Docker Compose and NGINX configuration for setting up GitLab with Kerberos as AD authentication
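version: '3'
services:
  # NGINX terminates TLS in front of GitLab (self-signed certificate read
  # from /etc/cert) and forwards plain HTTP / the Kerberos stream to the
  # gitlab service over the compose network only.
  nginx:
    # NOTE(review): "latest" is an unpinned tag; pin a version or digest so
    # redeploys are reproducible and image changes are deliberate.
    image: 'nginx:latest'
    ports:
      - '80:80'
      - '443:443'
      - '8443:8443'
    volumes:
      # Bind-mount of the config directory (host:container). The original
      # line lacked the ':' separator and so never mounted the config.
      # nginx only reads /etc/nginx, hence read-only.
      - './volumes/nginx/config:/etc/nginx:ro'
      - '/etc/cert:/etc/cert:ro'
    restart: always

  # The actual GitLab container configuration
  gitlab:
    # NOTE(review): unpinned tag, same remark as for nginx.
    image: 'gitlab/gitlab-ee:latest'
    hostname: 'YourMachine'
    domainname: 'your.domain.com'
    # Reachable only from other compose services: nginx proxies 80 (HTTP)
    # and 8443 (Kerberos stream); neither is published on the host.
    expose:
      - '80'
      - '8443'
    ports:
      # SSH port (quoted: an unquoted 22:22 parses as a sexagesimal int)
      - '22:22'
      # Kerberos requires, according to the reference,
      # a TCP outbound and a UDP inbound over port 88
      - '88:88/tcp'
      - '88:88/udp'
    volumes:
      - './volumes/gitlab/data:/var/opt/gitlab'
      # Holds the keytab referenced by gitlab.rb; keep host permissions tight.
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/backups:/var/opt/gitlab/backups'
    restart: always

  # Portainer container accessing the docker socket on
  # the host system for better docker management and
  # monitoring
  portainer:
    image: 'portainer/portainer:latest'
    # NOTE(review): the UI is plain HTTP on every host interface; restrict
    # it (firewall, or bind to a specific address) if the host is reachable
    # from untrusted networks.
    ports:
      - '9000:9000'
    volumes:
      - './volumes/portainer:/data'
      # The original line was missing the "- " list marker and would not
      # parse as a sequence item. Access to the Docker socket is equivalent
      # to root on the host, so Portainer's credentials guard the whole box.
      - '/var/run/docker.sock:/var/run/docker.sock'
    restart: always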
# OmniAuth provides the SSO framework; Kerberos is the only provider whose
# sign-ins are allowed to create a GitLab account automatically.
# NOTE(review): auto-created accounts are governed by
# omniauth_block_auto_created_users (GitLab's default blocks them until an
# admin approves) -- confirm the intended behaviour for this deployment.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = %w[kerberos]

# Kerberos provider; the service keytab lives in the mounted config volume
# (/etc/gitlab), so host-side file permissions on that volume protect it.
gitlab_rails['kerberos_enabled'] = true
gitlab_rails['kerberos_keytab'] = '/etc/gitlab/http.keytab'

# Ticket-based authentication needs its own listener. Port 8443 matches the
# port NGINX's stream block forwards to.
gitlab_rails['kerberos_use_dedicated_port'] = true
gitlab_rails['kerberos_port'] = 8443

# TLS for the Kerberos listener is terminated by NGINX, which forwards the
# decrypted traffic over plain HTTP on the Docker-internal network, so the
# listener itself stays HTTP-only.
gitlab_rails['kerberos_https'] = false
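events {
    worker_connections 1024;
}

http {
    large_client_header_buffers 4 32k;
    # Git pushes over HTTP routinely exceed nginx's 1m default request-body
    # limit; 0 disables the check so GitLab receives the whole push.
    client_max_body_size 0;

    # Automatically redirect all incoming HTTP requests to HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # GitLab server reverse proxy (TLS terminated here, HTTP to the container)
    server {
        listen 443 ssl;
        ssl_certificate /etc/cert/cert.pem;
        ssl_certificate_key /etc/cert/key.pem;
        # Without this nginx falls back to its built-in protocol list, which
        # on older images still includes TLSv1/TLSv1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): should be the public name clients use; the compose
        # file sets hostname 'YourMachine', so the two may need aligning.
        server_name t1-git-01;
        location / {
            # Docker's embedded DNS; using a variable in proxy_pass defers
            # resolution so nginx starts even if gitlab is not up yet and
            # follows container IP changes.
            resolver 127.0.0.11 valid=30s;
            set $upstream_gitlab gitlab;
            proxy_pass http://$upstream_gitlab:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # GitLab builds absolute URLs from this; without it the app sees
            # plain HTTP behind the proxy and generates http:// links.
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

# Kerberos request reverse stream proxy
stream {
    server {
        listen 8443 ssl;
        ssl_certificate /etc/cert/cert.pem;
        ssl_certificate_key /etc/cert/key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): the resolver only applies when proxy_pass holds a
        # variable; with the literal name below, "gitlab" is resolved once
        # at startup, so nginx fails to start if the container is absent and
        # does not track IP changes -- verify against the nginx version in use.
        resolver 127.0.0.11 valid=30s;
        proxy_pass gitlab:8443;
    }
}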