Docker – Synology DSM 5.2 – Gitlab with Docker SSL Connection Error

dockergitlabsynology

I installed Synology DSM 5.2 yesterday, because it's stable release came out.

Afterwards I installed and configured Docker, MariaDB and the gitlab from the official Synology repo.

Gitlab is running on ort :30000
and the ssh access for gitlab is running on port :30001

The Docker container is running, but whenever I try to access the Docker Website:

=> I get SSL errors in FireFox

An error occurred during a connection to example.org:30000. SSL
received a record that exceeded the maximum permissible length. (Error
code: ssl_error_rx_record_too_long)

=> and Chrome:

SSL connection error

ERR_SSL_PROTOCOL_ERROR

Which can indicate an unencrypted connection (http-only) over this port and the DSM enforces HTTPS protocol somehow.

I use an officially signed and verified certificate, which works flawless in the normal DSM Webinterface, Webdav and webservices like DokuWiki.

Has someone experienced a similar problem or even found a solution.
Google seems empty on the topic of Synology DSM 5.2 Docker/Gitlab SSL errors.

Best Answer

My IT infrastructure enforced SSL via HSTS for the Subdomain, the Synology was running on. HTTP access worked for the gitlab Docker image, after HSTS was disabled.

HSTS on the Synology itself was also disabled.

Enabling SSL for the GitLab Docker container (from Synology) is not possible. Gitlab is distributed as installable package for DSM 5.2 and is HTTP only without SSL encryption. You cannot even enable it, because the docker container settings are not editable. If you set up your own Docker Container, you can enable SSL, supply your Certificate and you are fine.

After I configured my own Docker container with new MariaDB credentials, mail settings and SSL certificate, it worked even with enabled HSTS.

Related Solutions

Nginx: Proxypass to a docker image that handles ssl connections and letsencrypt certificate renewal

Just change the nginx configuration into:

server {
   listen 80;
   server_name mail.example.com;

   location /.well-known {
        proxy_pass http://127.0.0.1:8080/.well-known ;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;

   }

   location / {
        rewrite ^(.*) https://$server_name$1 permanent;
   }

}

server {
 listen 443 ssl;
 server_name mail.example.com;

 ssl_certificate     /opt/docker-mailcow/data/assets/ssl/cert.pem;
 ssl_certificate_key /opt/docker-mailcow/data/assets/ssl/key.pem;
 ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers         HIGH:!aNULL:!MD5;


 location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
 }

}

Where ssl_certificate and ssl_certificate_key points to a file that is a directory that acme-mailcow docker image volume generates the certificates.

Please keep in mind to set ADDITIONAL_SAN and MAILCOW_HOSTNAME the correct MX record of your mailserver.

Also replace the mail.example.com with your own MX record (that should be the same with A record in my case).

Synology DSM – Troubleshooting SSH Access Issues

To log in via ssh, the user must be in the "administrators" group. If you look at /etc/ssh/sshd_config on the Synology you will see an AllowGroups line that sets up this restriction. If you put user2 into the administrators group, they will be able to log in with ssh. Putting a user into the administrators group will automatically change their shell (the last field on their line in /etc/passwd) from /sbin/no login to /bin/bash.

My Synology sshd configuration allows a second group, "ssh_users", but I have not tested that at all.

If you play around with this, be aware that manual changes to user properties in files like /etc/passwd and /etc/group are often undone if you modify the user in DSM, and sometimes if you make apparently unrelated changes in DSM. Sometimes an upgrade will undo manual changes too.

Best Answer

Related Solutions

Nginx: Proxypass to a docker image that handles ssl connections and letsencrypt certificate renewal

Synology DSM – Troubleshooting SSH Access Issues

Related Topic