gitlabhq/gitlab-recipes

Apache GitLab Configuration

AidanMontare opened this issue · 10 comments

I recently decided to install GitLab on my web server (already running a small personal website) to host my projects. Since the server was already using Apache, I decided to attempt to configure GitLab to use Apache.

The install went uneventfully, and using the I now have the following setup:

GitLab has the following in /etc/gitlab/gitlab.rb:

nginx['enable'] = false
web_server['external_users'] = ['www-data']

My Apache configuration is based off https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache2.4.conf, and looks like this (stuff unrelated to the issue removed):

<VirtualHost *:80>
        ServerName code.aidanmontare.net
        Redirect permanent / https://code.aidanmontare.net/
</VirtualHost>
<IfModule mod_ssl.c>
        <VirtualHost *:443>
                # Host Information
                ServerName code.aidanmontare.net

                ProxyPreserveHost On
                ProxyTimeout 5
                ProxyRequests Off

                # Ensure that encoded slashes are not decoded but left in their encoded state.
                # http://doc.gitlab.com/ce/api/projects.html#get-single-project
                AllowEncodedSlashes NoDecode

                <Location />
                        # New authorization commands for apache 2.4 and up
                        # http://httpd.apache.org/docs/2.4/upgrading.html#access
                        Require all granted
                        ProxyPassReverse http://127.0.0.1:8080
                        ProxyPassReverse https://code.aidanmontare.net/
                </Location>

                #apache equivalent of nginx try files
                # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
                # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
                RewriteEngine on
                RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
                RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
                RequestHeader set X_FORWARDED_PROTO 'https'

                # needed for downloading attachments
                # This is where GitLab omnibus (package installer) put them
                DocumentRoot /var/opt/gitlab/gitlab-rails/

                #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
                ErrorDocument 404 /404.html
                ErrorDocument 422 /422.html
                ErrorDocument 500 /500.html
                ErrorDocument 503 /deploy.html
        </VirtualHost>
</IfModule> 

Once I sorted out some certificate issues I was having, I can now use the GitLab web interface. Browsing around and performing basic tasks mostly works.

However, I tried adding a test repository and received the following error upon clicking "add project":

422
The change you wanted was rejected.

Maybe you tried to change something you didn't have access to.

Also, GitLab runs painfully slowly (as compared to a test installation VM on my local computer using the included Nginx). Using the Firefox network monitor, I see that one resource is generating 502 errors like the following:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /assets/application-d78e3aebfdf9aa068bc71234b2bfea02.js.

Reason: Error reading from remote server

Also, in my Apache log I see many entries like the following:

[X] [proxy_http:error] [pid 16705] (20014)Internal error: [client X] AH01102: error reading status line from remote server 127.0.0.1:8080
[X] [proxy:error] [pid 16705] [client X] AH00898: Error reading from remote server returned by /assets/application-d78e3aebfdf9aa068bc71234b2bfea02.js

This same resource seems to be a problem for every page I load.

Any thoughts? I have tried a lot of ideas I saw around the web relating to these problems, and none so far have seemed to work.

I did some more digging around the interwebs looking for people with similar problems. Eventually, I found the following Stack Overflow question:

http://stackoverflow.com/questions/25785903/gitlab-7-2-1-with-apache-server-instead-of-nginx

The following configuration option stuck out:

DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

Most advice I have seen uses one of the following:

DocumentRoot /var/opt/gitlab/gitlab-rails/
DocumentRoot /var/opt/gitlab/gitlab-rails/public

I tried using the /opt version, and my GitLab installation now works as expected, at least from the web interface. The 502 errors are gone and I can add new projects, but I still cannot clone these projects through SSH or HTTP.

Any thoughts?

Upon attempting to clone a project over HTTP:

Cloning into 'project'...
fatal: unable to access 'X': The requested URL returned error: 400

Upon attempting to clone a project over SSH:

Cloning into 'project'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

It seems the HTTP clone issues had only occurred because git did not know how to handle a server with client-side SSL certificates. I temporarily disabled these and was able to push and clone a repository over HTTP. However, SSH still does not work.

After reading some people's comments, I tried adding the git user to /etc/ssh/sshd_config under an AllowUsers directive. No luck there.

Running ssh -vvvT git@code.myserver does not work, but gives only timeout errors.

Here is the output of /opt/gitlab/embedded/service/gitlab-shell/bin/check:

Check GitLab API access: OK
Check directories and files: 
        /var/opt/gitlab/git-data/repositories: OK
        /var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.2
Send ping to redis server: PONG

Most confusingly, I looked in my server's system logs and there were no iptables denied statements for my IP.

I really don't understand why my server is not accepting my ssh connections (for GitLab, as I can still manage it through SSH).

I finally got SSH working through the following additional changes:

  1. adding the www-data user to the git group
  2. setting the following is required in the Apache configuration:

<Directory /opt/gitlab/embedded/service/gitlab-rails/public>
        # required for icons
        Options FollowSymLinks
        Require ip 127.0.0.1
</Directory>

  3. Making sure that 127.0.0.1 is allowed to access the apache virtual server (this will affect the gitlab-shell program)

Now everything works as expected. I will close this issue since my problems with GitLab seem to be gone, but I may open a merge request soon with an updated version of the Apache configuration recipe.
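An added example, not part of the original thread or of the gitlab-recipes project: a small checker that tests a vhost file for the three settings the posts above ended up changing (Omnibus DocumentRoot, ProxyTimeout, and the `<Directory>` block that admits 127.0.0.1). The function names, the 60-second threshold and the two sample configs are assumptions made for this example.

```python
import re

# Path and directives below are the ones the thread settled on for Omnibus.
OMNIBUS_PUBLIC = "/opt/gitlab/embedded/service/gitlab-rails/public"
MIN_PROXY_TIMEOUT = 60  # assumption for this example; the thread used 5, then 600

def directives(conf, name):
    """Arguments of every `name` directive; lines starting with # never match."""
    pat = re.compile(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(name), re.I | re.M)
    return [m.group(1) for m in pat.finditer(conf)]

def directory_block(conf, path):
    """Body of <Directory path>...</Directory>, or None when there is none."""
    pat = r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(path)
    m = re.search(pat, conf, re.I | re.S)
    return m.group(1) if m else None

def audit(conf):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    roots = [r.strip('"').rstrip("/") for r in directives(conf, "DocumentRoot")]
    if OMNIBUS_PUBLIC not in roots:
        findings.append("DocumentRoot %s is not %s" % (roots or "(unset)", OMNIBUS_PUBLIC))
    low = [int(t) for t in directives(conf, "ProxyTimeout")
           if t.isdigit() and int(t) < MIN_PROXY_TIMEOUT]
    if low:
        findings.append("ProxyTimeout %d is under %d seconds" % (min(low), MIN_PROXY_TIMEOUT))
    body = directory_block(conf, OMNIBUS_PUBLIC)
    allow = r"^\s*Require\s+(all\s+granted|ip\s+.*\b127\.0\.0\.1\b)"
    if body is None:
        findings.append("no <Directory> block for the public folder")
    elif not re.search(allow, body, re.I | re.M):
        findings.append("public <Directory> does not admit 127.0.0.1")
    return findings

# Constructed samples: the settings from the first post, then the final ones.
BEFORE = "ProxyTimeout 5\nDocumentRoot /var/opt/gitlab/gitlab-rails/\n"
AFTER = """ProxyTimeout 600
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
<Directory /opt/gitlab/embedded/service/gitlab-rails/public>
    Options FollowSymLinks
    Require ip 127.0.0.1
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "ok")
```
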

@AidanMontare thanks for investigating and getting back to inform about your findings :)
A PR would be great. Just try to keep the manual installation paths, for example instead of /opt/gitlab/embedded/service/gitlab-rails/public use /home/git/gitlab/public.

I agree that for consistency all the paths should be the same. A note about the differences between GitLab manual installations and GitLab Omnibus installations would be helpful to those who are not aware of what the path should be for their installation method.

Also, I noticed some people's advice on the web gave /home/git/gitlab/public while others listed /home/git/gitlab/. However, my configuration for Omnibus GitLab seems to work, so I don't know which path would be correct for manual installations.

As an unrelated question, while my GitLab server is currently up and running fine, I noticed that trying to view the details of some commits returns a 502 proxy error. From reading on the interwebs, it seems that this is because Apache is timing out before it receives the reply from GitLab.

Until I get to doing some performance tuning, it would be nice to simply turn off this timeout. I am aware of the Apache ProxyTimeout, which I currently have set to 600. Are there any other timeout settings in Apache or GitLab that might help alleviate this issue?

Any updates on the sluggishness? I'm running CentOS6 with GitLab 7.7.2 Omnibus 5.4.2 on Apache 2.2 and it takes well over two minutes to load any page.

Update: Seems to be faster now that...

  • Commenting out AllowEncodedSlashes (I'm on Apache 2.2 not 2.4)
  • Setting DocumentRoot to the correct public folder (/opt/gitlab/embedded/service/gitlab-rails/public)
  • Commenting out LogFormat/ErrorLog/CustomLog

I'm on 2.4 and Ubuntu Server, and things seem to be running quite well now, though I have logs enabled and such. Some pages still take some time to load, but I haven't run into any that time out like they used to. I'm actually not quite sure what it is that made it work better.

I have set up GitLab to run on my current Apache web server, yet when I go to my URL I get a screen that says "Not Found: /". When I try to access anything in the public folder, I can have it show up on the browser screen, such as the deploy.html screen. How do I get this to allow me access to the main login page?