
Containerized GitLab deployment

GitLab deployment with Podman and an Nginx reverse proxy

Architecture

Internet (HTTPS:443) → Nginx (reverse proxy) → GitLab container (HTTP:8444)
Internet (SSH:6022)  → GitLab container (SSH:22, published directly by Podman, not through Nginx)

Principle: TLS is terminated at the Nginx reverse proxy. GitLab itself listens on plain HTTP on port 8444 and only knows that the client connection was HTTPS through the X-Forwarded-Proto and X-Forwarded-Ssl headers the proxy adds; without them GitLab believes it is serving plain HTTP and emits http:// links and redirects. Two things follow from terminating TLS in front of the container. Port 8444 must be reachable by the proxy alone, so publish it on the loopback address (127.0.0.1:8444:8444) rather than on every interface; otherwise anyone on the network can reach the plaintext backend directly and bypass TLS and HSTS. And because every request arrives from the proxy, GitLab's access logs, IP-based rate limits and audit events record the proxy's address unless it is declared trusted in gitlab.rb (gitlab_rails['trusted_proxies'] for Rails, nginx['real_ip_trusted_addresses'] for the bundled Nginx). Git over SSH does not go through Nginx: host port 6022 maps straight to the container's sshd on port 22.


Podman Compose configuration

File: docker-compose.yml

version: '3.8'

services:
  gitlab:
    image: gitlab/gitlab-ce:18.6.6-ce.0
    container_name: gitlab
    restart: always
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.com'

        # GitLab's bundled Nginx listens on plain HTTP; TLS is the
        # reverse proxy's job
        nginx['listen_port'] = 8444
        nginx['listen_https'] = false

        # Tell GitLab that the client-facing connection is HTTPS, so it
        # generates https:// URLs instead of redirecting clients to http://
        nginx['proxy_set_headers'] = {
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }

        # SSH: the port shown in clone URLs (host side of the 6022:22 mapping below)
        gitlab_rails['gitlab_shell_ssh_port'] = 6022

        # Timezone
        gitlab_rails['time_zone'] = 'Europe/Paris'

        # Disable unused services
        prometheus_monitoring['enable'] = false
        gitlab_kas['enable'] = false

    hostname: gitlab.example.com
    ports:
      # Plain-HTTP backend: bind to loopback only, so it is reachable by the
      # local Nginx but not from the network (a direct connection would bypass TLS)
      - "127.0.0.1:8444:8444"
      - "6022:22"    # Git over SSH, exposed directly (not proxied by Nginx)
    volumes:
      # On SELinux hosts (Fedora, RHEL) append :Z to each bind mount so the
      # container is allowed to write to it, e.g. ./config:/etc/gitlab:Z
      - ./config:/etc/gitlab
      - ./logs:/var/log/gitlab
      - ./data:/var/opt/gitlab

Nginx reverse proxy configuration

File: /etc/nginx/conf.d/gitlab.conf

# Close the upstream connection unless the client actually asked for an upgrade.
# Needed for WebSockets; an unconditional "Connection: upgrade" on every
# proxied request breaks ordinary HTTP/1.1 requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP → HTTPS redirect ($server_name rather than $host, so an attacker-chosen
# Host header cannot steer the redirect)
server {
    listen 80;
    listen [::]:80;
    server_name gitlab.example.com;
    return 301 https://$server_name$request_uri;
}

# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gitlab.example.com;

    # TLS certificate (Let's Encrypt); it must cover gitlab.example.com,
    # e.g. as a SAN or a wildcard for example.com
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS parameters: TLS 1.2/1.3 only and forward-secret AEAD suites only.
    # The common HIGH:!aNULL:!MD5 string still admits static-RSA and CBC suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Maximum request body (git push over HTTPS, uploads); larger requests get a 413
    client_max_body_size 100m;

    # Reverse proxy to GitLab (the container port published on loopback)
    location / {
        proxy_pass http://127.0.0.1:8444;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell GitLab the client connection was TLS (GitLab only sees plain HTTP)
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;

        # GitLab settings
        proxy_redirect off;
        proxy_buffering off;
        proxy_request_buffering off;   # stream large pushes instead of spooling them to disk
        proxy_http_version 1.1;

        # WebSocket support (live CI/CD job logs, web terminal)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Longer timeouts for GitLab (large clones and pushes)
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
    }
}
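A post-deployment check script for the two configurations above, added here as an example; it is not part of the original page and not a GitLab tool. It assumes ss and curl on the proxy host and uses the page's host name and ports (gitlab.example.com, 8444, 6022). The ss output and HTTP response headers embedded at the bottom are constructed samples of a correct and of an incorrect deployment, not captures from a real host, so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Post-deployment checks for the proxy-terminated GitLab setup (added example).
# Each check takes captured command output as text, so it runs against live
# output (--live) or against the constructed samples below.

# Check 1: is the plaintext GitLab port bound to loopback only?
#   $1 = output of `ss -ltnH`   $2 = port (8444)
# Returns 1 if the port is absent or listens on a non-loopback address.
listen_is_loopback_only() {
  local ss_out="$1" port="$2" found=0
  while read -r _state _rq _sq local_addr _rest; do
    case "$local_addr" in
      *:"$port")
        found=1
        case "$local_addr" in
          127.0.0.1:*|"[::1]":*) ;;   # loopback: what we want
          *) return 1 ;;              # 0.0.0.0, *, [::] or a LAN address: TLS can be bypassed
        esac ;;
    esac
  done <<EOF
$ss_out
EOF
  [ "$found" -eq 1 ]
}

# Check 2: does the port-80 vhost answer 301 to https:// on the expected host?
#   $1 = headers from `curl -sI http://HOST/`   $2 = expected host
redirect_is_https() {
  local hdrs
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qiE '^HTTP/[0-9.]+ 301' || return 1
  printf '%s\n' "$hdrs" | grep -qiE "^location: https://$2(/|\$)"
}

# Check 3: HSTS present on the HTTPS response with max-age of at least one year?
#   $1 = headers from `curl -sI https://HOST/`
hsts_is_strong() {
  local max_age
  max_age=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
              | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
  [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# Check 4: GitLab must never send an HTTPS client to http://. If it does, the
# X-Forwarded-Proto/X-Forwarded-Ssl headers are not reaching it.
#   $1 = headers from `curl -sI https://HOST/` (anonymous GET / is a 302 to the sign-in page)
no_http_location() {
  ! printf '%s\n' "$1" | tr -d '\r' | grep -qiE '^location: http://'
}

# ---- constructed samples (not captured from a real host) ----
SS_GOOD='LISTEN 0 4096 127.0.0.1:8444 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6022 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'
SS_BAD='LISTEN 0 4096 0.0.0.0:8444 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6022 0.0.0.0:*'
HDR_HTTP_GOOD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://gitlab.example.com/\r\n')
HDR_HTTPS_GOOD=$(printf 'HTTP/2 302\r\nlocation: https://gitlab.example.com/users/sign_in\r\nstrict-transport-security: max-age=31536000\r\n')
HDR_HTTPS_BAD=$(printf 'HTTP/2 302\r\nlocation: http://gitlab.example.com/users/sign_in\r\n')

# Runs every check against the samples; success means the checks behave as intended.
self_check() {
  listen_is_loopback_only "$SS_GOOD" 8444 &&
  ! listen_is_loopback_only "$SS_BAD" 8444 &&
  redirect_is_https "$HDR_HTTP_GOOD" gitlab.example.com &&
  hsts_is_strong "$HDR_HTTPS_GOOD" &&
  ! hsts_is_strong "$HDR_HTTPS_BAD" &&
  no_http_location "$HDR_HTTPS_GOOD" &&
  ! no_http_location "$HDR_HTTPS_BAD"
}

# Usage on the proxy host (assumes ss and curl are installed):
#   ./check-gitlab-proxy.sh --live gitlab.example.com
#   ./check-gitlab-proxy.sh --self-check
if [ "${1:-}" = "--live" ]; then
  host="${2:-gitlab.example.com}"
  listen_is_loopback_only "$(ss -ltnH)" 8444 && echo "ok   8444 bound to loopback only" \
    || echo "FAIL 8444 reachable off-host (publish it as 127.0.0.1:8444:8444)"
  redirect_is_https "$(curl -sI "http://$host/")" "$host" && echo "ok   80 redirects to https" \
    || echo "FAIL http redirect"
  https_hdrs=$(curl -sI "https://$host/")
  hsts_is_strong "$https_hdrs"   && echo "ok   HSTS >= 1 year" || echo "FAIL HSTS missing or short"
  no_http_location "$https_hdrs" && echo "ok   no http:// redirect" \
    || echo "FAIL GitLab redirects to http:// (check X-Forwarded-Proto on both Nginx instances)"
elif [ "${1:-}" = "--self-check" ]; then
  self_check && echo "self-check passed" || { echo "self-check FAILED"; exit 1; }
fi
```

Run it with --live on the proxy host once the container is up. The first check is the one most often missed: a published port with no host address listens on every interface, and a client that connects to 8444 directly talks to GitLab over plaintext with none of the TLS, HSTS or cipher policy configured in Nginx. The fourth check is the quickest way to spot missing forwarded-proto headers, which otherwise show up as redirect loops or mixed-content errors in the browser.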

Deployment

1. Prepare the volumes

mkdir -p gitlab/{config,logs,data}
cd gitlab

2. Create the docker-compose.yml file

Copy the configuration above and adapt it to your environment.