- How GitLab Pages works
- Prerequisites
- Configuration
- Advanced configuration
- NGINX caveats
- Access control
- Change storage path
- Set maximum Pages size
- Backup
- Security
GitLab Pages administration for self-compiled installations
This document explains how to configure GitLab Pages for self-compiled GitLab installations.
For more information about configuring GitLab Pages for Linux Package installations (recommended), see the Linux package documentation.
The advantage of using the Linux package installation is that it contains the latest supported version of GitLab Pages.
How GitLab Pages works
GitLab Pages makes use of the GitLab Pages daemon, a lightweight HTTP server that listens on an external IP address and provides support for
custom domains and certificates. It supports dynamic certificates through
SNI
and exposes pages using HTTP2 by default.
You are encouraged to read its README
to fully understand how it works.
In the case of custom domains (but not
wildcard domains), the Pages daemon needs to listen on
ports 80
and/or 443
. For that reason, there is some flexibility in the way
which you can set it up:
- Run the Pages daemon in the same server as GitLab, listening on a secondary IP.
- Run the Pages daemon in a separate server. In that case, the Pages path must also be present in the server that the Pages daemon is installed, so you must share it through the network.
- Run the Pages daemon in the same server as GitLab, listening on the same IP but on different ports. In that case, you must proxy the traffic with a load balancer. If you choose that route, you should use TCP load balancing for HTTPS. If you use TLS-termination (HTTPS-load balancing), the pages aren’t able to be served with user-provided certificates. For HTTP, you can use HTTP or TCP load balancing.
In this document, we proceed assuming the first option. If you aren’t supporting custom domains, a secondary IP isn’t needed.
Prerequisites
Before proceeding with the Pages configuration, make sure that:
- You have a separate domain to serve GitLab Pages from. In this document we
assume that to be
example.io
. - You have configured a wildcard DNS record for that domain.
- You have installed the
zip
andunzip
packages in the same server that GitLab is installed because they are needed to compress and decompress the Pages artifacts. - Optional. You have a wildcard certificate for the Pages domain if you
decide to serve Pages (
*.example.io
) under HTTPS. - Optional but recommended. You have configured and enabled the instance runners so your users don’t have to bring their own.
DNS configuration
GitLab Pages expect to run on their own virtual host. In your DNS server/provider
you need to add a wildcard DNS A
record pointing to the
host that GitLab runs. For example, an entry would look like this:
*.example.io. 1800 IN A 192.0.2.1
Where example.io
is the domain to serve GitLab Pages from,
and 192.0.2.1
is the IP address of your GitLab instance.
Configuration
Depending on your needs, you can set up GitLab Pages in 4 different ways. The following options are listed from the easiest setup to the most advanced one. The absolute minimum requirement is to set up the wildcard DNS because that is needed in all configurations.
Wildcard domains
Prerequisites:
URL scheme: http://<namespace>.example.io/<project_slug>
This setup is the minimum you can use Pages with. It is the base for all other setups as described below. NGINX proxies all requests to the daemon. The Pages daemon doesn’t listen to the outside world.
-
Install the Pages daemon:
cd /home/git sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git cd gitlab-pages sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION) sudo -u git -H make
-
Go to the GitLab installation directory:
cd /home/git/gitlab
-
Edit
gitlab.yml
and under thepages
setting, setenabled
totrue
and thehost
to the FQDN to serve GitLab Pages from:## GitLab Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages host: example.io access_control: false port: 8090 https: false artifacts_server: false external_http: ["127.0.0.1:8090"] secret_file: /home/git/gitlab/gitlab-pages-secret
-
Add the following configuration file to
/home/git/gitlab-pages/gitlab-pages.conf
, and be sure to changeexample.io
to the FQDN from which you want to serve GitLab Pages andgitlab.example.com
to the URL of your GitLab instance:listen-http=:8090 pages-root=/home/git/gitlab/shared/pages api-secret-key=/home/git/gitlab/gitlab-pages-secret pages-domain=example.io internal-gitlab-server=https://gitlab.example.com
You may use an
http
address, when running GitLab Pages and GitLab on the same host. If you usehttps
and use a self-signed certificate, be sure to make your custom CA available to GitLab Pages. For example, you can do this by setting theSSL_CERT_DIR
environment variable. -
Add the secret API key:
sudo -u git -H openssl rand -base64 32 > /home/git/gitlab/gitlab-pages-secret
-
To enable the pages daemon:
-
If your system uses systemd as init, run:
sudo systemctl edit gitlab.target
In the editor that opens, add the following and save the file:
[Unit] Wants=gitlab-pages.service
-
If your system uses SysV init instead, edit
/etc/default/gitlab
and setgitlab_pages_enabled
totrue
:gitlab_pages_enabled=true
-
-
Copy the
gitlab-pages
NGINX configuration file:sudo cp lib/support/nginx/gitlab-pages /etc/nginx/sites-available/gitlab-pages.conf sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages.conf
- Restart NGINX.
- Restart GitLab.
Wildcard domains with TLS support
Prerequisites:
- Wildcard DNS setup
- Wildcard TLS certificate
URL scheme: https://<namespace>.example.io/<project_slug>
NGINX proxies all requests to the daemon. Pages daemon doesn’t listen to the outside world.
-
Install the Pages daemon:
cd /home/git sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git cd gitlab-pages sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION) sudo -u git -H make
-
In
gitlab.yml
, set the port to443
and https totrue
:## GitLab Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages host: example.io port: 443 https: true
-
Edit
/etc/default/gitlab
and setgitlab_pages_enabled
totrue
in order to enable the pages daemon. Ingitlab_pages_options
the-pages-domain
must match thehost
setting that you set above. The-root-cert
and-root-key
settings are the wildcard TLS certificates of theexample.io
domain:gitlab_pages_enabled=true gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -root-cert /path/to/example.io.crt -root-key /path/to/example.io.key"
-
Copy the
gitlab-pages-ssl
NGINX configuration file:sudo cp lib/support/nginx/gitlab-pages-ssl /etc/nginx/sites-available/gitlab-pages-ssl.conf sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages-ssl.conf
- Restart NGINX.
- Restart GitLab.
Advanced configuration
In addition to the wildcard domains, you can also have the option to configure GitLab Pages to work with custom domains. Again, there are two options here: support custom domains with and without TLS certificates. The easiest setup is that without TLS certificates.
Custom domains
Prerequisites:
- Wildcard DNS setup
- Secondary IP
URL scheme: http://<namespace>.example.io/<project_slug>
and http://custom-domain.com
In that case, the pages daemon is running. NGINX still proxies requests to the daemon, but the daemon is also able to receive requests from the outside world. Custom domains are supported, but no TLS.
-
Install the Pages daemon:
cd /home/git sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git cd gitlab-pages sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION) sudo -u git -H make
-
Edit
gitlab.yml
to look like the example below. You need to change thehost
to the FQDN to serve GitLab Pages from. Setexternal_http
to the secondary IP on which the pages daemon listens for connections:pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages host: example.io port: 80 https: false external_http: 192.0.2.2:80
-
To enable the daemon, edit
/etc/default/gitlab
and setgitlab_pages_enabled
totrue
. Ingitlab_pages_options
, the value for-pages-domain
must match thehost
and-listen-http
must match theexternal_http
:gitlab_pages_enabled=true gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 192.0.2.2:80"
-
Copy the
gitlab-pages-ssl
NGINX configuration file:sudo cp lib/support/nginx/gitlab-pages /etc/nginx/sites-available/gitlab-pages.conf sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages.conf
- Edit all GitLab related configurations in
/etc/nginx/site-available/
and replace0.0.0.0
with192.0.2.1
, where192.0.2.1
the primary IP where GitLab listens to. - Restart NGINX.
- Restart GitLab.
Custom domains with TLS support
Prerequisites:
- Wildcard DNS setup
- Wildcard TLS certificate
- Secondary IP
URL scheme: https://<namespace>.example.io/<project_slug>
and https://custom-domain.com
In that case, the pages daemon is running. NGINX still proxies requests to the daemon, but the daemon is also able to receive requests from the outside world. Custom domains and TLS are supported.
-
Install the Pages daemon:
cd /home/git sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git cd gitlab-pages sudo -u git -H git checkout v$(</home/git/gitlab/GITLAB_PAGES_VERSION) sudo -u git -H make
-
Edit
gitlab.yml
to look like the example below. You need to change thehost
to the FQDN to serve GitLab Pages from. Setexternal_http
andexternal_https
to the secondary IP on which the pages daemon listens for connections:## GitLab Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages host: example.io port: 443 https: true external_http: 192.0.2.2:80 external_https: 192.0.2.2:443
-
Edit
/etc/default/gitlab
and setgitlab_pages_enabled
totrue
in order to enable the pages daemon. Ingitlab_pages_options
, you must match the-pages-domain
withhost
,-listen-http
withexternal_http
, and-listen-https
withexternal_https
settings. The-root-cert
and-root-key
settings are the wildcard TLS certificates of theexample.io
domain:gitlab_pages_enabled=true gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 192.0.2.2:80 -listen-https 192.0.2.2:443 -root-cert /path/to/example.io.crt -root-key /path/to/example.io.key"
-
Copy the
gitlab-pages-ssl
NGINX configuration file:sudo cp lib/support/nginx/gitlab-pages-ssl /etc/nginx/sites-available/gitlab-pages-ssl.conf sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages-ssl.conf
- Edit all GitLab related configurations in
/etc/nginx/site-available/
and replace0.0.0.0
with192.0.2.1
, where192.0.2.1
the primary IP where GitLab listens to. - Restart NGINX.
- Restart GitLab.
NGINX caveats
Be extra careful when setting up the domain name in the NGINX configuration. You must not remove the backslashes.
If your GitLab Pages domain is example.io
, replace:
server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;
with:
server_name ~^.*\.example\.io$;
If you are using a subdomain, make sure to escape all dots (.
) except from
the first one with a backslash (). For example pages.example.io
would be:
server_name ~^.*\.pages\.example\.io$;
Access control
GitLab Pages access control can be configured per project. Access to a Pages site can be controlled based on a user’s membership to that project.
Access control works by registering the Pages daemon as an OAuth application with GitLab. Whenever a request to access a private Pages site is made by an unauthenticated user, the Pages daemon redirects the user to GitLab. If authentication is successful, the user is redirected back to Pages with a token, which is persisted in a cookie. The cookies are signed with a secret key, so tampering can be detected.
Each request to view a resource in a private site is authenticated by Pages using that token. For each request it receives, it makes a request to the GitLab API to check that the user is authorized to read that site.
Access Control parameters for Pages are set in a configuration file, which
by convention is named gitlab-pages-config
. The configuration file is passed to
pages using the -config flag
or CONFIG
environment variable.
Pages access control is disabled by default. To enable it:
-
Modify your
config/gitlab.yml
file:pages: access_control: true
- Restart GitLab.
- Create a new system OAuth application.
This should be called
GitLab Pages
and have aRedirect URL
ofhttps://projects.example.io/auth
. It does not need to be a “trusted” application, but it does need theapi
scope. -
Start the Pages daemon by passing a configuration file with the following arguments:
auth-client-id=<OAuth Application ID generated by GitLab> auth-client-secret=<OAuth code generated by GitLab> auth-redirect-uri='http://projects.example.io/auth' auth-secret=<40 random hex characters> auth-server=<URL of the GitLab instance>
- Users can now configure it in their projects’ settings.
Change storage path
Follow the steps below to change the default path where GitLab Pages’ contents are stored.
-
Pages are stored by default in
/home/git/gitlab/shared/pages
. If you wish to store them in another location you must set it up ingitlab.yml
under thepages
section:pages: enabled: true # The location where pages are stored (default: shared/pages). path: /mnt/storage/pages
Set maximum Pages size
The default for the maximum size of unpacked archives per project is 100 MB.
To change this value:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Preferences.
- Expand Pages.
- Update the value for Maximum size of pages (MB).
Backup
Pages are part of the regular backup so there is nothing to configure.
Security
You should strongly consider running GitLab Pages under a different hostname than GitLab to prevent XSS attacks.