Adding these EV:
28.3.2017 16:39:502017-03-28 14:39:50,678 INFO exited: nginx (exit status 1; not expected)
28.3.2017 16:39:532017-03-28 14:39:53,342 INFO spawned: 'nginx' with pid 3221
28.3.2017 16:39:532017-03-28 14:39:53,376 INFO exited: nginx (exit status 1; not expected)
28.3.2017 16:39:562017-03-28 14:39:56,385 INFO spawned: 'nginx' with pid 3223
28.3.2017 16:39:562017-03-28 14:39:56,422 INFO exited: nginx (exit status 1; not expected)
28.3.2017 16:39:572017-03-28 14:39:57,424 INFO gave up: nginx entered FATAL state, too many start retries too quickly
Yes I see the same error as well
Try attaching to the container after it starts (depending on the method you use, docker or docker compose, see https://github.com/sameersbn/docker-gitlab#shell-access for docker or use docker-compose exec gitlab bash for docker-compose) and execute nginx -t. I suspect that it is due to the ipv6 declaration in the pages that is not altered if you do not have ipv6 enabled (like it is done for other config https://github.com/sameersbn/docker-gitlab/blob/master/assets/runtime/functions#L968)
The following patch should probably help, but I do not have means to test it at this time:
diff --git a/assets/runtime/functions b/assets/runtime/functions
index af7b710..e0db170 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -988,11 +988,18 @@ nginx_configure_gitlab_hsts() {
nginx_configure_gitlab_ipv6() {
if [[ ! -f /proc/net/if_inet6 ]]; then
- # disable ipv6 support
+ # disable ipv6 support in nginx for gitlab
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_NGINX_CONFIG}
+ # disable ipv6 support in nginx for pages
+ if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
+ sed -i \
+ -e "/listen \[::\]:80/d" \
+ -e "/listen \[::\]:443/d" \
+ ${GITLAB_PAGES_NGINX_CONFIG}
+ fi
fi
}
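Review bot: The added pages block (the second `sed -i`) passes `${GITLAB_PAGES_NGINX_CONFIG}` unquoted and never checks that the file exists; if the variable is empty or the pages vhost has not been installed at this point, `sed -i` fails for lack of an input file. Suggest adding `-f ${GITLAB_PAGES_NGINX_CONFIG}` to the `GITLAB_PAGES_ENABLED` test and quoting the operand. The two `-e` expressions are also copied verbatim from the gitlab block above; a small helper that takes the file name would keep the two vhosts from drifting apart.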
root@a5a195b993d2:/home/git/gitlab# sudo nginx -t
nginx: [emerg] directive "return" is not terminated by ";" in /etc/nginx/sites-enabled/gitlab-pages:17
nginx: configuration file /etc/nginx/nginx.conf test failed
Environment parameters are not substituted in this file I think
@Daxten can you paste that file (nginx config for pages) here, I do not think there should be anything in there that is not semicolon terminated.
I've got the same error here. As @Daxten said, it looks like the gitlab_pages file was not "processed", because its variables were not replaced.
Here is the file's content:
Redirects all HTTP traffic to the HTTPS host
server {
Either remove "default_server" from the listen line below,
or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
to be served if you visit any address that your server responds to, eg.
the ip address of the server (http://x.x.x.x/)
listen 0.0.0.0:80;
listen [::]:80;
Replace this with something like pages.gitlab.com
server_name ~^.*gitlabpages\.mydomain\.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$host:{{GITLAB_PORT}}$request_uri;
access_log /var/log/gitlab/nginx/gitlab_pages_access.log;
error_log /var/log/gitlab/nginx/gitlab_pages_error.log;
}
Pages serving host
server {
listen 0.0.0.0:443 ssl;
listen [::]:443 ipv6only=on ssl http2;
Replace this with something like pages.gitlab.com
server_name ~^.*gitlabpages\.mydomain\.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
Strong SSL Security
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate {{SSL_PAGES_CERT_PATH}};
ssl_certificate_key {{SSL_PAGES_KEY_PATH}};
GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
See app/controllers/application_controller.rb for headers set
[Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
Replace with your ssl_trusted_certificate. For more info see:
- https://medium.com/devops-programming/4445f4862461
- https://www.ruby-forum.com/topic/4419319
- https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
[Optional] Generate a stronger DHE parameter:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam {{SSL_DHPARAM_PATH}};
Individual nginx logs for this GitLab vhost
access_log /var/log/gitlab/nginx/gitlab_pages_access.log;
error_log /var/log/gitlab/nginx/gitlab_pages_error.log;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# The same address as passed to GitLab Pages: -listen-proxy
proxy_pass http://localhost:8090/;
}
Define custom error pages
error_page 403 /403.html;
error_page 404 /404.html;
}
It would help if you used correct paste quotes around the file, as is, it is hard to read.
Also, 8.17 had a bug for that config and I submitted a patch to fix it, which should be in the 9+ version.
Or maybe I am wrong, but some more debug output from container should help.
@phpb-com Thanks for your help.
I'm using the 9.0.2 version, so I think it wasn't fixed.
During the container's creation, the following lines related to the nginx config for pages were shown in the log:
+ nginx_configure_pages
++ echo gitlabpages.mydomain.com
++ sed 's/\./\\\\./g'
+ local 'GITLAB_PAGES_DOMAIN=gitlabpages\\.mydomain\\.com'
+ [[ true == true ]]
+ echo 'Configuring nginx::gitlab-pages...'
Configuring nginx::gitlab-pages...
+ [[ false == true ]]
+ update_template /etc/nginx/sites-enabled/gitlab-pages GITLAB_PAGES_DOMAIN GITLAB_LOG_DIR
+ local FILE=/etc/nginx/sites-enabled/gitlab-pages
+ shift
+ [[ ! -f /etc/nginx/sites-enabled/gitlab-pages ]]
+ VARIABLES=($@)
+ local VARIABLES
++ stat -c %U /etc/nginx/sites-enabled/gitlab-pages
+ local USR=root
++ mktemp
+ local tmp_file=/tmp/tmp.07II4lBmkg
+ cp -a /etc/nginx/sites-enabled/gitlab-pages /tmp/tmp.07II4lBmkg
+ local variable
+ for variable in '${VARIABLES[@]}'
+ sed -ri 's/[{]{2}GITLAB_PAGES_DOMAIN[}]{2}/${GITLAB_PAGES_DOMAIN}/g' /tmp/tmp.07II4lBmkg
+ for variable in '${VARIABLES[@]}'
+ sed -ri 's/[{]{2}GITLAB_LOG_DIR[}]{2}/${GITLAB_LOG_DIR}/g' /tmp/tmp.07II4lBmkg
+ export GITLAB_PAGES_DOMAIN GITLAB_LOG_DIR
+ local IFS=:
+ sudo -HEu root envsubst '$GITLAB_PAGES_DOMAIN:$GITLAB_LOG_DIR'
+ rm -f /tmp/tmp.07II4lBmkg
+ case ${1} in
@brunosavyofs What are your startup parameters? Seeing your nginx config and debug output, I can only see that you have gitlab-pages-ssl being updated with the HTTP-only function (https://github.com/sameersbn/docker-gitlab/blob/master/assets/runtime/functions#L1301). That means that you have SSL_PAGES_CERT_PATH SSL_PAGES_KEY_PATH files present on the system. You can probably remove/rename them as a workaround for now to fix that.
The line linked above should be patched:
-if [[ -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
+if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
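Review bot: On the changed `if` line, when GITLAB_PAGES_HTTPS is true but either `-f` test fails, the condition is false without any message, so an operator who asked for HTTPS and mis-pathed the cert or key gets the other branch with no hint why. Suggest logging a warning when the flag is true and one of the files is missing. The comparison is also an exact string match on `true`, so the accepted value is worth stating in the README.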
Also, there is a bug that uses registry key/cert for pages cert/key value assignment. So if you have a certificate assigned to the registry, you will have this bug surface.
https://github.com/sameersbn/docker-gitlab/blob/master/assets/runtime/env-defaults#L142
should be fixed with:
-SSL_PAGES_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
-SSL_PAGES_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
+SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
+SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
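Review bot: The removed lines took the pages key and cert from SSL_REGISTRY_KEY_PATH and SSL_REGISTRY_CERT_PATH, so an install that set only the registry variables was serving pages with those files; after this change it falls back to $GITLAB_DATA_DIR/certs/pages.key and pages.crt instead. The fix is right, but the behaviour change needs a changelog or README line telling such users to set SSL_PAGES_KEY_PATH and SSL_PAGES_CERT_PATH explicitly.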
https://github.com/sameersbn/docker-gitlab/pull/1165 should fix this
I merged this on master. It will be available on the next latest tag when the build is finished. So I will close the issue. If the problem still exists, please reopen the issue.
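The `nginx -t` failure in this thread came from `{{...}}` placeholders left behind in the rendered pages vhost. As an added example (not part of the thread and not docker-gitlab's own code), the shell function below lists leftover placeholders in a rendered file so the start-up script can stop before nginx is launched; `find_unrendered`, `sample_config` and `demo` are hypothetical names, and the sample lines are constructed from the config quoted above.

```shell
#!/bin/sh
# Added example: detect {{NAME}} template placeholders that survived rendering.

# Print "line:NAME" for each leftover {{NAME}} token in the file given as $1.
# Comment-only lines are skipped because nginx ignores them.
# Returns 0 if the file is clean, 1 if a placeholder remains, 2 if unreadable.
find_unrendered() {
  [ -r "$1" ] || return 2
  awk '
    /^[[:space:]]*#/ { next }
    {
      line = $0
      while (match(line, /[{][{][A-Za-z_][A-Za-z0-9_]*[}][}]/)) {
        # RSTART/RLENGTH cover the braces; strip two characters on each side.
        print NR ":" substr(line, RSTART + 2, RLENGTH - 4)
        found = 1
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample: directives taken from the vhost pasted in the thread,
# plus one commented-out line to show that comments are not reported.
sample_config() {
  cat <<'EOF'
server_tokens off;
return 301 https://$host:{{GITLAB_PORT}}$request_uri;
ssl_certificate {{SSL_PAGES_CERT_PATH}};
# ssl_dhparam {{SSL_DHPARAM_PATH}};
EOF
}

# Write the sample to a temp file, scan it, and pass the scan status back.
demo() {
  tmp=$(mktemp) || return 2
  sample_config > "$tmp"
  find_unrendered "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo || echo "unrendered placeholders listed above; not starting nginx" >&2
```
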