Tips and Tricks of self-host gitlab setup

Installation

We do not need to set up PostgreSQL and Redis separately for GitLab's official Omnibus image, because the GitLab Omnibus image (gitlab/gitlab-ee or gitlab/gitlab-ce) includes everything: PostgreSQL, Redis, Sidekiq, NGINX, etc., all bundled inside one container.

When would you set up Postgres/Redis separately? Only if you:
  •  Want to run externalized services (for HA, backups, or performance tuning).
  •  Are using GitLab in a highly available or scaled-out architecture.
  •  Have data compliance rules requiring separation of services.
For most users, especially with Docker and small teams, the Omnibus image is all you need.

Reconfig ports

By default, GitLab listens on ports 80 (HTTP) and 443 (HTTPS) inside the container. To change this you need to update the Omnibus configuration and re-run the reconfigure command:
  • Set the external_url to `http://gitlab.wedaita.com` and the port to `8929` in the GITLAB_OMNIBUS_CONFIG environment variable.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.wedaita.com'
        nginx['listen_port']   = 8929
        nginx['listen_https']  = false                         # disable HTTPS inside, GitLab itself doesn't do HTTPS
        letsencrypt['enable']  = false                         # disable internal LE, you're using external LE
        gitlab_rails['gitlab_shell_ssh_port'] = 2424

        # NEW: tell GitLab which proxies to trust
        gitlab_rails['trusted_proxies'] = ['172.24.0.0/16']   # ← replace with your subnet

        # Tell GitLab it's behind a secure proxy
        nginx['proxy_set_headers'] = {
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        # this is for IDE
        gitlab_rails['omniauth_redirect_url'] = 'https://gitlab.wedaita.com/-/ide/oauth_redirect'
  • Run gitlab-ctl reconfigure inside the container:
docker-compose down
docker-compose up -d

docker exec -it gitlab gitlab-ctl reconfigure
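The steps above assume a docker-compose.yml that carries the GITLAB_OMNIBUS_CONFIG and publishes the two ports. The file below is an added example, not the post's own compose file: it wires the settings from this section (external_url, listen_port 8929, SSH port 2424, trusted_proxies 172.24.0.0/16) to the port mappings and to a Docker network whose subnet matches the trusted_proxies entry. The image tag, the volume paths and the network name `proxy` are assumptions.

```yaml
# docker-compose.yml (added example; values marked "assumed" are not from the post)
services:
  gitlab:
    image: gitlab/gitlab-ce:latest        # assumed tag; the post uses the Omnibus image
    container_name: gitlab                # matches "docker exec -it gitlab ..." in the post
    hostname: gitlab.wedaita.com
    restart: unless-stopped
    shm_size: "256m"                      # Omnibus recommends a larger /dev/shm for Prometheus
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.wedaita.com'
        nginx['listen_port']   = 8929       # plain HTTP; TLS terminates at the external proxy
        nginx['listen_https']  = false
        letsencrypt['enable']  = false
        gitlab_rails['gitlab_shell_ssh_port'] = 2424   # only changes the port shown in clone URLs
        # Only the proxy network is trusted to set X-Forwarded-* headers.
        gitlab_rails['trusted_proxies'] = ['172.24.0.0/16']
        nginx['proxy_set_headers'] = {
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        gitlab_rails['omniauth_redirect_url'] = 'https://gitlab.wedaita.com/-/ide/oauth_redirect'
    ports:
      - "8929:8929"   # HTTP from the TLS-terminating reverse proxy (nginx listen_port)
      - "2424:22"     # sshd inside the container still listens on 22; 2424 is the host port
    volumes:            # assumed host paths; keep /etc/gitlab outside the container for backups
      - ./config:/etc/gitlab
      - ./logs:/var/log/gitlab
      - ./data:/var/opt/gitlab
    networks:
      - proxy

networks:
  proxy:                # assumed name; the subnet must match trusted_proxies above
    ipam:
      config:
        - subnet: 172.24.0.0/16
```

Two points worth checking after `docker-compose up -d`: the SSH mapping is `2424:22`, not `2424:2424`, because `gitlab_shell_ssh_port` only changes the port GitLab advertises in clone URLs; and the `trusted_proxies` subnet should be no wider than the network the reverse proxy actually sits on, since any container inside that range can set `X-Forwarded-For` and so choose the client IP that GitLab records in its logs and uses for rate limiting. If the reverse proxy runs inside the same Docker network, the `8929:8929` mapping can be dropped entirely so GitLab is not reachable over plain HTTP from the host's interfaces.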
What gitlab-ctl reconfigure actually does

GitLab Omnibus uses Chef scripts under the hood. When the container starts:
  • It reads your GITLAB_OMNIBUS_CONFIG (from env).
  • Then it generates configuration files (like NGINX, Unicorn, etc.) from templates.
  • Finally, it starts the services (Puma, Redis, GitLab Shell, etc.).
Root account:
  • username `root`
  • Retrieve the password: `docker exec -it gitlab cat /etc/gitlab/initial_root_password`

SSH:

Some ISPs (especially home ISPs) block inbound connections on uncommon ports such as 80, 443, 22 and 2424. To allow inbound connections on port 2424, you need to add a port-forwarding rule to your router. The rules used here forward to the GitLab host at 192.168.1.235:
Name        External port  Protocol  Internal IP    Internal port  Schedule
wedaita     80             TCP       192.168.1.235  80             Always
wedaita     443            TCP       192.168.1.235  443            Always
gitlab-ssh  2424           TCP       192.168.1.235  2424           Always

Web Editor

GitLab dynamically constructs OAuth redirect URLs from the external_url. If you're accessing GitLab with a different domain or protocol (HTTP vs HTTPS) than what external_url is set to, GitLab's internal OAuth validation will reject the redirect. Once GitLab is properly reconfigured with the correct external_url, it will internally register `https://gitlab.wedaita.com/-/ide/oauth_redirect` as a valid OAuth callback. To confirm:
  • Log in to GitLab as Admin.
  • Go to Admin Area → Applications (/admin/applications).
  • Look for the OAuth application used for the Web IDE (or create one).

General CICD deployment rules

  1. The pipeline normally has 3 stages:
  • build
  • test
  • deployment
  2. The deployment stage normally depends on the build and test stages, so deployment runs only when build and test have succeeded. The deployment stage should have at least 3 environments:
  • dev (or QA): this environment should be run completely locally by developers; the environment could be slightly different for each user.
  • staging: this environment should run automatically when there is a commit to the release branch, or a protected tag can be used to trigger the deployment. NOTE: the protected tag should be created by the admin.
  • production: this environment can be run manually, and only when the staging environment is successful.

Docker Registry

GitLab only tracks image repositories rooted at the project's registry path. So if your project is `learning-gitlab/cicd`, you can only see images pushed to `registry.wedaita.com/learning-gitlab/cicd:<tag>` in the GitLab UI.
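The deployment rules from the previous section and the registry-path rule above fit together in one pipeline. The `.gitlab-ci.yml` below is an added example, not the post's own pipeline: build pushes the image to `$CI_REGISTRY_IMAGE` (which expands to the project path, so the image shows up in the project's registry page), test depends on build, staging runs automatically on the release branch or a protected tag, and production is a manual job that can only start after staging succeeded. The branch name `release`, the environment URLs and the `run-tests.sh` / `deploy.sh` scripts are assumptions; dev is not a job because the post says it runs on the developers' own machines.

```yaml
# .gitlab-ci.yml (added example; scripts and URLs marked "assumed" are not from the post)
stages:
  - build
  - test
  - deploy

variables:
  # registry.wedaita.com/learning-gitlab/cicd:<short sha> for the project used in the post
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  DOCKER_TLS_CERTDIR: "/certs"

build:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  script:
    # CI_REGISTRY_* are job-scoped credentials; no long-lived token is stored in the repo
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

test:
  stage: test
  image: $IMAGE            # test exactly the artifact that will be deployed
  needs: [build]
  script:
    - ./run-tests.sh       # assumed: the project's own test entrypoint

deploy_staging:
  stage: deploy
  needs: [build, test]     # deployment only runs when build and test succeeded
  environment:
    name: staging
    url: https://staging.wedaita.com   # assumed
  script:
    - ./deploy.sh staging "$IMAGE"     # assumed deploy helper
  rules:
    - if: $CI_COMMIT_BRANCH == "release"                       # assumed release branch name
    - if: $CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true" # protected tag created by an admin

deploy_production:
  stage: deploy
  needs: [deploy_staging]  # cannot start unless the staging job passed
  environment:
    name: production
    url: https://wedaita.com           # assumed
  script:
    - ./deploy.sh production "$IMAGE"
  rules:
    - if: $CI_COMMIT_BRANCH == "release"
      when: manual
    - if: $CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"
      when: manual
```

`$CI_COMMIT_REF_PROTECTED` is what enforces the "protected tag created by the admin" rule: an unprotected tag pushed by any developer does not match, so it cannot trigger staging or production. Pinning the deploy jobs to the same `$IMAGE` digest that was tested, rather than rebuilding in the deploy stage, keeps what reaches production identical to what passed the test stage.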

How to Fix (Increase Registry Size Limit)

You need to configure registry_nginx['client_max_body_size'] in /etc/gitlab/gitlab.rb and re-run gitlab-ctl reconfigure:
registry_nginx['client_max_body_size'] = '0'   # unlimited
If GitLab sits behind your own nginx reverse proxy, also edit the nginx config serving the registry (/etc/nginx/sites-enabled/gitlab-registry.conf):
server {
    location /v2/ {
        client_max_body_size 0;
    }
}
Comments (1)
Wenliang Zhang 2 months, 4 weeks ago

for my own note