
So I have a GitLab EE server (Omnibus) installed and set up on Ubuntu 20.04.
Next, following the official GitLab documentation on PlantUML integration, I started PlantUML in a Docker container with the following command:

docker run -d --name plantuml -p 8084:8080 plantuml/plantuml-server:tomcat

Next, I also configured the /etc/gitlab/gitlab.rb file and added the following line for redirection, as my GitLab server is using SSL:

nginx['custom_gitlab_server_config'] = "location /-/plantuml/ { \n    proxy_cache off; \n    proxy_pass  http://plantuml:8080/; \n}\n"

In the GitLab server GUI, in the admin panel under Settings -> General, when I expand PlantUML, I set the value of PlantUML URL to (two ways):

1st approach:

https://HOSTNAME:8084/-/plantuml

Then, when trying to reach it through the browser at this address (https://HOSTNAME:8084/-/plantuml), I get

This site can’t provide a secure connection.

HOSTNAME sent an invalid response.

ERR_SSL_PROTOCOL_ERROR



2nd approach:
Before that, I also tried a different value in Settings -> General -> PlantUML -> PlantUML URL:

https://HOSTNAME/-/plantuml

Then, when trying to reach it through the browser through this address (https://HOSTNAME/-/plantuml), I get

502

Whoops, GitLab is taking too much time to respond



In both cases when I trace logs with gitlab-ctl tail I get the same errors:

[crit] *901 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: CLIENT_IP, server: 0.0.0.0:443
[error] 1123593#0: *4 connect() failed (113: No route to host) while connecting to upstream

My question is which of the above two ways is correct to access PlantUML with the above configuration and is there any configuration I am missing?

2 Answers


  1. I believe the issue is that you are running PlantUML in a Docker container and then trying to reach it via GitLab (on localhost) by name.

    In order to check if that is the issue please change

    proxy_pass  http://plantuml:8080/
    

    to

    proxy_pass http://localhost:8080/
    

    and try again with the first approach.

    Your second approach seems to be missing the container port in the url.

  2. You are right.
    PlantUML TomCat or Jetty has the same issue, only serving HTTP not HTTPS.
    If you need to have HTTPS then it’s up to nginx to provide that layer.

    Here is my Nginx config for my local PlantUML. I know you want the whole integration with GitLab. Maybe because this is 6 months old, you found a solution.

    Anyway you can see that nginx is taking care of the ssl while the proxy_pass is only over http.

    upstream jetty {  server 127.0.0.1:8084 weight=100 max_fails=5 fail_timeout=5;}
    server {
        listen 443 ssl; # managed by Certbot
        listen [::]:443 ssl; # managed by Certbot
    
        listen 80;
        listen [::]:80;
         
        server_name plantuml.mycompany.example;
        
        access_log /var/log/nginx/plantuml.mycompany.example.access.log;
        error_log /var/log/nginx/plantuml.mycompany.example.error.log;
        
        # RSA certificate
        ssl_certificate /etc/letsencrypt/live/mycompany.example-0001/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mycompany.example-0001/privkey.pem; # managed by Certbot
    
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
         
        # Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
        location / {
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Forwarded-Server $host;
         proxy_pass http://jetty/;
         sub_filter '"http://jetty/'  '"/';
         sub_filter_once off;
        }
    }
    

    If you found a solution, please share.

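The two symptoms in this thread (ERR_SSL_PROTOCOL_ERROR when browsing to port 8084 over https, and the upstream connect() failure) can be told apart with a small probe that classifies what a port actually speaks. This is an added example, not code from the question or either answer; `probe`, `start_plain_http_server` and the loopback server standing in for an HTTP-only port are hypothetical names and constructed test fixtures.

```python
import http.server
import socket
import ssl
import threading


def probe(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'unreachable' or 'unknown' for host:port."""
    ctx = ssl.create_default_context()
    # Diagnostic only: asks whether the port speaks TLS, not whether the cert is valid.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, timed out, "No route to host", or the name does not resolve.
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:
        # SSLError is an OSError: non-TLS reply, reset, or silence all land here.
        pass
    finally:
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            if plain.recv(16).startswith(b"HTTP/"):
                return "plain-http"
    except OSError:
        pass
    return "unknown"


class _PlainHandler(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_plain_http_server():
    """Constructed stand-in for an HTTP-only port such as the container's."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

A result of `plain-http` for a port means an https:// URL pointed straight at it will fail the handshake, so TLS has to be terminated by nginx in front of it; `unreachable` points at the name or route used in `proxy_pass` instead.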