# Load Balancer for GitLab HA

In an active/active GitLab configuration, you will need a load balancer to route
traffic to the application servers. The specifics of which load balancer to use
and its exact configuration are beyond the scope of GitLab documentation. We hope
that if you're managing HA systems like GitLab you already have a load balancer
of choice. Some examples include HAProxy (open-source), F5 Big-IP LTM,
and Citrix NetScaler. This documentation outlines which ports and protocols
you need to use with GitLab.

## Basic ports

| LB Port | Backend Port | Protocol        |
| ------- | ------------ | --------------- |
| 80      | 80           | HTTP  [^1]      |
| 443     | 443          | TCP or HTTPS [^1] [^2] |
| 22      | 22           | TCP             |

## GitLab Pages Ports

If you're using GitLab Pages you will need some additional port configurations.
GitLab Pages requires a separate virtual IP address. Configure DNS to point the
`pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the
[GitLab Pages documentation][gitlab-pages] for more information.

| LB Port | Backend Port | Protocol |
| ------- | ------------ | -------- |
| 80      | Varies [^3]  | HTTP     |
| 443     | Varies [^3]  | TCP [^4] |

## Alternate SSH Port

Some organizations have policies against opening SSH port 22. In this case,
it may be helpful to configure an alternate SSH hostname that allows users
to use SSH on port 443. An alternate SSH hostname requires a new virtual IP
address, separate from the one used by the GitLab HTTP configuration above.

Configure DNS for an alternate SSH hostname such as altssh.gitlab.example.com.

| LB Port | Backend Port | Protocol |
| ------- | ------------ | -------- |
| 443     | 22           | TCP      |
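
The basic and alternate SSH port tables above, expressed as an HAProxy configuration that uses the TCP option for port 443. This is an added example, not part of the GitLab documentation: the virtual IPs, backend addresses, server names and timeouts are placeholder assumptions, and the GitLab Pages listeners are left out because their backend ports vary.

```haproxy
# Added example. All addresses are placeholders from documentation ranges.
defaults
    timeout connect 5s
    timeout client  1h      # assumed value; keeps idle SSH sessions open
    timeout server  1h

# Main GitLab virtual IP: 80 -> 80 (HTTP), 443 -> 443 (TCP), 22 -> 22 (TCP)
frontend gitlab_http
    bind 192.0.2.10:80
    mode http
    default_backend gitlab_http_servers

frontend gitlab_https
    bind 192.0.2.10:443
    mode tcp                # TLS is not terminated here; it ends on the application servers
    default_backend gitlab_https_servers

frontend gitlab_ssh
    bind 192.0.2.10:22
    mode tcp
    default_backend gitlab_ssh_servers

# Separate virtual IP for altssh.gitlab.example.com: 443 -> 22 (TCP)
frontend gitlab_altssh
    bind 192.0.2.11:443
    mode tcp
    default_backend gitlab_ssh_servers

backend gitlab_http_servers
    mode http
    balance roundrobin
    server app1 198.51.100.11:80 check
    server app2 198.51.100.12:80 check

backend gitlab_https_servers
    mode tcp
    balance roundrobin
    server app1 198.51.100.11:443 check
    server app2 198.51.100.12:443 check

backend gitlab_ssh_servers
    mode tcp
    balance roundrobin
    server app1 198.51.100.11:22 check
    server app2 198.51.100.12:22 check
```

Running `haproxy -c -f <file>` checks the configuration for errors before it is loaded.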

---

Read more on high-availability configuration:

1. [Configure the database](database.md)
1. [Configure Redis](redis.md)
1. [Configure NFS](nfs.md)
1. [Configure the GitLab application servers](gitlab.md)

[^1]: [Web terminal](../../ci/environments.md#web-terminals) support requires
      your load balancer to correctly handle WebSocket connections. When using
      HTTP or HTTPS proxying, this means your load balancer must be configured
      to pass through the `Connection` and `Upgrade` hop-by-hop headers. See the
      [web terminal](../integration/terminal.md) integration guide for
      more details.
[^2]: When using HTTPS protocol for port 443, you will need to add an SSL
      certificate to the load balancers. If you wish to terminate SSL at the
      GitLab application server instead, use TCP protocol.
[^3]: The backend port for GitLab Pages depends on the
      `gitlab_pages['external_http']` and `gitlab_pages['external_https']`
      settings. See [GitLab Pages documentation][gitlab-pages] for more details.
[^4]: Port 443 for GitLab Pages should always use the TCP protocol. Users can
      configure custom domains with custom SSL, which would not be possible
      if SSL was terminated at the load balancer.

[gitlab-pages]: ../pages/index.md