guide, but I still get a 503 Service Unavailable message.
I have installed GitLab as described in the instructions from GitLab.
My gitlab.rb configuration looks like the file in the guide:
external_url 'https://domain:4443'
nginx['ssl_certificate'] = "/etc/gitlab/tls/SignedCertificateBundle.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/tls/SignedCertificate.key"
My virtual host:
<VirtualHost *:443>
ServerName domain
ServerAlias domain
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLEngine on
SSLCertificateFile /etc/gitlab/tls/SignedCertificate.crt
SSLCertificateKeyFile /etc/gitlab/tls/SignedCertificate.key
SSLCACertificateFile /etc/gitlab/tls/IntermediateCertificate.crt
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
ProxyRequests Off
ProxyPass / https://domain:4443/
ProxyPassReverse / https://domain/
Header edit Location ^http://domain/ https://domain/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
Did I forget something?

I found a solution for my problem (maybe it helps others struggling with the same thing).
My gitlab.rb config file:
external_url 'https://domain'
nginx['listen_address'] = 'localhost'
nginx['listen_port'] = 8888
nginx['listen_https'] = false
And my virtual host:
<VirtualHost *:443>
ServerName domain
ServerAlias domain
ServerAdmin mail
RequestHeader set Host "domain"
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/
SSLEngine on
SSLCertificateFile /etc/gitlab/tls/SignedCertificate.crt
SSLCertificateKeyFile /etc/gitlab/tls/SignedCertificate.key
SSLCACertificateFile /etc/gitlab/tls/IntermediateCertificate.crt
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
</VirtualHost>
For me, GitLab is now working with TLS over Apache.
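The working setup above has GitLab's bundled nginx listening on localhost:8888 over plain HTTP and relies on the Apache RequestHeader lines (X-Forwarded-Proto, X-Forwarded-Ssl) plus ProxyPreserveHost to tell the backend what the client actually used. The following is an added example of what a backend does with those headers; it is plain WSGI from the standard library, not GitLab's or Apache's code. The trusted proxy addresses (loopback, matching nginx['listen_address'] = 'localhost' above), the host name "domain" and the /login and /users/sign_in paths are assumptions.

```python
"""Backend-side handling of X-Forwarded-Proto / X-Forwarded-Ssl.
Added example (plain WSGI, standard library only); not GitLab's or Apache's code."""

# Assumption: the Apache vhost reaches the backend over loopback, as in the
# gitlab.rb settings above (nginx listening on localhost:8888).
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def effective_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the client used, as far as the backend can tell.

    X-Forwarded-Proto and X-Forwarded-Ssl are ordinary request headers, so any
    host that can reach the backend port directly can set them. They are
    honoured only when the TCP peer is the proxy; otherwise the backend falls
    back to the scheme of its own listener (wsgi.url_scheme)."""
    own = environ.get("wsgi.url_scheme", "http")
    if environ.get("REMOTE_ADDR") not in trusted:
        return own
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if proto in ("http", "https"):
        return proto
    if environ.get("HTTP_X_FORWARDED_SSL", "").strip().lower() == "on":
        return "https"
    return own


def external_url(environ, path):
    """Absolute URL for path as the client should see it (what a redirect needs).
    The host comes from the Host header, which ProxyPreserveHost On keeps as the
    public name; without it the backend would see localhost:8888 here."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return f"{effective_scheme(environ)}://{host}{path}"


def app(environ, start_response):
    """Minimal WSGI app: /login redirects to an absolute URL, anything else reports the scheme."""
    if environ.get("PATH_INFO") == "/login":
        start_response("302 Found", [("Location", external_url(environ, "/users/sign_in"))])
        return [b""]
    body = f"scheme={effective_scheme(environ)} host={environ.get('HTTP_HOST')}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def via_proxy(path="/"):
    """Constructed environ: a request relayed by the Apache vhost above over loopback."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
            "SERVER_PORT": "8888", "wsgi.url_scheme": "http", "REMOTE_ADDR": "127.0.0.1",
            "HTTP_HOST": "domain", "HTTP_X_FORWARDED_PROTO": "https",
            "HTTP_X_FORWARDED_SSL": "on"}


def direct(path="/"):
    """Constructed environ: a LAN host hitting port 8888 directly with the same headers."""
    env = via_proxy(path)
    env.update({"REMOTE_ADDR": "192.0.2.7", "HTTP_HOST": "192.0.2.50:8888"})
    return env


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8888, app).serve_forever()
```

With the proxied request the redirect comes out as https://domain/users/sign_in, which is the 503-free behaviour the second gitlab.rb achieves; the same headers arriving from a non-proxy peer are ignored and the backend answers with its own plain-http scheme. Binding the backend to localhost, as the accepted configuration does, is what makes the REMOTE_ADDR check meaningful: if the port were reachable from the network, the forwarded headers alone would not be trustworthy.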

Related

How to let an Apache (Ubuntu) Proxy Server redirect/pass http to https (using VirtualHost tag in .conf file)

Hello all,
I have set up a proxy server on Ubuntu that redirects a subdomain to an IP address (target server).
It works, but only with https.
How can I make it work in http, so that it redirects as https (the target server only works with https)?
Here are a few (fake) details:
the subdomain is "mysub.mydomain.de"
the IP of the Proxy-Server is "101.102.103.104"
the IP of the target server is "106.107.108.109"
the subdomain gets redirected via A-record to the proxy-server-IP
My config file under /etc/apache2/sites-available/000-default.conf looks like this:
<VirtualHost mysub.mydomain.de:443>
ServerName mysub.mydomain.de
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
ProxyRequests off
SSLCertificateFile /etc/apache2/sites-available/Zert/public.crt
SSLCertificateKeyFile /etc/apache2/sites-available/Zert/private.key
SSLCertificateChainFile /etc/apache2/sites-available/Zert/intermediate.crt
ProxyPass "/" "https://106.107.108.109:443"
ProxyPassReverse "/" "https://106.107.108.109:443"
</VirtualHost>
<VirtualHost mysub.mydomain.de:80>
ServerName mysub.mydomain.de
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
ProxyRequests off
SSLCertificateFile /etc/apache2/sites-available/Zert/public.crt
SSLCertificateKeyFile /etc/apache2/sites-available/Zert/private.key
SSLCertificateChainFile /etc/apache2/sites-available/Zert/intermediate.crt
ProxyPass "/" "https://106.107.108.109:443"
ProxyPassReverse "/" "https://106.107.108.109:443"
</VirtualHost>
What I don't understand is: even if the second VirtualHost block redirects from port 80 to https, will it also change the port to 443?
Thanks!
Tim

Configure local proxy for the npm audit with Apache

Based on this one: https://github.com/chovyy/npm-audit-proxy
In this case, Nexus OSS v3 manager is running behind an Apache reverse proxy.
npm audit needs to be proxied as well, from https://registry.npmjs.org/-/npm/v1/security/audits/.
So how do I configure Apache properly to pass the npm audit call to
https://registry.npmjs.org/-/npm/v1/security/audits/ ?
This Apache configuration worked in my case.
<VirtualHost 0.0.0.0:443>
ServerName nexus.corporate.domain
SSLEngine on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
SSLCertificateFile /etc/ssl/localcerts/nexus/nexus.pem
SSLCertificateKeyFile /etc/ssl/localcerts/nexus/nexus.key
SSLCertificateChainFile /etc/ssl/localcerts/nexus/Local_Corporate_CA_chain.crt
SSLSessionTickets off
SSLProxyEngine On
ProxyPass /repository/npm-public/-/npm/v1/security/audits https://registry.npmjs.org/-/npm/v1/security/audits
ProxyPassReverse /repository/npm-public/-/npm/v1/security/audits https://registry.npmjs.org/-/npm/v1/security/audits
ProxyPass / http://127.0.0.1:8081/ nocanon
ProxyPassReverse / http://127.0.0.1:8081/
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes on
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
<Proxy http://127.0.0.1:8081/*>
Order allow,deny
Allow from all
</Proxy>
ErrorLog /var/log/apache2/nexus_apache_error.log
CustomLog /var/log/apache2/nexus_apache_access.log common
</VirtualHost>
I had a 403 Forbidden error, but it was caused by ProxyPreserveHost On.
I changed it to ProxyPreserveHost Off.
/repository/npm-public/ is an npm group-type repository created in Nexus:
https://nexus.corporate.domain/repository/npm-public/

LocationMatch not matching like Location (Apache 2.4)

I'm trying to understand what is going on with LocationMatch. Right now I have a Location similar to the following,
<Location "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</Location>
Next I change only Location to LocationMatch, as below, and that works fine.
<LocationMatch "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
But as soon as I introduce a regular expression this no longer matches correctly. For example, I want to match paths starting with /context,
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
I've been through the documentation multiple times and can't seem to figure out why this regex doesn't match. I've also seen SO questions like "Apache LocationMatch matching urls starting with..." but this regex doesn't work. I have a single VirtualHost on a vanilla Ubuntu apache2 install with this single LocationMatch. The entire conf file looks like this,
ProxyRequests off
PassEnv HTTPD_SERVER_NAME HTTPD_SERVER_ADMIN SSL_CERTIFICATE_FILE SSL_CERTIFICATE_KEY_FILE
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile ${SSL_CERTIFICATE_FILE}
SSLCertificateKeyFile ${SSL_CERTIFICATE_KEY_FILE}
Protocols h2 http/1.1
ServerName ${HTTPD_SERVER_NAME}
ServerAdmin ${HTTPD_SERVER_ADMIN}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
</VirtualHost>
My question is, should <LocationMatch "^/context"> match URLs starting with /context? For example, https://mydomain/context? And if this should match, any idea what else could be interfering? I'm on version 2.4.41, but I've seen this behavior since at least 2.4.6. Thanks
According to the Apache docs on the ProxyPass directive:
"When used inside a <Location> section, the first argument is omitted and the local directory is obtained from the <Location>. The same will occur inside a <LocationMatch> section; however, ProxyPass does not interpret the regexp as such, so it is necessary to use ProxyPassMatch in this situation instead."
If I understand this correctly, it's not that your <Location> regex is invalid, it's just that your <ProxyPass> doesn't interpret it as a regex. So use <ProxyPassMatch> instead.
Also, this SO question led me to some other pages which support the idea that <LocationMatch> and <ProxyPass> are incompatible with each other:
As indicated by this comment and this page, I need to replace
ProxyPass [with] ProxyPassMatch when using that inside a LocationMatch block
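Several of the configurations on this page share a small set of mod_proxy/mod_ssl pitfalls: the ProxyPass-inside-LocationMatch case this answer resolves, the port-80 VirtualHost in the "Zert" question that has SSLEngine on while expecting plain HTTP, the SSLProxyVerify none / SSLProxyCheckPeerName off lines in two of the configs (which make Apache accept any certificate from the backend), and ProxyPass ordering, which the Apache docs say is first-match-wins so longer prefixes must come first. The script below is an added example of a config audit that reports those cases; it is not an Apache tool and not code from any of the posts. The sample config it runs on is constructed for the example (example.test names, a 203.0.113.10 backend), and the parser only understands the directive and container forms used on this page.

```python
"""Audit Apache reverse-proxy vhost configs for the pitfalls seen in these threads.
Added example, not an Apache tool; the rules come from the posts above and the
documented mod_proxy/mod_ssl behaviour they rely on."""
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

# (directive, value) pairs that switch off verification of the backend certificate
PEER_CHECKS_OFF = {("sslproxyverify", "none"), ("sslproxycheckpeername", "off"),
                   ("sslproxycheckpeercn", "off"), ("sslproxycheckpeerexpire", "off")}


def parse_vhosts(text):
    """Return [{"arg": "*:80", "directives": [(name, args, section), ...]}, ...].
    name is lower-cased; section is the innermost container inside the vhost
    ("location", "locationmatch", "proxy") or None at vhost level."""
    vhosts, stack, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            name = m.group(1).lower()
            if stack and stack[-1] == name:
                stack.pop()
            if name == "virtualhost":
                current = None
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            stack.append(name)
            if name == "virtualhost":
                current = {"arg": arg, "directives": []}
                vhosts.append(current)
            continue
        if current is not None:
            parts = line.split(None, 1)
            section = stack[-1] if len(stack) > 1 else None
            current["directives"].append(
                (parts[0].lower(), parts[1] if len(parts) > 1 else "", section))
    return vhosts


def audit(text):
    """Return a list of human-readable findings, one per problem."""
    findings = []
    for vh in parse_vhosts(text):
        tag, d = vh["arg"], vh["directives"]
        port = tag.rsplit(":", 1)[-1]
        last = {n: a.lower() for n, a, _ in d}          # last occurrence wins
        if port == "80" and last.get("sslengine") == "on":
            findings.append(f"{tag}: SSLEngine on in a plain-HTTP vhost; "
                            "HTTP clients get a TLS handshake error")
        if last.get("sslproxyengine") == "on":
            for n, a, _ in d:
                if (n, a.lower()) in PEER_CHECKS_OFF:
                    findings.append(f"{tag}: {n} {a} disables verification of the backend certificate")
        for n, a, sec in d:
            if n == "proxypass" and sec == "locationmatch":
                findings.append(f"{tag}: ProxyPass inside <LocationMatch> does not treat "
                                "the pattern as a regex; use ProxyPassMatch")
        # vhost-level ProxyPass rules are tried in order; the first matching prefix wins
        prefixes = [a.split()[0].strip('"') for n, a, sec in d
                    if n == "proxypass" and sec is None and a]
        for i, p in enumerate(prefixes):
            for q in prefixes[i + 1:]:
                if q != p and q.startswith(p):
                    findings.append(f"{tag}: ProxyPass {q} is shadowed by the earlier "
                                    f"ProxyPass {p}; list longer prefixes first")
        sets_proto = any(n == "requestheader" and a.lower().split()[:2] == ["set", "x-forwarded-proto"]
                         for n, a, _ in d)
        if last.get("sslengine") == "on" and prefixes and not sets_proto:
            findings.append(f"{tag}: TLS vhost proxies without RequestHeader set X-Forwarded-Proto; "
                            "the backend cannot tell it was reached over https")
    return findings


# Constructed sample: a port-80 vhost shaped like the "Zert" one above, plus a TLS vhost
# with a mis-ordered ProxyPass and a ProxyPass inside LocationMatch.
SAMPLE = """\
<VirtualHost mysub.example.test:80>
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyPass "/" "https://203.0.113.10:443"
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://127.0.0.1:8081/ nocanon
    ProxyPass /repository/npm-public/-/npm/v1/security/audits https://registry.example.test/audits
    <LocationMatch "^/context">
        ProxyPass http://backend.example.test/context
    </LocationMatch>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample it reports four problems for the :80 vhost and two for the :443 one. Applied to the Jenkins configuration later on this page, the ordering check would also flag ProxyPass / appearing before ProxyPass /sonar, since the docs state the first matching rule wins. The peer-check findings are the ones worth acting on in a production proxy: with SSLProxyVerify none the https:// in the ProxyPass target protects the hop against passive reading only, not against a substituted backend.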

How to disable http to https re-direct in Jenkins?

I currently have Jenkins running behind SSL with HTTP redirecting to HTTPS. For a custom integration which doesn't support SSL yet, I need to disable the HTTP to HTTPS redirect. I am unable to do so by commenting out the redirect in the Apache conf.
Following is my Apache config.
<VirtualHost *:80>
ServerName jenkins-tb.myorg.com
ServerAlias www.jenkins-tb.myorg.com
ProxyRequests Off
ProxyVia On
Redirect permanent / https://jenkins-tb.myorg.com/
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?login/(.*) https://%{SERVER_NAME}/login/$1 [R,L]
</Virtualhost>
<VirtualHost *:443>
ServerName jenkins-tb.myorg.com
ServerAlias www.jenkins-tb.myorg.com
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/crt/jenkins-asd.myorg.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/key/server_jenkins-asd.myorg.com.key
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
# ProxyPassReverse /login http://jenkins-thunderbolt.myorg.com/login
# ProxyPassReverse /login https://jenkins-thunderbolt.myorg.com/login
ProxyPass /sonar http://localhost:9000/sonar
ProxyPassReverse /sonar http://localhost:9000/sonar
RequestHeader set X_FORWARDED_PROTO "https"
RequestHeader set X-Forwarded-Port "443"
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
<Proxy http://localhost:8080/*>
Order allow,deny
Allow from all
</Proxy>
ProxyPreserveHost on
# AllowEncodedSlashes NoDecode
</VirtualHost>
How do I re-enable HTTP without disabling HTTPS? Basically I need to stop the redirection from HTTP to HTTPS.
Based on your configuration, replace the <VirtualHost *:80> block with the following. But please note: passwords are now transferred in clear text.
<VirtualHost *:80>
ServerName jenkins-tb.myorg.com
ServerAlias www.jenkins-tb.myorg.com
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPass /sonar http://localhost:9000/sonar
ProxyPassReverse /sonar http://localhost:9000/sonar
RequestHeader set X_FORWARDED_PROTO "http"
RequestHeader set X-Forwarded-Port "80"
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
<Proxy http://localhost:8080/*>
Order allow,deny
Allow from all
</Proxy>
ProxyPreserveHost on
</Virtualhost>
This also means that /sonar is available over HTTP.

502 proxy Error [error reading from remote server]

I'm getting an error message with my HTTPS site. When I am working with my HTTP site it is working fine on Apache2 on Ubuntu 14.04.
Here is my virtual host config for the HTTPS site:
<VirtualHost _default_:443>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set Front-End-Https "On"
servername jenkins.mydomain.com
Proxypass / https://192.168.0.93:8080/ Keepalive=on
ProxypassReverse / https://jenkins.mydomain.com/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.crt
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</virtualHost>
Please tell me where I am making a mistake.
I have solved my issue. I had a few mistakes in my virtual host configuration.
The new virtual host configuration with SSL is below:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/wildcard.crt
ServerAdmin ITSupport#Mydomain.com
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</proxy>
ServerName jenkins.mydomain.com
ProxyPass / http://192.168.0.93:8080/ nocanon
ProxyPassReverse / http://jenkins.mydomain.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</virtualhost>
In your server you just need to change your code from this:
const port = process.env.PORT || 9000
app.listen(port, () => {
  console.log(`Serve at http://localhost:${port}`)
})
to this:
app.listen(port, () => {
  console.log(`Serve at https://your_domain`)
})