How To Secure GitLab server with SSL certificate

0
238

Recently we have cover the Installation of GitLab CE on CentOS 8. Today we will cover the steps that can be taken to secure your GitLab Server with SSL Certificates. Because SSL certificates provides enhanced security to you and protect from spams.

Here we will discuss two ways to configure GitLab with HTTPS access.

  • Commercial SSL Certificate like DigiCert,Comodo etc
  • Let’s Encrypt SSL

Secure GitLab Server with a Commercial SSL

First of all purchase the SSL from trusted providers like Comodo, DigiCert etc. Then download the Certificate file and put it with the private key to the /etc/gitlab/ssl/ directory.

 /etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt

Then configure your SSL settings using /etc/gitlab/gitlab.rb file.

As to use secure connection change External URL from http to https

external_url 'https://git.example.com'

Now, enable Nginx under ##Gitlab NGINX section then provide SSL key & certificate paths.

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"

Then do other SSL settings by reading & make the changes that fit for your deployment. When you have finished, run the below command.

sudo gitlab-ctl reconfigure

When the command finishes , visit the URL https://git.example.com to Login to your GitLab dashboard.

Secure GitLab Server with Let’s Encrypt SSL Certificate

Firstly Open the file /etc/gitlab/gitlab.rb & then look for Let’s Encrypt integration section.

To install Let’s Encrypt you must have a Domain name with Valid A record pointing to your GitLab Server. Set your server hostname to DNS name with a valid A record.

sudo hostnamectl set-hostname git.example.com --static

Do the similar configurations

etsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['[email protected]'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true

Specify the autorenew hour and day of the month for your certificate.

letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"

Then run the following command to take the effect of changes.

sudo gitlab-ctl reconfigure

Now, run the below command to Validate GitLab settings

l
$ sudo gitlab-rake gitlab:check
Checking GitLab Shell …
GitLab Shell version >= 8.4.1 ? … OK (8.4.1)
hooks directories in repos are links: … can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell … Finished
Checking Gitaly …
default … OK
Checking Gitaly … Finished
Checking Sidekiq …
Running? … yes
Number of Sidekiq processes … 1
Checking Sidekiq … Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP …
Server: ldapmain
LDAP authentication… Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP … Finished
Checking GitLab …
Git configured correctly? … yes
Database config exists? … yes
All migrations up? … yes
Database contains orphaned GroupMembers? … no
GitLab config exists? … yes
GitLab config up to date? … yes
Log directory writable? … yes
Tmp directory writable? … yes
Uploads directory exists? … yes
Uploads directory has correct permissions? … yes
Uploads directory tmp has correct permissions? … skipped (no tmp uploads folder yet)
Init script exists? … skipped (omnibus-gitlab has no init script)
Init script up-to-date? … skipped (omnibus-gitlab has no init script)
Projects have namespace: … can't check, you have no projects
Redis version >= 2.8.0? … yes
Ruby version >= 2.3.5 ? … yes (2.4.5)
Git version >= 2.9.5 ? … yes (2.18.1)
Git user has default SSH configuration? … yes
Active users: … 2
Checking GitLab … Finished

LEAVE A REPLY

Please enter your comment!
Please enter your name here