0

I have an Ubuntu 16.04 machine running Apache2 and Docker (the docker itself is running GitLab from the Docker hub). This box also hosts a Phabricator instance, hence why I have put GitLab into its own Docker to separate things.

It's also important to note that I am able to access the server in two different ways: within my company's private network via a private IP (10.10.X.Y) or through a host name "gitlab.example.com" that points to a public IP.

From within the private network, if I go to "10.10.X.Y:10080", then I can access GitLab in all its glory. If I go to "gitlab.example.com:10080" outside the network (and open 10080 in the firewall), then I can still access GitLab with no issue.

However, I want to avoid having 10080 open; I would also prefer that my developers only need to type in the hostname and not have to include the port number.


I've attempted several things to accomplish this to no avail...

  • Apache2 ProxyPass (have tried using localhost and the docker's IP for ProxyPass/ProxyReverse). I've verified that the mod_proxy is enabled. Accessing the URL gives me an error stating there's no configuration for the site. If I comment out all the Proxy info below, then the default Apache2 success page is served (presumably because it falls back to the main document root since I don't have one defined below).

    <VirtualHost *:80>
        ProxyPreserveHost On
        ProxyRequests On
        ServerName gitlab.example.com
        ProxyPass / http://172.17.0.2:80/
        ProxyPassReverse / http://172.17.0.2:80/
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
    </VirtualHost>
    
  • iptables PREROUTING. I'm not an expert on iptables, and most of my network routing is done via Barracuda, but I've read online you should be able to route from one port to another from within the same box. I've tried several commands as below but still no luck. I'm so lost when it comes to iptables that the below commands may be way off.

    sudo iptables -A PREROUTING -t nat -s gitlab.example.com -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:10080
    sudo iptables -t nat -A OUTPUT -d 172.17.0.2 -p tcp --dport 80 -j REDIRECT --to-port 10080
    sudo iptables -A PREROUTING -t nat -s gitlab.example.com -p tcp --dport 80 -j REDIRECT --to-port 10080
    
  • Rinetd. This sounded promising, but is not functioning like I expect. I only really tried the below command and then moved on. Perhaps I misunderstood the command or how to compile it to function.

    sudo rinetd gitlab.example.com 80 172.17.0.2 10080
    
  • I also attempted some stuff with iproute2 and socat, but I documented those attempts very poorly and am not sure exactly what I've tried with these two. I know that whatever I tried obviously didn't work!


I feel like there has to be some other method that I'm missing and now I'm banging my head against the wall trying to get this to work. Any insight would be much appreciated.

2 Answers

0

rinetd uses a configuration file to run. You can just put this line in a file called rinetd.conf:

    gitlab.example.com 80 172.17.0.2 10080

And then run rinetd as you intended (-f runs in foreground mode; otherwise it will fork to the background like a traditional daemon):

    sudo rinetd -f -c rinetd.conf

sam hocevar
  • Hey @sam hocevar. Unfortunately, rinetd did not function for me. I definitely should have read a little closer on the rinetd man page to know about daemon mode (I had a bunch of instances running in the background!), but all those instances confirmed that my settings should have been correct. I ended up finding the resolution to my issue and will post an answer in case anybody else has my issue. – engsysadmin Jul 24 '17 at 20:15
0

I found the solution to my problem. It was a user error on my part during my initial attempts.

Apache Proxy

My VHost:

    <VirtualHost *:80>
        ServerName gitlab.example.com

        ProxyPreserveHost On
        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>
        ProxyPass / http://172.17.0.2:80/
        ProxyPassReverse / http://172.17.0.2:80/
    </VirtualHost>

NOTE: 172.17.0.2 is the IP of my gitlab container.

What I had missed in my initial attempts was... wait for it... I didn't enable the proxy_http mod!! So no wonder it never worked. It never would have.

After setting up the VHost, make sure to run these things:

    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo service apache2 reload

And voila! I can now access my gitlab instance from gitlab.example.com in a browser, and it will auto redirect to port 10080, but leave the URL in the browser as is.

EDIT: I ran into an issue with my original configuration when I denied traffic to port 10080 through the firewall, because I was attempting to proxy back into the server using the hostname. Instead, I changed to the docker's IP:PORT in the VHost to resolve that issue.
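
An added example, not part of the original posts: a small Python check run over the vhosts on this page. It flags `ProxyRequests On` (forward proxying, which `ProxyPass` does not need and which the question's `<Proxy *>` / `Allow from all` block leaves open to any client) and a `ProxyPass` backend that is the vhost's own `ServerName`, the situation the EDIT describes. The name `audit_vhost`, the finding codes and `HOSTNAME_VHOST` are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Sample input: the question's vhost, copied from this page.
QUESTION_VHOST = """
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests On
    ServerName gitlab.example.com
    ProxyPass / http://172.17.0.2:80/
    ProxyPassReverse / http://172.17.0.2:80/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
"""
# The answer's vhost: same directives minus ProxyRequests (order aside).
ANSWER_VHOST = QUESTION_VHOST.replace("    ProxyRequests On\n", "").replace("deny,allow", "allow,deny")
# Constructed from the EDIT's description: backend addressed by the public hostname.
HOSTNAME_VHOST = ANSWER_VHOST.replace("172.17.0.2:80", "gitlab.example.com:10080")

def audit_vhost(conf):
    """Return finding codes for an Apache vhost meant to be a reverse proxy."""
    forward = open_acl = in_proxy_all = False
    server_name, backends = "", []
    for words in (raw.lower().split() for raw in conf.splitlines()):
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "<proxy":
            in_proxy_all = words[1:] in (["*>"], ['"*">'])
        elif words[0] == "</proxy>":
            in_proxy_all = False
        elif words == ["proxyrequests", "on"]:
            forward = True  # forward proxying; ProxyPass works with it Off (the default)
        elif in_proxy_all and words in (["allow", "from", "all"], ["require", "all", "granted"]):
            open_acl = True  # the catch-all <Proxy *> block admits every client
        elif words[0] == "servername" and len(words) > 1:
            server_name = words[1]
        elif words[0] == "proxypass" and len(words) > 2:
            backends.append(urlsplit(words[2]).hostname)
    checks = [("forward-proxy-enabled", forward),
              ("forward-proxy-open-to-all", forward and open_acl),
              ("backend-is-own-hostname", server_name in backends)]
    return [code for code, hit in checks if hit]

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_VHOST), ("answer", ANSWER_VHOST), ("hostname", HOSTNAME_VHOST)):
        print(name, audit_vhost(conf) or "ok")
```
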