Gitlab + Mattermost Linux Apache2 SSL VirtualHost Configurationfiles

Gitlab installed from source:

https://docs.gitlab.com/ce/install/installation.html

Mattermost installed from source:

https://docs.mattermost.com/guides/administrator.html#install-guides

Needed modules:

# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers
# mod_proxy_balancer
# mod_proxy_wstunnel

Gitlab Apache Configfile:

<VirtualHost *:80>

ServerName gitlab.example.local
ServerSignature Off
ServerAdmin admin@example.local

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]

</VirtualHost>

<VirtualHost *:443>

ServerAdmin admin@example.local
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off

SSLCertificateFile      /etc/ssl/certs/webserver.pem
SSLCertificateKeyFile /etc/ssl/private/webservernopwd.key
SSLCertificateChainFile /etc/ssl/certs/chain.pem

ServerName gitlab.example.local
ServerSignature Off

ProxyPreserveHost On

AllowEncodedSlashes NoDecode

<Location />
Require all granted

#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://gitlab.example.local/
</Location>

RewriteEngine on

#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

# needed for downloading attachments
DocumentRoot /home/git/gitlab/public

#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/gitlab_error.log
CustomLog /var/log/apache2/gitlab_forwarded.log common_forwarded
CustomLog /var/log/apache2/gitlab_access.log combined env=!dontlog
CustomLog /var/log/apache2/gitlab.log combined

</VirtualHost>

Gitlab /etc/default/gitlab:

...
gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr localhost:8181 -authBackend http://127.0.0.1:8080"
...
#If installed:
gitlab_pages_options="-pages-domain example.com -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090" 
...

Gitlab /home/git/gitlab/config/gitlab.yml:

...
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: gitlab.example.local
    port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
...
  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: true
    host: 'https://mattermost.gitlab.example.local'
...

Mattermost Apache Configfile:

<VirtualHost *:80>

ServerName mattermost.gitlab.example.local
ServerAdmin admin@example.local

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>


<VirtualHost *:443>

ServerName mattermost.gitlab.example.local
ServerAdmin admin@example.local

SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

SSLCertificateFile      /etc/ssl/certs/webserver.pem
SSLCertificateKeyFile /etc/ssl/private/webservernopwd.key
SSLCertificateChainFile /etc/ssl/certs/chain.pem

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://127.0.0.1:8065/
ProxyPassReverse / http://127.0.0.1:8065/
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/api/v4/websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RequestHeader set X-Forwarded-Proto "https"

<Location /api/v4/websocket>
Require all granted
ProxyPassReverse http://127.0.0.1:8065
ProxyPassReverseCookieDomain 127.0.0.1 mattermost.gitlab.example.local
</Location>

<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8065
ProxyPassReverseCookieDomain 127.0.0.1 mattermost.gitlab.example.local

</Location>

ErrorLog ${APACHE_LOG_DIR}/error_mattermost.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access_mattermost.log combine

</VirtualHost>

<IfModule mod_ssl.c>

SSLStaplingCache shmcb:/var/run/ocsp(128000)

</IfModule>

Mattermost /opt/mattermost/config/config.json:

{
    "ServiceSettings": {
        "SiteURL": "https://mattermost.gitlab.example.local",
        "LicenseFileLocation": "",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "",
        "TLSCertFile": "",
        "TLSKeyFile": "",
        "UseLetsEncrypt": false,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": false,
...
        "EnableAPIv3": false,
...
        "WebsocketSecurePort": 443,
        "WebsocketPort": 80,
        "WebserverMode": "gzip",
...

    "GitLabSettings": {
        "Enable": true,
        "Secret": "<HIDDEN>",
        "Id": "<HIDDEN>",
        "Scope": "api",
        "AuthEndpoint": "https://gitlab.example.local/oauth/authorize",
        "TokenEndpoint": "https://gitlab.example.local/oauth/token",
        "UserApiEndpoint": "https://gitlab.example.local/api/v4/user"
    },

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
*