Tweaks for GitLab

GitLab with apache2

GitLab can be put behind Apache instead of nginx. The instructions in the gitlab-recipes repository are wrong on one point: Apache's mod_proxy has supported proxying to UNIX domain sockets since httpd 2.4.7, so there is no need to change any GitLab configuration to make gitlab-workhorse listen on TCP. Keeping the socket also means no additional unauthenticated TCP listener is exposed on the host.

Enable the required modules (proxy_http pulls in proxy as a dependency; it is listed here to be explicit):

a2enmod rewrite ssl proxy proxy_http headers

An example Apache configuration follows, using Let's Encrypt certificates (the included options-ssl-apache.conf turns on SSLEngine and sets the cipher policy) and an HTTP to HTTPS redirect. Replace the YOUR_SERVER_FQDN string with your domain (e.g. git.example.org).

<VirtualHost *:80>
        ServerName YOUR_SERVER_FQDN
        Redirect / https://YOUR_SERVER_FQDN/
</VirtualHost>

<VirtualHost *:443>
        SSLCertificateFile    /etc/letsencrypt/live/YOUR_SERVER_FQDN/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_SERVER_FQDN/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        # HSTS: the header name takes no trailing colon; "always" applies it to
        # error and proxied responses as well, "set" avoids a duplicate if the
        # backend already sends one.
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
        ProxyPreserveHost On

        ServerName YOUR_SERVER_FQDN

        # Ensure that encoded slashes are not decoded but left in their encoded state.
        # http://doc.gitlab.com/ce/api/projects.html#get-single-project
        AllowEncodedSlashes NoDecode

        <Location />
                Require all granted
                ProxyPassReverse https://YOUR_SERVER_FQDN/
        </Location>

        RewriteEngine on
        #Forward all requests to gitlab-workhorse except existing files like error documents
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
        RewriteCond %{REQUEST_URI} ^/uploads/.*
        RewriteRule .* unix:/run/gitlab/gitlab-workhorse.socket|http://YOUR_SERVER_FQDN%{REQUEST_URI} [P,QSA,NE]

        # Tell gitlab-workhorse and Rails that the client connection was TLS,
        # using the standard header spelling.
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Ssl on

        # needed for downloading attachments
        DocumentRoot /var/lib/gitlab/public

        # Apache error documents: if the backend is down (503) a static maintenance page is served from DocumentRoot.
        ErrorDocument 404 /404.html
        ErrorDocument 422 /422.html
        ErrorDocument 500 /500.html
        ErrorDocument 502 /502.html
        ErrorDocument 503 /503.html

        # %{X-Forwarded-For}i is whatever the client sent and is only meaningful
        # (or trustworthy) if another proxy you control sits in front of this
        # Apache; %a is the address of the peer that actually connected.
        LogFormat "%a %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
        ErrorLog /var/log/apache2/YOUR_SERVER_FQDN_error.log
        CustomLog /var/log/apache2/YOUR_SERVER_FQDN_forwarded.log common_forwarded
        CustomLog /var/log/apache2/YOUR_SERVER_FQDN_access.log combined
</VirtualHost>
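The script below is an added example (not from this wiki page, Debian or GitLab) that smoke-tests the vhost from the client side with curl: the plain-HTTP redirect, the HSTS header, and that an encoded slash in an API project path actually reaches GitLab (with AllowEncodedSlashes NoDecode GitLab answers a bogus project in JSON; without it Apache rejects the URL itself with a text/html 404). It assumes curl and awk are installed; the hostname is passed as the first argument and the project path is deliberately non-existent. Each check_* function reads raw response headers from stdin, so the same functions can be run against captured text.

```shell
#!/bin/sh
# Client-side smoke test for an Apache vhost proxying to GitLab.
# Added example, not from the wiki page, Debian or GitLab. Assumes curl and
# awk; the hostname is $1 and the API project path below is deliberately
# bogus. Each check_* function reads raw response headers (as printed by
# `curl -s -o /dev/null -D -`) from stdin and returns 0 on pass, 1 on fail.

# Print the value of header $1 (case-insensitive) from headers on stdin.
header_value() {
    tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") > 1 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                value = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", value)
                print value
                exit
            }
        }'
}

# Print the HTTP status code from the first line of headers on stdin.
status_code() {
    tr -d '\r' | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }'
}

# Plain HTTP must answer only with a redirect to https://<fqdn>/ ($1 = fqdn).
check_redirect() {
    hdrs=$(cat)
    code=$(printf '%s\n' "$hdrs" | status_code)
    loc=$(printf '%s\n' "$hdrs" | header_value Location)
    case "$code" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$loc" in "https://$1/"*) return 0 ;; *) return 1 ;; esac
}

# HTTPS responses must carry HSTS with at least the six months (15768000 s)
# configured in the vhost.
check_hsts() {
    sts=$(header_value Strict-Transport-Security)
    [ -n "$sts" ] || return 1
    age=$(printf '%s\n' "$sts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 15768000 ]
}

# With AllowEncodedSlashes NoDecode the %2F in an API project path reaches
# GitLab, which answers in JSON (404 Project Not Found for a bogus project).
# Without it Apache rejects the URL itself with a text/html 404.
check_encoded_slash() {
    ct=$(header_value Content-Type)
    case "$ct" in application/json*) return 0 ;; *) return 1 ;; esac
}

# GET the URL, discard the body, print the response headers.
fetch_headers() {
    curl -s -o /dev/null -D - "$1"
}

main() {
    fqdn=$1
    [ -n "$fqdn" ] || { echo "usage: $0 FQDN" >&2; return 2; }
    rc=0
    fetch_headers "http://$fqdn/" | check_redirect "$fqdn" \
        && echo "redirect to https: ok" || { echo "redirect to https: FAIL"; rc=1; }
    fetch_headers "https://$fqdn/users/sign_in" | check_hsts \
        && echo "hsts: ok" || { echo "hsts: FAIL"; rc=1; }
    fetch_headers "https://$fqdn/api/v4/projects/no-such-group%2Fno-such-project" \
        | check_encoded_slash && echo "encoded slash passthrough: ok" \
        || { echo "encoded slash passthrough: FAIL"; rc=1; }
    return $rc
}

# Run the live checks only when a hostname is given, so the file can also be
# sourced to reuse the functions against captured headers.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh gitlab-proxy-check.sh git.example.org` after reloading Apache; a failing encoded-slash check with an otherwise working instance almost always means AllowEncodedSlashes NoDecode is missing or sits in the wrong vhost.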

Reduce memory usage on small instances

Run Puma in single process mode

By default, Puma runs in cluster mode with three dedicated worker processes. According to some measurements, up to 250MB of memory can be reclaimed by disabling cluster mode in favour of a single process.

Cluster mode is disabled in the configuration file /etc/gitlab/puma.rb (workers 0 is Puma's single mode). Look for the following line:

workers 3

and replace it with:

workers 0

Once the configuration change is made, restart Puma with:

# service gitlab-puma restart

Instability warning

GitLab appears to be well supported only with Puma in cluster mode. If you get HTTP 500 errors after this change, especially gitlab-workhorse failures, setting workers to 1 instead of 0 may fix it. Note that workers 1 is still cluster mode (a master process plus one worker), not single mode, so the memory saving is smaller.
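To check which mode Puma actually ended up in and to measure the saving the section above promises, the following added example (not part of this wiki page or of the Debian gitlab package) reads `ps` output and reports the mode and the total resident memory of the Puma processes. It relies on the process titles Puma sets for itself: "puma <version> (<bind>) [gitlab]" for the master or single process and "puma: cluster worker N: <pid> [gitlab]" for each worker; run it before and after editing /etc/gitlab/puma.rb and restarting gitlab-puma.

```shell
#!/bin/sh
# Report Puma's process mode and total RSS from `ps -eo rss=,args=` output.
# Added example, not part of the wiki page or the Debian gitlab package.
# Assumes Puma's own process titles: "puma <version> (<bind>) [gitlab]" for
# the master/single process, "puma: cluster worker N: <pid> [gitlab]" per worker.
# Usage: sh puma-report.sh --live        (or pipe saved ps output into puma_report)

# Count "puma: cluster worker" lines in "RSS ARGS" input on stdin.
puma_workers() {
    awk '$2 == "puma:" && $3 == "cluster" && $4 == "worker" { n++ } END { print n + 0 }'
}

# Sum the RSS column (KiB) of every line whose command starts with "puma".
puma_rss_kib() {
    awk '$2 ~ /^puma/ { total += $1 } END { print total + 0 }'
}

# Map a worker count to the Puma mode. workers 1 is still cluster mode
# (a master plus one worker), which is what the instability note suggests.
puma_mode() {
    case "$1" in
        0) echo single ;;
        1) echo "cluster (1 worker)" ;;
        *) echo "cluster ($1 workers)" ;;
    esac
}

# Read ps output once from stdin and print mode and memory use.
puma_report() {
    ps_out=$(cat)
    workers=$(printf '%s\n' "$ps_out" | puma_workers)
    rss=$(printf '%s\n' "$ps_out" | puma_rss_kib)
    if [ "$rss" -eq 0 ]; then
        echo "no puma processes found"
        return 1
    fi
    printf 'mode: %s\nrss: %s KiB (%s MiB)\n' \
        "$(puma_mode "$workers")" "$rss" "$((rss / 1024))"
}

# Only touch the live process table when asked to, so the file can also be
# sourced for its functions.
if [ "$1" = "--live" ]; then
    ps -eo rss=,args= | puma_report
fi
```

Compare the RSS totals of the two runs; the difference is the saving on your instance rather than the 250MB figure quoted above.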

gitlab/tweaks (last modified 2023-03-15 19:43:50)