2

I have a private Gitlab instance running on a private IP. I want to host a website with Gitlab pages that is only visible inside my network and not accessible from the outside. Also I need my private Gitlab instance to not be accessible from the outside.

Gitlab pages can only be used when having the following prerequisites:

Have an exclusive root domain for serving GitLab Pages. Note that you cannot use a subdomain of your GitLab’s instance domain.
Configure a wildcard DNS record.
(Optional) Have a wildcard certificate for that domain if you decide to serve Pages under HTTPS.
(Optional but recommended) Enable Shared runners so that your users don’t have to bring their own.
(Only for custom domains) Have a secondary IP.

I would like to configure it that way but it only serves me if that doesn't open up my Gitlab instance to the public and if my site could be hosted within my network.

Is that possible? Or will it open up my server to the public?

Thanks very much in advance, really appreciate it.

Micromegas

2 Answers

1

If you use a private IPv4 address for your Gitlab instance, it will not be visible on the Internet.

For example: 192.168.1.125

However, you could set up your Internet router (or whatever it is used for) to allow external access, so you should make sure it is not set up accidentally.

You then have to take care of the domain and name resolution within your network, but without detailed knowledge of your infrastructure you can say nothing about it.

An example domain would be gitlab.local

You then need a DNS server in your network, usually the Internet routers do the same, but are sometimes inflexible here.

Of course, you can also book a domain on the Internet and enter 192.168.1.125 as A-Record, but you must make sure that the domain provider allows the entry of private IPv4 addresses.

Andre
  • Hi Andre, thanks very much for your help! Yes, my IP is 192.168.XXX, so that should be good. What do you mean with a DNS server in my network? I mean for what do I need it? And are you saying I won't need the DNS server when I put my A-Record into my booked domain? Also GL say that setting this: `pages_external_url 'http://example.io'` is necessary.... So that doesn't mean it would be accessible? – Micromegas Oct 15 '19 at 09:52
  • I believe that a local domain, like gitlab.local, works the same way, because I don't understand why you should need an external domain. Maybe there is a reason, but I don't see it right now. Maybe the "external_url" is just misleading. At least with the Community Edition of Gitlab, which you can run locally, with an externally hosted version it would be different. That's why I would advise you to try it first, but I added above that you can do it with an external domain as well. – Andre Oct 15 '19 at 10:02
  • Ok that's great help, thanks so much. Sorry but what exactly do you mean with local domain? You mean just setting something like gitlab.local as external_url or configuring it somewhere in my local setup? – Micromegas Oct 15 '19 at 10:07
  • A local domain is for my domain, which you set up and operate on your local network, on your DNS server or on your Internet router. If your local top-level domain is .local, then gitlab.local would be a local domain name... There are just a lot of possibilities and you have to find out what is possible with your local conditions. If you can set up gitlab.local in your network, I would also add it to "external_url". On my system it looks like this: external_url 'https://git.fritz.box' – Andre Oct 15 '19 at 11:12
  • ok perfect, thx for the clarification. I will try it first with my domain and then when I have time to do more research I'll reconfigure it for a local domain. Perfect thank you – Micromegas Oct 15 '19 at 11:22
  • A little follow up question: I tried to point my domain with my IP to the Gitlab instance (with A record as IP and I also tried with a Wildcard record.) When reconfiguring gitlab both tell me, server not found. Is there something I am missing? – Micromegas Oct 15 '19 at 12:45
  • I guess I should ask a new question – Micromegas Oct 15 '19 at 12:45
1

If you have an RFC 1918 address (e.g. 192.168..) nothing in DNS will make that directly accessible from the wider Internet.

Using an A record on a public domain could expose that you are running a server, and give an external party hints about your network, but it would not provide a mechanism to allow access to it.

You will not be able to use ACME challenges (i.e. Let's Encrypt) for your domains, so you may need to buy one from a provider that does mail-based authentication or build your own CA and self-sign.

An alternative to putting an "A" record on your public domain would be to modify your local name server to inject support for the domain in your LAN or to modify each computer's hosts file.

davidgo
  • thanks Davidgo! I already modified my hosts, yet gitlab won't let me serve my gitlab pages on it. Or should that work as well and I just didn't configure it correctly? – Micromegas Oct 15 '19 at 11:09
  • What happens when you try? – davidgo Oct 15 '19 at 17:58
  • I get a server not found error when I try to access the page. I think for Gitlab pages one has to have a domain with a wildcard A record attached to it... At least as far as I understand the docs, but of course I could be wrong :) – Micromegas Oct 16 '19 at 07:28
  • I don't believe you can have a wildcard A hosts entry - you will need to manually add each variant. What happens when you ping subdomain.domain.com ? – davidgo Oct 16 '19 at 07:40
  • Pinging my host works fine. But maybe I misunderstood and configured it wrongly. I gave the IP of my gl instance a name like git.example.de and then added this into my gitlab.rb config for the pages url – Micromegas Oct 16 '19 at 08:31
  • what I did now was to add a wildcard A record to my domain and then added this in the gitlab instance which seems to work for now.... It's not optimal because it would be better having everything local but a working solution for now... – Micromegas Oct 16 '19 at 08:35
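
A preflight check for the setup discussed in this thread, as an added example that is not part of the original posts: it verifies that the Pages domain is not under the GitLab instance domain, that an arbitrary name under the Pages domain resolves (the wildcard record), and that every answer is an RFC 1918 address. The `example.lan` names, the `wildcard-probe` label and the two stand-in resolvers are constructed assumptions; 192.168.1.125 is the example address from the first answer.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# The three RFC 1918 ranges. ipaddress's is_private is broader (it also covers
# loopback, link-local and documentation ranges), so test membership explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def system_resolver(name):
    """Ask the local resolver (hosts file, LAN DNS); empty list if not found."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_pages_setup(external_url, pages_external_url, resolver=system_resolver):
    """Return a list of findings; an empty list means the checks passed."""
    gitlab_host = urlparse(external_url).hostname
    pages_host = urlparse(pages_external_url).hostname
    findings = []
    # Prerequisite quoted in the question: Pages needs its own domain, not the
    # instance domain or a subdomain of it.
    if pages_host == gitlab_host or pages_host.endswith("." + gitlab_host):
        findings.append(f"{pages_host}: must not be under {gitlab_host}")
    # Project sites are served at <namespace>.<pages domain>, so an arbitrary
    # label under the Pages domain has to resolve (the wildcard record).
    for name in (gitlab_host, f"wildcard-probe.{pages_host}"):
        addrs = resolver(name)
        if not addrs:
            findings.append(f"{name}: does not resolve")
        findings += [f"{name}: {a} is not RFC 1918" for a in addrs
                     if not is_rfc1918(a)]
    return findings

# Constructed stand-ins for the two local options discussed in the answer.
def hosts_file(entries):            # exact names only, no wildcards
    return lambda name: entries.get(name, [])

def wildcard_zone(zone, addr):      # LAN DNS answering for the zone and *.zone
    return lambda name: [addr] if name == zone or name.endswith("." + zone) else []

if __name__ == "__main__":
    hosts = hosts_file({"gitlab.example.lan": ["192.168.1.125"],
                        "pages.example.lan": ["192.168.1.125"]})
    print(check_pages_setup("http://gitlab.example.lan",
                            "http://pages.example.lan", hosts))
```

Called without a `resolver` argument, `check_pages_setup` queries the machine's own resolver, so it can be run from a LAN client against the real `external_url` and `pages_external_url` values.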