Commit 284b7bc1 authored by Marcel Amirault, committed by Achilleas Pipinellis

Docs: Realign several CE docs that diverged from EE unnecessarily

parent 8ef6e10c
...@@ -58,6 +58,7 @@ for each GitLab application server in your environment. ...@@ -58,6 +58,7 @@ for each GitLab application server in your environment.
# Disable components that will not be on the GitLab application server # Disable components that will not be on the GitLab application server
roles ['application_role'] roles ['application_role']
nginx['enable'] = true
# PostgreSQL connection details # PostgreSQL connection details
gitlab_rails['db_adapter'] = 'postgresql' gitlab_rails['db_adapter'] = 'postgresql'
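Review bot: The added `nginx['enable'] = true` sits directly under the comment "# Disable components that will not be on the GitLab application server", so the snippet now enables a component under a heading that says it disables them. Give the new line its own comment saying why Nginx has to be switched on explicitly alongside `roles ['application_role']`, or reword the existing comment to cover both.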
...@@ -90,6 +91,8 @@ for each GitLab application server in your environment. ...@@ -90,6 +91,8 @@ for each GitLab application server in your environment.
certificates are not present, Nginx will fail to start. See certificates are not present, Nginx will fail to start. See
[Nginx documentation](http://docs.gitlab.com/omnibus/settings/nginx.html#enable-https) [Nginx documentation](http://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
for more information. for more information.
>
> **Note:** It is best to set the `uid` and `gid`s prior to the initial reconfigure of GitLab. Omnibus will not recursively `chown` directories if set after the initial reconfigure.
## First GitLab application server ## First GitLab application server
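Review bot: The new note in the blockquote refers to "the `uid` and `gid`s" without naming any setting, and it is appended to a note that is otherwise about Nginx certificates, so a reader cannot tell which values are meant or where they are configured. Name the `gitlab.rb` keys or link to the section that defines them, and say what an administrator has to do when the values are changed after the first reconfigure, since the note only states that Omnibus will not recursively `chown`.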
...@@ -108,8 +111,9 @@ Additional GitLab servers (servers configured **after** the first GitLab server) ...@@ -108,8 +111,9 @@ Additional GitLab servers (servers configured **after** the first GitLab server)
need some extra configuration. need some extra configuration.
1. Configure shared secrets. These values can be obtained from the primary 1. Configure shared secrets. These values can be obtained from the primary
GitLab server in `/etc/gitlab/gitlab-secrets.json`. Add these to GitLab server in `/etc/gitlab/gitlab-secrets.json`. Copy this file to the
`/etc/gitlab/gitlab.rb` **prior to** running the first `reconfigure`. secondary servers **prior to** running the first `reconfigure` in the steps
above.
```ruby ```ruby
gitlab_shell['secret_token'] = 'fbfb19c355066a9afb030992231c4a363357f77345edd0f2e772359e5be59b02538e1fa6cae8f93f7d23355341cea2b93600dab6d6c3edcdced558fc6d739860' gitlab_shell['secret_token'] = 'fbfb19c355066a9afb030992231c4a363357f77345edd0f2e772359e5be59b02538e1fa6cae8f93f7d23355341cea2b93600dab6d6c3edcdced558fc6d739860'
......
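Review bot: Step 1 now says to copy `/etc/gitlab/gitlab-secrets.json` to the secondary servers, but the `ruby` block that follows still shows a per-key assignment (`gitlab_shell['secret_token'] = ...`) in the style of the old "add these to `/etc/gitlab/gitlab.rb`" wording, so the step gives two conflicting instructions. Either drop the block or state that it is an alternative to copying the file. Since the file holds the shared secrets, the step should also say to transfer it over a protected channel and keep its ownership and permissions, and the full-length hex token in the example would be safer as an obvious placeholder. "In the steps above" is vague; link the step that is meant.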
...@@ -8,7 +8,53 @@ choice already. Some examples including HAProxy (open-source), F5 Big-IP LTM, ...@@ -8,7 +8,53 @@ choice already. Some examples including HAProxy (open-source), F5 Big-IP LTM,
and Citrix Net Scaler. This documentation will outline what ports and protocols and Citrix Net Scaler. This documentation will outline what ports and protocols
you need to use with GitLab. you need to use with GitLab.
## Basic ports ## SSL
How will you handle SSL in your HA environment? There are several different
options:
- Each application node terminates SSL
- The load balancer(s) terminate SSL and communication is not secure between
the load balancer(s) and the application nodes
- The load balancer(s) terminate SSL and communication is *secure* between the
load balancer(s) and the application nodes
### Application nodes terminate SSL
Configure your load balancer(s) to pass connections on port 443 as 'TCP' rather
than 'HTTP(S)' protocol. This will pass the connection to the application nodes
Nginx service untouched. Nginx will have the SSL certificate and listen on port 443.
See [Nginx HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
for details on managing SSL certificates and configuring Nginx.
### Load Balancer(s) terminate SSL without backend SSL
Configure your load balancer(s) to use the 'HTTP(S)' protocol rather than 'TCP'.
The load balancer(s) will then be responsible for managing SSL certificates and
terminating SSL.
Since communication between the load balancer(s) and GitLab will not be secure,
there is some additional configuration needed. See
[Nginx Proxied SSL documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl)
for details.
### Load Balancer(s) terminate SSL with backend SSL
Configure your load balancer(s) to use the 'HTTP(S)' protocol rather than 'TCP'.
The load balancer(s) will be responsible for managing SSL certificates that
end users will see.
Traffic will also be secure between the load balancer(s) and Nginx in this
scenario. There is no need to add configuration for proxied SSL since the
connection will be secure all the way. However, configuration will need to be
added to GitLab to configure SSL certificates. See
[Nginx HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
for details on managing SSL certificates and configuring Nginx.
## Ports
### Basic ports
| LB Port | Backend Port | Protocol | | LB Port | Backend Port | Protocol |
| ------- | ------------ | --------------- | | ------- | ------------ | --------------- |
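Review bot: Under "Load Balancer(s) terminate SSL without backend SSL" the text says communication between the load balancer(s) and GitLab "will not be secure" and then only points to the proxied SSL settings, with no guidance on when that trade-off is acceptable. State that everything forwarded on that hop travels unencrypted, and point readers who cannot isolate that network segment to the backend SSL option. Smaller points in the same hunk: "the application nodes Nginx service" needs a possessive, and the heading capitalisation ("Load Balancer(s)") does not match the body text ("load balancer(s)").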
...@@ -16,9 +62,9 @@ you need to use with GitLab. ...@@ -16,9 +62,9 @@ you need to use with GitLab.
| 443 | 443 | TCP or HTTPS [^1] [^2] | | 443 | 443 | TCP or HTTPS [^1] [^2] |
| 22 | 22 | TCP | | 22 | 22 | TCP |
## GitLab Pages Ports ### GitLab Pages Ports
If you're using GitLab Pages with custom domain support you will need some If you're using GitLab Pages with custom domain support you will need some
additional port configurations. additional port configurations.
GitLab Pages requires a separate virtual IP address. Configure DNS to point the GitLab Pages requires a separate virtual IP address. Configure DNS to point the
`pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the `pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the
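Review bot: The demoted heading `### GitLab Pages Ports` keeps title case while its new sibling `### Basic ports` uses sentence case. Since this commit already touches the heading lines, align them, for example `### GitLab Pages ports`; the same applies to `### Alternate SSH Port` in the next hunk.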
...@@ -29,7 +75,7 @@ GitLab Pages requires a separate virtual IP address. Configure DNS to point the ...@@ -29,7 +75,7 @@ GitLab Pages requires a separate virtual IP address. Configure DNS to point the
| 80 | Varies [^3] | HTTP | | 80 | Varies [^3] | HTTP |
| 443 | Varies [^3] | TCP [^4] | | 443 | Varies [^3] | TCP [^4] |
## Alternate SSH Port ### Alternate SSH Port
Some organizations have policies against opening SSH port 22. In this case, Some organizations have policies against opening SSH port 22. In this case,
it may be helpful to configure an alternate SSH hostname that allows users it may be helpful to configure an alternate SSH hostname that allows users
......
...@@ -149,7 +149,7 @@ _The uploads are stored by default in ...@@ -149,7 +149,7 @@ _The uploads are stored by default in
[reconfigure gitlab]: restart_gitlab.md#omnibus-gitlab-reconfigure "How to reconfigure Omnibus GitLab" [reconfigure gitlab]: restart_gitlab.md#omnibus-gitlab-reconfigure "How to reconfigure Omnibus GitLab"
[restart gitlab]: restart_gitlab.md#installations-from-source "How to restart GitLab" [restart gitlab]: restart_gitlab.md#installations-from-source "How to restart GitLab"
[eep]: https://about.gitlab.com/gitlab-ee/ "GitLab Enterprise Edition Premium" [eep]: https://about.gitlab.com/gitlab-ee/ "GitLab Premium"
[ce]: https://about.gitlab.com/gitlab-ce/ "GitLab Community Edition" [ce]: https://about.gitlab.com/gitlab-ce/ "GitLab Community Edition"
[ee-3867]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3867 [ee-3867]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3867
[ce-17358]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17358 [ce-17358]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17358
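Review bot: Only the link title of `[eep]` changes to "GitLab Premium"; the reference label is still `eep` and the target is still `https://about.gitlab.com/gitlab-ee/`. Keeping the label avoids touching every use in the file, but confirm that the URL is still the right landing page for the renamed tier, so the title and destination do not disagree.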
This document was moved to [another location](./container_scanning.md). This document was moved to [another location](./container_scanning.md).
\ No newline at end of file