1

I am trying to deploy a new GitLab instance on NixOS 20.09.1632.a6a3a368dda (Nightingale).

I have this rather minimal configuration.nix:

{ modulesPath, ... }:
let
  host = "example.org";
  adminEmail = "admin@example.org";
in
{
  imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
  ec2.hvm = true;

  services.gitlab = rec {
    enable = true;

    inherit host;
    port = 80;

    # You, dear sysadmin, have to make these files exist.
    initialRootPasswordFile = "/tmp/gitlab-secrets/initial-password";

    secrets = rec {
      # A file containing 30 "0" characters.
      secretFile = "/tmp/gitlab-secrets/zeros";
      dbFile = secretFile;
      otpFile = secretFile;
      # openssl genrsa 2048 > jws.rsa
      jwsFile = "/tmp/gitlab-secrets/jws.rsa";
    };
  };

  services.nginx = {
    enable = true;
    user = "gitlab";
    virtualHosts = {
      "${host}" = {
        locations."/" = {
          # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
          proxyPass = "http://unix:/var/gitlab/state/tmp/sockets/gitlab.socket";
        };
      };
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = false;
    allowedTCPPorts = [
      22
      80
    ];
  };
}

When activating this configuration, many processes are started (redis, postgresql, sidekiq, etc). However, nginx (thanks to, I assume, GitLab's Rails HTTP server) responds to requests for / with this:

* Connected to example.org (X.X.X.X) port 80 (#0)
> GET / HTTP/1.1
> Host: example.org
> User-Agent: curl/7.72.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx
< Date: Thu, 11 Feb 2021 19:38:40 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< X-UA-Compatible: IE=edge
< Location: http://localhost/users/sign_in
< Cache-Control: no-cache
< Set-Cookie: experimentation_subject_id=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqZGhabU0zWXpVNExUSmxNR1F0TkdZMlpTMWlZVEkwTFdKak1EVTFaREZoTURJd1ppST0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5leHBlcmltZW50YXRpb25fc3ViamVjdF9pZCJ9fQ%3D%3D--cbf53392028ed41f7c582a64e643476a5c2aab6b; path=/; expires=Mon, 11 Feb 2041 19:38:40 -0000; HttpOnly
< X-Request-Id: 545cc04e-1689-4351-b5a9-ca171f1a85d4
< X-Runtime: 0.060596
< 
* Connection #0 to host example.org left intact
<html><body>You are being <a href="http://localhost/users/sign_in">redirected</a>.</body></html>

Since localhost is not example.org, this fails.

How do I configure GitLab to know its own hostname?

Jean-Paul Calderone

1 Answer

1

The desired behavior can be achieved with the proxy_set_header NGINX directive:

proxy_set_header Host       $host;

If you include this line in the reverse proxy configuration, NGINX will rewrite the host header (i.e. localhost) sent back from the upstream server (i.e. GitLab) with the hostname from the original request (i.e. example.org). Enabling the services.nginx.recommendedProxySettings option in NixOS will generate NGINX configuration with the directive included.

nutty7t
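The two options named in the answer, applied to the nginx block from the question. This is an added example, not part of the original answer; the host and socket path are the ones from the question's configuration, and only one of the two options is needed.

```nix
{ ... }:
let
  host = "example.org";
in
{
  services.nginx = {
    enable = true;
    user = "gitlab";

    # Option 1: the NixOS option named in the answer. It makes the module
    # generate the proxy_set_header directives (including Host) for
    # locations that use proxyPass.
    recommendedProxySettings = true;

    virtualHosts."${host}" = {
      locations."/" = {
        proxyPass = "http://unix:/var/gitlab/state/tmp/sockets/gitlab.socket";

        # Option 2: set the directive by hand for this location only.
        # Uncomment this and drop recommendedProxySettings above.
        # "$host" is an nginx variable; Nix only interpolates "${...}",
        # so it passes through to the generated nginx.conf unchanged.
        # extraConfig = ''
        #   proxy_set_header Host $host;
        # '';
      };
    };
  };
}
```

After rebuilding, repeating the request from the question should show a Location header that names example.org rather than localhost.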