= Tweaks for GitLab =
== GitLab with apache2 ==
GitLab can use Apache instead of nginx.
The instructions in the [[https://gitlab.com/gitlab-org/gitlab-recipes/-/tree/master/web-server/apache|gitlab-recipes repository]] are wrong: Apache supports proxying to UNIX sockets, so there is no need to change any GitLab configuration to use TCP.
Basically you will have to:
 * disable nginx
 * enable apache modules:
   * mod_rewrite
   * mod_ssl (if needed)
   * mod_proxy
   * mod_proxy_http
   * mod_headers
 * add/modify apache configuration file
{{{
a2enmod rewrite ssl proxy_http headers
}}}
See below for an example Apache configuration file (using Let's Encrypt SSL certificates and an HTTP to HTTPS redirect). Replace the YOUR_SERVER_FQDN string with your domain (e.g. git.example.org).
{{{
# Plain HTTP: redirect everything to HTTPS (standard ports 80/443 assumed)
<VirtualHost *:80>
  ServerName YOUR_SERVER_FQDN
  Redirect / https://YOUR_SERVER_FQDN/
</VirtualHost>

# HTTPS: terminate TLS and proxy to gitlab-workhorse over its UNIX socket
<VirtualHost *:443>
  SSLCertificateFile /etc/letsencrypt/live/YOUR_SERVER_FQDN/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_SERVER_FQDN/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  ProxyPreserveHost On
  ServerName YOUR_SERVER_FQDN
  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode
  <Location />
    Require all granted
    ProxyPassReverse https://YOUR_SERVER_FQDN/
  </Location>
  RewriteEngine on
  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* unix:/run/gitlab/gitlab-workhorse.socket|http://YOUR_SERVER_FQDN%{REQUEST_URI} [P,QSA,NE]
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on
  # needed for downloading attachments
  DocumentRoot /var/lib/gitlab/public
  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/apache2/YOUR_SERVER_FQDN_error.log
  CustomLog /var/log/apache2/YOUR_SERVER_FQDN_forwarded.log common_forwarded
  CustomLog /var/log/apache2/YOUR_SERVER_FQDN_access.log combined env=!dontlog
  CustomLog /var/log/apache2/YOUR_SERVER_FQDN.log combined
</VirtualHost>
}}}
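An added example, not part of the original page or of the gitlab-recipes project: a small shell check that a deployed vhost file still contains the directives the configuration above relies on. The function name `audit_vhost`, the label texts and the sample file using `git.example.org` are constructed for illustration.

```shell
#!/bin/sh
# audit_vhost FILE: print one line per missing directive; return 1 if any.
audit_vhost() {
    conf=$1
    rc=0
    # Each heredoc line is "label=ERE". Apache directive names are
    # case-insensitive, hence grep -i.
    while IFS='=' read -r label re; do
        # Drop commented-out lines so a disabled directive does not count.
        if ! grep -v '^[[:space:]]*#' "$conf" | grep -Eiq "$re"; then
            echo "MISSING: $label"
            rc=1
        fi
    done <<'EOF'
HTTP to HTTPS redirect=^[[:space:]]*Redirect([[:space:]]+[a-z0-9]+)?[[:space:]]+/[[:space:]]+https://
HSTS response header=^[[:space:]]*Header[[:space:]].*Strict-Transport-Security
AllowEncodedSlashes NoDecode=^[[:space:]]*AllowEncodedSlashes[[:space:]]+NoDecode
proxy to workhorse UNIX socket=^[[:space:]]*RewriteRule[[:space:]].*unix:/[^ ]*socket[|]http://.*\[.*P
X_FORWARDED_PROTO https=^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X[-_]Forwarded[-_]Proto[[:space:]]+.?https
EOF
    return $rc
}

# Constructed sample: a trimmed copy of the vhost above with HSTS commented
# out and AllowEncodedSlashes removed, to show what the audit reports.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:80>
  ServerName git.example.org
  Redirect / https://git.example.org/
</VirtualHost>
<VirtualHost *:443>
  ServerName git.example.org
  # Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  RewriteEngine on
  RewriteRule .* unix:/run/gitlab/gitlab-workhorse.socket|http://git.example.org%{REQUEST_URI} [P,QSA,NE]
  RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>
EOF
audit_vhost "$sample" || echo "audit failed for $sample"
```

The check is line-based: it confirms a directive is present and active, not which VirtualHost it sits in, so `apachectl configtest` is still needed for syntax.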
== Reduce memory usage on small instances ==
=== Run puma in single process mode ===
By default, [[puma]] is run in cluster mode, with three dedicated workers. According to [[https://gitlab.com/gitlab-org/application-performance-team/memory-team-2gb-week/-/issues/2#note_449139363|some measurements]] you can reclaim up to 250MB of memory by disabling this cluster mode in favour of a single process.
Disabling puma cluster mode is done in the configuration file '''/etc/gitlab/puma.rb'''. Look for the following line:
{{{
workers 3
}}}
and replace it with:
{{{
workers 0
}}}
Once the change in configuration is done, you need to restart puma with:
{{{
# service gitlab-puma restart
}}}
==== Instability warning ====
GitLab seems to be well supported only with Puma in cluster mode. If you get HTTP 500 errors after this change, especially gitlab-workhorse failures, setting '''workers''' to '''1''' instead of '''0''' might fix them.