index.md 15.7 KB
Newer Older
1 2 3 4
---
description: 'Learn how to administer GitLab Pages.'
---

5
# GitLab Pages administration
6 7

> **Notes:**
8 9 10 11 12 13
> - [Introduced][ee-80] in GitLab EE 8.3.
> - Custom CNAMEs with TLS support were [introduced][ee-173] in GitLab EE 8.5.
> - GitLab Pages [were ported][ce-14605] to Community Edition in GitLab 8.17.
> - This guide is for Omnibus GitLab installations. If you have installed
>   GitLab from source, follow the [Pages source installation document](source.md).
> - To learn how to use GitLab Pages, read the [user documentation][pages-userguide].
14
> - Support for subgroup project's websites was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/30548) in GitLab 11.8.
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

This document describes how to set up the _latest_ GitLab Pages feature. Make
sure to read the [changelog](#changelog) if you are upgrading to a new GitLab
version as it may include new features and changes needed to be made in your
configuration.

## Overview

GitLab Pages makes use of the [GitLab Pages daemon], a simple HTTP server
written in Go that can listen on an external IP address and provide support for
custom domains and custom certificates. It supports dynamic certificates through
SNI and exposes pages using HTTP2 by default.
You are encouraged to read its [README][pages-readme] to fully understand how
it works.

30 31 32
In the case of [custom domains](#custom-domains) (but not
[wildcard domains](#wildcard-domains)), the Pages daemon needs to listen on
ports `80` and/or `443`. For that reason, there is some flexibility in the way
B
Ben Bodenmiller 已提交
33
which you can set it up:
34

B
Ben Bodenmiller 已提交
35 36
1. Run the Pages daemon in the same server as GitLab, listening on a secondary IP.
1. Run the Pages daemon in a separate server. In that case, the
37
   [Pages path](#change-storage-path) must also be present in the server that
B
Ben Bodenmiller 已提交
38 39
   the Pages daemon is installed, so you will have to share it via network.
1. Run the Pages daemon in the same server as GitLab, listening on the same IP
40 41 42 43 44 45
   but on different ports. In that case, you will have to proxy the traffic with
   a loadbalancer. If you choose that route note that you should use TCP load
   balancing for HTTPS. If you use TLS-termination (HTTPS-load balancing) the
   pages will not be able to be served with user provided certificates. For
   HTTP it's OK to use HTTP or TCP load balancing.

B
Ben Bodenmiller 已提交
46 47
In this document, we will proceed assuming the first option. If you are not
supporting custom domains a secondary IP is not needed.
48 49 50 51 52

## Prerequisites

Before proceeding with the Pages configuration, you will need to:

53 54
1. Have an exclusive root domain for serving GitLab Pages. Note that you cannot
   use a subdomain of your GitLab's instance domain.
55 56 57
1. Configure a **wildcard DNS record**.
1. (Optional) Have a **wildcard certificate** for that domain if you decide to
   serve Pages under HTTPS.
58
1. (Optional but recommended) Enable [Shared runners](../../ci/runners/README.md)
59
   so that your users don't have to bring their own.
B
Ben Bodenmiller 已提交
60
1. (Only for custom domains) Have a **secondary IP**.
61

62 63 64
NOTE: **Note:**
If your GitLab instance and the Pages daemon are deployed in a private network or behind a firewall, your GitLab Pages websites will only be accessible to devices/users that have access to the private network.

65 66 67 68 69 70 71 72 73 74 75 76
### Add the domain to the Public Suffix List

The [Public Suffix List](https://publicsuffix.org) is used by browsers to
decide how to treat subdomains. If your GitLab instance allows members of the
public to create GitLab Pages sites, it also allows those users to create
subdomains on the pages domain (`example.io`). Adding the domain to the Public
Suffix List prevents browsers from accepting
[supercookies](https://en.wikipedia.org/wiki/HTTP_cookie#Supercookie),
among other things.

Follow [these instructions](https://publicsuffix.org/submit/) to submit your
GitLab Pages subdomain. For instance, if your domain is `example.io`, you should
77 78
request that `example.io` is added to the Public Suffix List. GitLab.com
added `gitlab.io` [in 2016](https://gitlab.com/gitlab-com/infrastructure/issues/230).
79

80 81 82 83 84 85 86
### DNS configuration

GitLab Pages expect to run on their own virtual host. In your DNS server/provider
you need to add a [wildcard DNS A record][wiki-wildcard-dns] pointing to the
host that GitLab runs. For example, an entry would look like this:

```
N
Natho 已提交
87
*.example.io. 1800 IN A    192.0.2.1
88
*.example.io. 1800 IN AAAA 2001::1
89 90 91
```

where `example.io` is the domain under which GitLab Pages will be served
N
Natho 已提交
92
and `192.0.2.1` is the IPv4 address of your GitLab instance and `2001::1` is the
93
IPv6 address. If you don't have IPv6, you can omit the AAAA record.
94

E
Evan Read 已提交
95 96
NOTE: **Note:**
You should not use the GitLab domain to serve user pages. For more information see the [security section](#security).
97 98 99 100 101

[wiki-wildcard-dns]: https://en.wikipedia.org/wiki/Wildcard_DNS_record

## Configuration

102 103 104 105
Depending on your needs, you can set up GitLab Pages in 4 different ways.
The following options are listed from the easiest setup to the most
advanced one. The absolute minimum requirement is to set up the wildcard DNS
since that is needed in all configurations.
106

107
### Wildcard domains
108

E
Evan Read 已提交
109 110 111 112 113 114 115
**Requirements:**

- [Wildcard DNS setup](#dns-configuration)

---

URL scheme: `http://page.example.io`
116

117 118 119
This is the minimum setup that you can use Pages with. It is the base for all
other setups as described below. Nginx will proxy all requests to the daemon.
The Pages daemon doesn't listen to the outside world.
120

121
1. Set the external URL for GitLab Pages in `/etc/gitlab/gitlab.rb`:
122

A
Alexander Tanayno 已提交
123
    ```shell
124
    pages_external_url 'http://example.io'
125 126 127
    ```

1. [Reconfigure GitLab][reconfigure]
128

M
Marcia Ramos 已提交
129 130
Watch the [video tutorial][video-admin] for this configuration.

131
### Wildcard domains with TLS support
132

E
Evan Read 已提交
133 134 135 136 137 138 139 140
**Requirements:**

- [Wildcard DNS setup](#dns-configuration)
- Wildcard TLS certificate

---

URL scheme: `https://page.example.io`
141

142 143
Nginx will proxy all requests to the daemon. Pages daemon doesn't listen to the
outside world.
144

145 146
1. Place the certificate and key inside `/etc/gitlab/ssl`
1. In `/etc/gitlab/gitlab.rb` specify the following configuration:
147

A
Alexander Tanayno 已提交
148
    ```shell
149 150 151 152 153
    pages_external_url 'https://example.io'

    pages_nginx['redirect_http_to_https'] = true
    pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/pages-nginx.crt"
    pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
154 155
    ```

156 157
    where `pages-nginx.crt` and `pages-nginx.key` are the SSL cert and key,
    respectively.
158 159 160

1. [Reconfigure GitLab][reconfigure]

161
## Advanced configuration
162

163 164 165
In addition to the wildcard domains, you can also have the option to configure
GitLab Pages to work with custom domains. Again, there are two options here:
support custom domains with and without TLS certificates. The easiest setup is
166 167
that without TLS certificates. In either case, you'll need a secondary IP. If
you have IPv6 as well as IPv4 addresses, you can use them both.
168

169
### Custom domains
170

E
Evan Read 已提交
171 172 173 174 175 176 177 178
**Requirements:**

- [Wildcard DNS setup](#dns-configuration)
- Secondary IP

---

URL scheme: `http://page.example.io` and `http://domain.com`
179

B
Ben Bodenmiller 已提交
180
In that case, the Pages daemon is running, Nginx still proxies requests to
181 182
the daemon but the daemon is also able to receive requests from the outside
world. Custom domains are supported, but no TLS.
183

184 185
1. Edit `/etc/gitlab/gitlab.rb`:

A
Alexander Tanayno 已提交
186
    ```shell
187
    pages_external_url "http://example.io"
N
Natho 已提交
188
    nginx['listen_addresses'] = ['192.0.2.1']
189
    pages_nginx['enable'] = false
N
Natho 已提交
190
    gitlab_pages['external_http'] = ['192.0.2.2:80', '[2001::2]:80']
191 192
    ```

N
Natho 已提交
193 194
    where `192.0.2.1` is the primary IP address that GitLab is listening to and
    `192.0.2.2` and `2001::2` are the secondary IPs the GitLab Pages daemon
195
    listens on. If you don't have IPv6, you can omit the IPv6 address.
196 197 198

1. [Reconfigure GitLab][reconfigure]

199
### Custom domains with TLS support
200

E
Evan Read 已提交
201 202 203 204 205 206 207 208 209
**Requirements:**

- [Wildcard DNS setup](#dns-configuration)
- Wildcard TLS certificate
- Secondary IP

---

URL scheme: `https://page.example.io` and `https://domain.com`
210

B
Ben Bodenmiller 已提交
211
In that case, the Pages daemon is running, Nginx still proxies requests to
212 213
the daemon but the daemon is also able to receive requests from the outside
world. Custom domains and TLS are supported.
214

215
1. Edit `/etc/gitlab/gitlab.rb`:
216

A
Alexander Tanayno 已提交
217
    ```shell
218
    pages_external_url "https://example.io"
N
Natho 已提交
219
    nginx['listen_addresses'] = ['192.0.2.1']
220 221 222
    pages_nginx['enable'] = false
    gitlab_pages['cert'] = "/etc/gitlab/ssl/example.io.crt"
    gitlab_pages['cert_key'] = "/etc/gitlab/ssl/example.io.key"
N
Natho 已提交
223 224
    gitlab_pages['external_http'] = ['192.0.2.2:80', '[2001::2]:80']
    gitlab_pages['external_https'] = ['192.0.2.2:443', '[2001::2]:443']
225 226
    ```

N
Natho 已提交
227 228
    where `192.0.2.1` is the primary IP address that GitLab is listening to and
    `192.0.2.2` and `2001::2` are the secondary IPs where the GitLab Pages daemon
229
    listens on. If you don't have IPv6, you can omit the IPv6 address.
230

231 232
1. [Reconfigure GitLab][reconfigure]

233 234 235 236 237 238 239 240 241 242 243 244
### Custom domain verification

To prevent malicious users from hijacking domains that don't belong to them,
GitLab supports [custom domain verification](../../user/project/pages/getting_started_part_three.md#dns-txt-record).
When adding a custom domain, users will be required to prove they own it by
adding a GitLab-controlled verification code to the DNS records for that domain.

If your userbase is private or otherwise trusted, you can disable the
verification requirement. Navigate to `Admin area ➔ Settings` and uncheck
**Require users to prove ownership of custom domains** in the Pages section.
This setting is enabled by default.

245 246
### Access control

247 248 249
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.

GitLab Pages access control can be configured per-project, and allows access to a Pages
250 251 252 253 254 255 256 257 258 259 260 261 262
site to be controlled based on a user's membership to that project.

Access control works by registering the Pages daemon as an OAuth application
with GitLab. Whenever a request to access a private Pages site is made by an
unauthenticated user, the Pages daemon redirects the user to GitLab. If
authentication is successful, the user is redirected back to Pages with a token,
which is persisted in a cookie. The cookies are signed with a secret key, so
tampering can be detected.

Each request to view a resource in a private site is authenticated by Pages
using that token. For each request it receives, it makes a request to the GitLab
API to check that the user is authorized to read that site.

263
Pages access control is disabled by default. To enable it:
264

265
1. Enable it in `/etc/gitlab/gitlab.rb`:
266 267 268 269 270

    ```ruby
    gitlab_pages['access_control'] = true
    ```

271 272
1. [Reconfigure GitLab][reconfigure].
1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
273

274 275 276 277 278 279 280 281 282 283 284
## Activate verbose logging for daemon

Verbose logging was [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2533) in
Omnibus GitLab 11.1.

Follow the steps below to configure verbose logging of GitLab Pages daemon.

1. By default the daemon only logs with `INFO` level.
   If you wish to make it log events with level `DEBUG` you must configure this in
   `/etc/gitlab/gitlab.rb`:

285 286 287
    ```shell
    gitlab_pages['log_verbose'] = true
    ```
288 289 290

1. [Reconfigure GitLab][reconfigure]

291 292 293 294
## Change storage path

Follow the steps below to change the default path where GitLab Pages' contents
are stored.
295

296 297 298
1. Pages are stored by default in `/var/opt/gitlab/gitlab-rails/shared/pages`.
   If you wish to store them in another location you must set it up in
   `/etc/gitlab/gitlab.rb`:
299

300 301 302
    ```shell
    gitlab_rails['pages_path'] = "/mnt/storage/pages"
    ```
303 304

1. [Reconfigure GitLab][reconfigure]
M
maxmeyer 已提交
305 306 307 308 309 310 311 312

## Configure listener for reverse proxy requests

Follow the steps below to configure the proxy listener of GitLab Pages. [Introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2533) in
Omnibus GitLab 11.1.

1. By default the listener is configured to listen for requests on `localhost:8090`.

313 314
    If you wish to disable it you must configure this in
    `/etc/gitlab/gitlab.rb`:
315

316 317 318
    ```shell
    gitlab_pages['listen_proxy'] = nil
    ```
M
maxmeyer 已提交
319

320 321
    If you wish to make it listen on a different port you must configure this also in
    `/etc/gitlab/gitlab.rb`:
M
maxmeyer 已提交
322

323 324 325
    ```shell
    gitlab_pages['listen_proxy'] = "localhost:10080"
    ```
M
maxmeyer 已提交
326 327

1. [Reconfigure GitLab][reconfigure]
328

329
## Set maximum pages size
330

331 332 333
The maximum size of the unpacked archive per project can be configured in the
Admin area under the Application settings in the **Maximum size of pages (MB)**.
The default is 100MB.
334

335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370
## Running GitLab Pages in a separate server

You may want to run GitLab Pages daemon on a separate server in order to decrease the load on your main application server.
Follow the steps below to configure GitLab Pages in a separate server.

1. Suppose you have the main GitLab application server named `app1`. Prepare 
new Linux server (let's call it `app2`), create NFS share there and configure access to 
this share from `app1`. Let's use the default GitLab Pages folder `/var/opt/gitlab/gitlab-rails/shared/pages` 
as the shared folder on `app2` and mount it to `/mnt/pages` on `app1`.

1. On `app2` install GitLab omnibus and modify `/etc/gitlab/gitlab.rb` this way:

    ```shell
    external_url 'http://<ip-address-of-the-server>'
    pages_external_url "http://<your-pages-domain>"
    postgresql['enable'] = false
    redis['enable'] = false
    prometheus['enable'] = false
    unicorn['enable'] = false
    sidekiq['enable'] = false
    gitlab_workhorse['enable'] = false
    gitaly['enable'] = false
    alertmanager['enable'] = false
    node_exporter['enable'] = false
    ```
1. Run `sudo gitlab-ctl reconfigure`.
1. On `app1` apply the following changes to `/etc/gitlab/gitlab.rb`:

    ```shell
    gitlab_pages['enable'] = false
    pages_external_url "http://<your-pages-domain>"
    gitlab_rails['pages_path'] = "/mnt/pages"
    ```
    
1. Run `sudo gitlab-ctl reconfigure`.

371 372 373 374 375 376 377 378 379
## Backup

Pages are part of the [regular backup][backup] so there is nothing to configure.

## Security

You should strongly consider running GitLab pages under a different hostname
than GitLab to prevent XSS attacks.

380 381 382 383 384 385 386 387 388 389
## Changelog

GitLab Pages were first introduced in GitLab EE 8.3. Since then, many features
where added, like custom CNAME and TLS support, and many more are likely to
come. Below is a brief changelog. If no changes were introduced or a version is
missing from the changelog, assume that the documentation is the same as the
latest previous version.

---

E
Evan Read 已提交
390
**GitLab 8.17 ([documentation](https://gitlab.com/gitlab-org/gitlab-ce/blob/8-17-stable/doc/administration/pages/index.md))**
391

392
- GitLab Pages were ported to Community Edition in GitLab 8.17.
393 394
- Documentation was refactored to be more modular and easy to follow.

E
Evan Read 已提交
395
**GitLab 8.5 ([documentation](https://gitlab.com/gitlab-org/gitlab-ee/blob/8-5-stable-ee/doc/pages/administration.md))**
396 397 398 399 400 401 402 403

- In GitLab 8.5 we introduced the [gitlab-pages][] daemon which is now the
  recommended way to set up GitLab Pages.
- The [NGINX configs][] have changed to reflect this change. So make sure to
  update them.
- Custom CNAME and TLS certificates support.
- Documentation was moved to one place.

E
Evan Read 已提交
404
**GitLab 8.3 ([documentation](https://gitlab.com/gitlab-org/gitlab-ee/blob/8-3-stable-ee/doc/pages/administration.md))**
405 406 407

- GitLab Pages feature was introduced.

408
[backup]: ../../raketasks/backup_restore.md
409
[ce-14605]: https://gitlab.com/gitlab-org/gitlab-ce/issues/14605
410 411 412 413 414 415
[ee-80]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/80
[ee-173]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/173
[gitlab pages daemon]: https://gitlab.com/gitlab-org/gitlab-pages
[NGINX configs]: https://gitlab.com/gitlab-org/gitlab-ee/tree/8-5-stable-ee/lib/support/nginx
[pages-readme]: https://gitlab.com/gitlab-org/gitlab-pages/blob/master/README.md
[pages-userguide]: ../../user/project/pages/index.md
416 417
[reconfigure]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
[restart]: ../restart_gitlab.md#installations-from-source
418
[gitlab-pages]: https://gitlab.com/gitlab-org/gitlab-pages/tree/v0.2.4
M
Marcia Ramos 已提交
419
[video-admin]: https://youtu.be/dD8c7WNcc6s