GitLab with Plesk and Let's Encrypt

This is how I installed GitLab under a subdomain on a server running Plesk 12.5 on Ubuntu 14.04 and added an SSL certificate from Let’s Encrypt.

Install GitLab

To install GitLab follow the instructions on the website here.

Deactivate the bundled web-server

GitLab comes with its own nginx as web-server. I wanted to use the Apache that is already running on the server.
The docs describe how to do that here.

Only one thing to note: The user is the user of the Plesk webspace where GitLab should be installed and the group is psacln.

web_server['external_users'] = ['jonas']
web_server['group'] = 'psacln'

Run

sudo gitlab-ctl reconfigure

when you are done.

Configure Apache

Then I added a new subdomain to my webspace, git.jonasjuffinger.com. There I opened the Apache & nginx settings. Under Additional Apache directives it is possible to add configuration for Apache.

Additional directives for HTTP
Because we will configure Let’s Encrypt later, we want every request over http redirected to https, except for the .well-known directory, because it is needed by Let’s Encrypt:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/.*
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [last,redirect=301]
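
A tighter variant of these directives, as an added example that is not part of the original post. It assumes the Let’s Encrypt extension validates over HTTP-01, which only requests paths under /.well-known/acme-challenge/, and it assumes mod_headers is loaded (the HTTPS directives on this page already use RequestHeader from the same module).

```apache
# --- Additional directives for HTTP ---
RewriteEngine On
RewriteCond %{HTTPS} !=on
# Exempt only the ACME HTTP-01 challenge path instead of all of /.well-known/.
# The dot is escaped so it matches a literal "." and not any character.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# Redirect to the fixed subdomain name rather than %{HTTP_HOST}, which is
# copied from the client's Host header and would otherwise end up in the
# Location header of the redirect unchecked.
RewriteRule ^/(.*) https://git.jonasjuffinger.com/$1 [last,redirect=301]

# --- Additional directives for HTTPS ---
# Tell browsers to use https for this host for the next year, so later
# visits do not depend on the plain-http redirect at all.
Header always set Strict-Transport-Security "max-age=31536000"
```

Certificate renewal is unaffected by the header, because it is only honoured by browsers and the challenge path is still served over plain http.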

Additional directives for HTTPS
When the request comes over https Apache should pass it to the gitlab workhorse:

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
#Allow forwarding to gitlab-workhorse
ProxyPassReverse /
Require all granted
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
#RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
# The log directory used here is /var/log/apache2 (Debian/Ubuntu).
# On other distributions you might want to change this to
# /var/log/httpd.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/gitlab_error.log
CustomLog /var/log/apache2/gitlab_forwarded.log common_forwarded
CustomLog /var/log/apache2/gitlab_access.log combined env=!dontlog
CustomLog /var/log/apache2/gitlab.log combined

Install and configure Let’s Encrypt

Let’s Encrypt with Plesk is very easy, just install the extension. After that you have a Let’s Encrypt button in your subdomain settings.

There you can install a certificate by clicking install. Plesk automatically does the renewal.

Finished

That’s everything that has to be done. Here you can see that it works, but I’m sorry, you won’t get an account.