rendyanthony / gitlab-ssh-proxy Goto Github PK

When this GitLab SSH proxy is working, the gitlab_shell_ssh_port setting has to be removed (when previously used for a custom SSH port), otherwise GitLab will still add the non-default SSH port to SSH URLs on web frontend (notably the SSH git clone command in a repository).
See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/1767#note_53544860.

This is a brilliant little bit of code. It works fantastically to proxy ssh sessions to e.g. gitlab running in docker, or on a container.

In my case I am using Proxmox cluster with GitLab running on a container who's IP address is on a vxnet spanning multiple servers hosted in a cloud provider. This allows me to potentially move the container without massive changes to its IP address.

In any case, some small caveats to the code in this repository as it is currently presented:

1. the 2 shell scripts call #!/usr/bin/sh. On at least Debian, this doesn't call Bash, it calls some other shell. And thus the [[ command doesn't work. Update the 1st line to use Bash as the interpreter fixed this.
2. I created the .config directory with the file gitlab-ssh.conf in it variables pointing to the container with my installed gitlab .
3. On at least Debian 11, the sshd_config file does not contain e.g. Include /etc/ssh/sshd_config.d/*.conf . In my case I added this, and then added the commands given to /etc/ssh/sshd_config.d/gitlab-proxy.conf . Then reloaded sshd. At that point everything just worked.

Thanks so much for sharing this.

Will this be possible to ssh proxy into gitlab running in lxc?

One thing I struggled to understand while reading README is the location of authorized_keys file on Gitlab server.
My case is slightly different, namely my Gitlab is running on a virtual machine behind NAT, so no docker and volumes are involved. I figured out that the file I need is located under /var/opt/gitlab/.ssh/authorized_keys. A few things are different: dot in .ssh: not sure if its absence is a typo in README or deliberate. Secondly, my authorized_keys file wasn't empty, so I appended a key instead of overwritting the whole file with a key like it says in README.
I would improve instructions in README if you are okay with it. Otherwise, great solution! Thank you!

On some systems SELinux isn't enabled or installing the module causes issues.
It would be a great addition if the SE_LINUX=no flag is better documented:
Using that flag makes the setup skip the SE Linux related step: SE_LINUX=no ./setup.sh install.

Fix interpreter path (env is better anyway IMHO):

--- a/setup.sh
+++ b/setup.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/usr/bin/env bash

Packages for build commands:
apt install -y checkpolicy policycoreutils policycoreutils-python-utils

Also add Include /etc/ssh/sshd_config.d/*.conf to /etc/ssh/sshd_config – but older sshd versions don't support Include.

When trying to install the SE Linux module package, this error occurs:

Failed to resolve typeattributeset statement at /var/lib/selinux/default/tmp/modules/400/gitlab-ssh/cil:1
semodule:  Failed!

This particular line in install.sh fails:
semodule -i $BUILD_DIR/gitlab-ssh.pp

Edit: This may be caused by A) no SELinux enabled by default on the Ubuntu system and B) using an older Ubuntu 18.04.6 LTS system.