We have set-up a GitLab server (GitLab 7.0 Community Edition).
It is up and running and our colleagues can use it within the LAN (the IP address and Host are only visible from the LAN).
Some of the projects hosted on this GitLab instance should be "shared" with external users (not part of our company). We would like to let them access the Git repositories in order to be able to clone, pull and push.
The GitLab server will stay within the LAN. But we can setup a server in our DMZ which could reverse-proxy (or some other alternatives) the GitLab server. We would like however that only the ".git" URLs are accessible via HTTPS (so not give access to the GitLab WUI (Web User interface)).
How can we set-up the "reverse-proxy" in the DMZ to provide access for external users (on the internet) to our internal Git repositories hosted on GitLab?
Wishes:
- Only
https://*/*.git/*
URLs should be allowed externally; - HTTP basic authentication on the reverse proxy would be a plus;
- But GitLab authentication mechanism over HTTPS shall remain;
- Local user on our LAN should still be able to use SSH for Git operations;
- GitLab Web UI should not be accessible externally;
Note: we do have already a server in our DMZ with NGINX running. If we can use this "software stack" to do the reverse-proxying, that would be great.
Note2: this question already had a bounty of 100 which has expired and the points were lost. If I get an answer which solve my problem, I will open a bounty and reward the answer with it.
Answer
Did you try the obvious naive solution?
server {
[...ssl and servername stuff...]
location / {
# fake the hostname to the hostname that gitlab expects
#
proxy_set_header Host hostname-for-gitlabhost;
proxy_pass https://internal-gitlab-instance;
proxy_read_timeout 90;
}
}
Additionally, you might set the location to something that allows only the
https://...../*.gitURLs
This should work:
Instead of
location /above, something like:
location ~ ^/(.*\.git) {
proxy_set_header Host hostname-for-gitlabhost;
proxy_pass https://internal-gitlab-instance/$1;
proxy_read_timeout 90;
}
This captures the request-uri and adds it to the proxy call withing the location statement.
I am not really sure if this works, just typed it from the top of my head.
No comments:
Post a Comment