Using GitLab behind nginx enabled basic_auth?

Question

I've successfully installed GitLab for management of private repositories (it's quite awesome!).

The problem I am having is by default, Gitlab login is presented when anyone hits my subdomain. I would like to protect the entire area with a basic_auth layer before the user gets the GitLab login screen. Unfortunately, this breaks my ability to push/pull from GitLab when it's enabled.

my nginx config to enable basic_auth:

  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;

Any ideas on how I can enable basic_auth without breaking git / gitlab functionality?

Answer 1

Add this to /etc/gitlab/gitlab.rb:

nginx['custom_gitlab_server_config'] = "auth_basic 'Restricted';\n  auth_basic_user_file htpasswd;\n"

And run gitlab-ctl reconfigure

Answer 2

Kind of a hack at the moment but give this is a shot.

Edit your nginx site configuration to add / modify the following locations

location ^~ /api/v3/internal/allowed {
    proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_redirect     off;

    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Host              $http_host;
    proxy_set_header   X-Real-IP         $remote_addr;

    proxy_pass http://gitlab;}

location / {
    auth_basic "Gitlab Restricted Access";
    auth_basic_user_file  /home/git/gitlab/htpasswd.users;
    # serve static files from defined root folder;.
    # @gitlab is a named location for the upstream fallback, see below
    try_files $uri $uri/index.html $uri.html @gitlab;
}

Leaving your @gitlab location block as is.

The trick is you let /api/v3/internal/allowd bypass the authentication. If you look at the logs when you do an git pull / push a request is made to the server whether or not to allow it. And on the standard nginx config with htpasswd that request would be blocked because the server has no idea about the authentication required.

Anyway not sure if there's a better alternative (couldn't find any) but this seems to work for me.

Answer 3

Your issue is that you want set a password restriction for public access to GitLab, but let Gitlab-Shell access the local GitLab instance without restriction.

You can have 2 nginx configurations depending on the IP interface. Change the line listen 0.0.0.0:80 default_server to listen 127.0.0.1:80 default_server.

https://github.com/gitlabhq/gitlabhq/blob/v7.7.2/lib/support/nginx/gitlab#L37-38