Docker Compose and NGINX configuration for running GitLab with Kerberos (Active Directory) single sign-on: NGINX terminates TLS in front of GitLab, including a dedicated Negotiate port, and Portainer is included for container management.
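version: '3'
services:
  # NGINX terminates TLS in front of GitLab. The certificate/key pair is
  # whatever lives in /etc/cert on the host (the gist describes a self-signed
  # one); clients then have to trust that certificate explicitly.
  nginx:
    # NOTE(review): 'latest' is unpinned — pin a specific tag (ideally a
    # digest) so a rebuild does not silently pull a different nginx.
    image: 'nginx:latest'
    ports:
      - '80:80'
      - '443:443'
      # Dedicated Kerberos (Negotiate) port, passed through as a TLS stream.
      - '8443:8443'
    volumes:
      # nginx only reads its configuration, so mount it read-only.
      - './volumes/nginx/config:/etc/nginx:ro'
      - '/etc/cert:/etc/cert:ro'
    restart: always
  # GitLab itself. Only ports GitLab actually listens on are published;
  # all HTTP(S) traffic reaches it through the nginx container.
  gitlab:
    # NOTE(review): as above, pin the image tag for reproducible deployments.
    image: 'gitlab/gitlab-ee:latest'
    # hostname + domainname form the FQDN. It must match the host part of the
    # HTTP/<fqdn> service principal in the keytab and the name users type into
    # the browser — Kerberos SPNs are matched by name, not by IP address.
    hostname: 'YourMachine'
    domainname: 'your.domain.com'
    expose:
      - '80'
      - '8443'
    ports:
      # Git over SSH. Publishing 22:22 collides with the host's own sshd; use
      # e.g. '2222:22' together with gitlab_rails['gitlab_shell_ssh_port'] if
      # the host keeps its SSH daemon on 22.
      - '22:22'
      # Kerberos port 88 is deliberately not published: GitLab is a Kerberos
      # *client* here (it validates tickets with its keytab and talks outbound
      # to the KDC, which needs no published port). Nothing in the container
      # listens on 88, so publishing it only forwarded host traffic to nothing.
    volumes:
      - './volumes/gitlab/data:/var/opt/gitlab'
      # Holds gitlab.rb, the keytab and gitlab-secrets.json — restrict host
      # filesystem permissions on this directory accordingly.
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/backups:/var/opt/gitlab/backups'
    restart: always
  # Portainer with the Docker socket mounted. Whoever reaches this UI (or finds
  # it before the initial admin password is set) effectively has root on the
  # host, so it is bound to loopback only: reach it through an SSH tunnel or
  # put it behind the TLS proxy with authentication in front of it.
  portainer:
    image: 'portainer/portainer:latest'
    ports:
      - '127.0.0.1:9000:9000'
    volumes:
      - './volumes/portainer:/data'
      # Host-root-equivalent access; see the note above.
      - '/var/run/docker.sock:/var/run/docker.sock'
    restart: always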
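# /etc/gitlab/gitlab.rb — Kerberos (SPNEGO) single sign-on against Active
# Directory, behind a TLS-terminating nginx.
#
# The keytab must contain the HTTP/<fqdn>@REALM service principal for the
# host name users browse to. Anyone who can read it can impersonate this
# GitLab towards the realm, so keep it mode 0600 and owned by root.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']
# Accounts created on first Kerberos login start blocked until an
# administrator approves them. This is GitLab's default; it is spelled out
# so the intent survives upgrades and copy/paste.
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['kerberos_enabled'] = true
gitlab_rails['kerberos_keytab'] = '/etc/gitlab/http.keytab'
# Ticket-based (Negotiate) authentication gets its own listener so the
# browser's Negotiate handshake does not collide with basic-auth on the main
# port.
gitlab_rails['kerberos_use_dedicated_port'] = true
gitlab_rails['kerberos_port'] = 8443
# TLS for the dedicated port is terminated by the nginx container (stream
# proxy); nginx -> GitLab stays plain HTTP on the docker network, so the
# bundled listener on 8443 must not expect TLS itself.
# NOTE(review): GitLab also uses this flag when it builds the clone URL it
# shows for the dedicated port — confirm the displayed URL is https after
# deploying.
gitlab_rails['kerberos_https'] = false
# Because TLS ends at the outer nginx, the bundled nginx must serve plain
# HTTP on 80 while GitLab still advertises https URLs. The external_url is
# a placeholder: use the FQDN users browse to (same name as in the SPN).
external_url 'https://YourMachine.your.domain.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false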
# Connection-processing settings; 1024 simultaneous connections per worker.
events {
  worker_connections 1024;
}
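http {
  # GitLab sends large cookies and Negotiate tokens are big; nginx's default
  # header buffers would answer those requests with 400.
  large_client_header_buffers 4 32k;
  # Git pushes over HTTPS are cut off by nginx's 1m default body limit;
  # 0 disables it here and leaves enforcement to GitLab.
  client_max_body_size 0;

  # Redirect every plain-HTTP request to HTTPS.
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  # Reverse proxy for the GitLab web UI and Git over HTTPS.
  server {
    listen 443 ssl;
    ssl_certificate /etc/cert/cert.pem;
    ssl_certificate_key /etc/cert/key.pem;
    # Pin modern TLS explicitly instead of relying on the build's default.
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): must match the certificate's name and the HTTP/<fqdn> SPN
    # in GitLab's keytab, otherwise browsers will not offer Negotiate.
    server_name t1-git-01;
    location / {
      # Resolve the upstream through Docker's embedded DNS at request time so
      # nginx starts even when gitlab is not up yet and follows the new IP
      # when the container is recreated. Only works because proxy_pass gets
      # a variable rather than a literal host name.
      resolver 127.0.0.11 valid=30s;
      set $upstream_gitlab gitlab;
      proxy_pass http://$upstream_gitlab:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Tell GitLab the client used TLS; without these it builds http://
      # URLs and redirects behind a TLS-terminating proxy.
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Ssl on;
    }
  }
}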
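# Dedicated Kerberos (Negotiate) port: TLS is terminated here and the
# decrypted byte stream is handed to GitLab's plain-HTTP listener on 8443.
# This is a TCP proxy, so no X-Forwarded-* headers can be injected; GitLab
# sees nginx's address as the client for these requests.
stream {
  server {
    listen 8443 ssl;
    ssl_certificate /etc/cert/cert.pem;
    ssl_certificate_key /etc/cert/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same runtime-resolution trick as the http block. With a literal host in
    # proxy_pass the resolver directive is ignored: the name is looked up once
    # at startup (failing if gitlab is not running yet) and a new container IP
    # is never picked up. `set` in stream needs ngx_stream_set_module
    # (nginx >= 1.19.3, included in nginx:latest).
    resolver 127.0.0.11 valid=30s;
    set $upstream_gitlab_krb gitlab;
    proxy_pass $upstream_gitlab_krb:8443;
  }
}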