MJUN Tech Note

Proxying GitLab through Apache on Ubuntu

This note shows how to serve GitLab under a subdirectory using Apache on Ubuntu.
The SSL certificate is managed by Apache and certbot, not by GitLab.

The goal is to serve GitLab at https://hoge.com/gitlab.

Installing Apache

First, install apache2.

sudo apt install apache2
sudo systemctl status apache2

Setting up certbot

Next, set up certbot. Have an email address for registration and your domain ready beforehand.

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hoge@hoge.com

You must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot?
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
----------------------------------------
1: hoge.com
----------------------------------------
 (Enter 'c' to cancel): 1

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
----------------------------------------
1: No redirect
2: Redirect
----------------------------------------
(press 'c' to cancel): 2

Congratulations! You have successfully enabled https://hoge.com

# Check that automatic renewal is active
sudo systemctl status certbot.timer

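Configuring Apache

Next, configure the proxy in Apache.
Add the following to /etc/apache2/sites-enabled/000-default-le-ssl.conf. ProxyPass requires the mod_proxy and mod_proxy_http modules to be enabled.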

ProxyPass /gitlab http://localhost:8000/gitlab
ProxyPassReverse /gitlab http://localhost:8000/gitlab

While we are at it, edit /etc/apache2/conf-enabled/security.conf so that the Apache version is not visible from outside.

ServerTokens Prod
ServerSignature Off

Once the configuration is done, restart Apache.

sudo systemctl restart apache2

Starting GitLab

Here we start GitLab with docker-compose.

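version: '3.7'
services:
  gitlab:
    image: gitlab/gitlab-ce:14.7.7-ce.0
    restart: always
    hostname: 'hoge.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://hoge.com/gitlab/'
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        gitlab_rails['time_zone'] = 'Asia/Tokyo'
        # TLS is terminated by Apache, so GitLab does not request its own certificate
        letsencrypt['enable'] = false
        # Port the bundled nginx listens on inside the container
        nginx['listen_port'] = 8088

    ports:
      # Host port 8000 (the ProxyPass target) -> container port 8088 (nginx['listen_port'])
      # Without a host IP this is published on all interfaces; prefix 127.0.0.1: to limit it to Apache on this host
      - '8000:8088'
      - '22:22'
    volumes:
      - ./gitlab/data:/var/opt/gitlab
      - ./gitlab/logs:/var/log/gitlab
      - ./gitlab/config:/etc/gitlab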

Because Apache manages the SSL certificate, letsencrypt['enable'] is set to false.

With that, GitLab is accessible through Apache under a subdirectory of your choice.
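
A pre-flight check for the port chain this setup depends on (the Apache ProxyPass target, the published Docker port, and the GitLab nginx listen port), added here as an example and not part of the original article. The sample file contents are constructed, and the function names check_chain and parse_ports are illustrative.

```python
import re

# Constructed sample inputs in the shape of the two files from this article,
# with a deliberate port mismatch so the check has something to report.
APACHE_CONF = """\
ProxyPass /gitlab http://localhost:8000/gitlab
ProxyPassReverse /gitlab http://localhost:8000/gitlab
"""
COMPOSE = """\
        nginx['listen_port'] = 8088
    ports:
      - '8000:8000'
      - '22:22'
    volumes:
      - ./gitlab/data:/var/opt/gitlab
"""
LOOPBACK = {"127.0.0.1", "localhost"}
PORT_RE = re.compile(r"^\s*-\s*['\"]?(?:([\d.]+):)?(\d+):(\d+)['\"]?\s*$", re.M)

def parse_ports(compose_text):
    """Return (host_ip, host_port, container_port) for short-syntax port entries."""
    # Docker publishes on all interfaces when no host IP is given.
    return [(m.group(1) or "0.0.0.0", int(m.group(2)), int(m.group(3)))
            for m in PORT_RE.finditer(compose_text)]

def check_chain(apache_text, compose_text):
    """Return findings for the Apache -> Docker -> GitLab nginx port chain."""
    proxy = re.search(r"^\s*ProxyPass\s+\S+\s+http://[^:/\s]+:(\d+)", apache_text, re.M)
    listen = re.search(r"nginx\['listen_port'\]\s*=\s*(\d+)", compose_text)
    if not proxy or not listen:
        return ["ProxyPass target or nginx['listen_port'] not found"]
    proxy_port, listen_port = int(proxy.group(1)), int(listen.group(1))
    published = [p for p in parse_ports(compose_text) if p[1] == proxy_port]
    if not published:
        return [f"host port {proxy_port} is not published by the container"]
    findings = []
    host_ip, _, container_port = published[0]
    if container_port != listen_port:
        findings.append(f"host port {proxy_port} maps to container port "
                        f"{container_port}, but nginx listens on {listen_port}")
    if host_ip not in LOOPBACK:
        findings.append(f"port {proxy_port} is published on {host_ip}, so plain "
                        "HTTP is reachable without going through Apache")
    return findings

if __name__ == "__main__":
    for finding in check_chain(APACHE_CONF, COMPOSE):
        print("FINDING:", finding)
```

An empty result means the ProxyPass port reaches the port nginx listens on and the plain-HTTP port is only published on loopback.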