
nginx server configuration for Gitlab Mattermost (using non-bundled nginx server)


I'm trying to configure Gitlab Mattermost as per https://docs.gitlab.com/omnibus/gitlab-mattermost/README.html. I am using a non-bundled nginx server, which is configured as described here. The rest of Gitlab is currently working; I can access it by going to http://code.my.company.com.

Mattermost is probably configured correctly, but I can't seem to find any info on how to configure the non-bundled nginx with Mattermost. In particular, I'm wondering what the proxy_pass should be.

The Gitlab sample configuration file uses proxy_pass http://gitlab-workhorse. Near the top of the same file they define that as unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket. This works well for Gitlab itself (as we would hope!), but I don't know what proxy_pass to use for Mattermost.

As you'll see in my nginx config file below, I created the Mattermost part of the nginx config by simply copy/pasting most of the normal Gitlab nginx config, which includes the proxy_pass http://gitlab-workhorse line. Not surprisingly, this just resulted in http://code.my.company.com:1337 forwarding to the normal Gitlab, not to Mattermost.

Here is my /etc/nginx/sites-available/default file (all comments in this file are mine; if you want to see the original comments, see the source):

## Most of this is copy/pasted from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
## A few of the paths are different from the current version,
## perhaps because the Gitlab-suggested nginx config was different when I installed Gitlab

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}

map $http_upgrade $connection_upgrade_gitlab {
    default upgrade;
    '' close;
}

## Mattermost config, mostly copy/pasted from the server{} block below
server {
  listen 0.0.0.0:1337 default_server;
  listen [::]:1337 default_server;
  server_name code.my.company.com;

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_gitlab;

    proxy_pass http://gitlab-workhorse;
  }

}

## normal Gitlab config
server {
  listen 0.0.0.0:80 default_server;
  listen [::]:80 default_server;
  server_name code.my.company.com; 
  server_tokens off; 
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;


  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_gitlab;

    proxy_pass http://gitlab-workhorse;
  }
}

And here are the relevant parts of /etc/gitlab/gitlab.rb:

external_url 'http://code.my.company.com'
mattermost_external_url 'http://code.my.company.com:1337'

nginx['enable'] = false
mattermost_nginx['enable'] = false

mattermost['gitlab_enable'] = true
mattermost['gitlab_id'] = "HiddenForStackOverflowPost"
mattermost['gitlab_secret'] = "HiddenForStackOverflowPost"
mattermost['gitlab_scope'] = ""
mattermost['gitlab_auth_endpoint'] = "http://code.my.company.com/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "http://code.my.company.com/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "http://code.my.company.com/api/v3/user"

Solution

  • Here's an example from the docs of what a working Mattermost nginx config looks like:

    upstream backend {
       server 10.10.10.2:8065;
    }
    
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
    
    server {
       listen 80;
       server_name    mattermost.example.com;
    
       location /api/v3/users/websocket {
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
           client_max_body_size 50M;
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Frame-Options SAMEORIGIN;
           proxy_buffers 256 16k;
           proxy_buffer_size 16k;
           proxy_read_timeout 600s;
           proxy_pass http://backend;
       }
    
       location / {
           client_max_body_size 50M;
           proxy_set_header Connection "";
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Frame-Options SAMEORIGIN;
           proxy_buffers 256 16k;
           proxy_buffer_size 16k;
           proxy_read_timeout 600s;
           proxy_cache mattermost_cache;
           proxy_cache_revalidate on;
           proxy_cache_min_uses 2;
           proxy_cache_use_stale timeout;
           proxy_cache_lock on;
           proxy_pass http://backend;
       }
    }
    

    You'll need to replace 10.0.0.2:8065 with the IP (or host) and port of where Mattermost is running. If you want SSL set up too, take a look at the docs here (where this example configuration is taken from).
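The answer applied to the question's port-1337 server block, as an added example that is not part of the original post or of the GitLab or Mattermost documentation. It assumes Mattermost runs on the same host and listens on 127.0.0.1:8065; the upstream name `mattermost_backend` and the map variable `$connection_upgrade_mattermost` are hypothetical names chosen here.

```nginx
## Added example. Assumption: Mattermost listens on 127.0.0.1:8065.
## Replace with the address and port Mattermost actually uses.
upstream mattermost_backend {          # hypothetical upstream name
  server 127.0.0.1:8065;
}

## Send "Connection: upgrade" only when the client asked for a WebSocket
## upgrade; otherwise close. Same pattern as the Gitlab block's map.
map $http_upgrade $connection_upgrade_mattermost {
    default upgrade;
    ''      close;
}

server {
  listen 0.0.0.0:1337 default_server;
  listen [::]:1337 default_server;
  server_name code.my.company.com;
  server_tokens off;

  location / {
    client_max_body_size 50M;
    gzip off;

    proxy_read_timeout      600s;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          $connection_upgrade_mattermost;

    ## The only functional change from the question's block: proxy to
    ## Mattermost instead of http://gitlab-workhorse.
    proxy_pass http://mattermost_backend;
  }
}
```

Binding the Mattermost listener to 127.0.0.1 keeps port 8065 unreachable from other hosts, so all client traffic passes through this nginx server block.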