1--- 2disqus_identifier: 'https://docs.gitlab.com/ee/user/project/pages/getting_started_part_three.html' 3stage: Release 4group: Release 5info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments 6--- 7 8# Custom domains and SSL/TLS certificates **(FREE)** 9 10Setting up GitLab Pages with custom domains, and adding SSL/TLS certificates to them, are optional features of GitLab Pages. 11 12To use one or more custom domain names with your Pages site, you can: 13 14- Add a [custom **root domain** or a **subdomain**](#set-up-pages-with-a-custom-domain). 15- Add [SSL/TLS certification](#adding-an-ssltls-certificate-to-pages). 16 17## Set up Pages with a custom domain 18 19To set up Pages with a custom domain name, read the requirements 20and steps below. 21 22### Requirements 23 24- A GitLab Pages website up and running, served under the default Pages domain 25 (`*.gitlab.io`, for GitLab.com). 26- A custom domain name `example.com` or subdomain `subdomain.example.com`. 27- Access to your domain's server control panel to set up DNS records: 28 - A DNS record (`A`, `ALIAS`, or `CNAME`) pointing your domain to the GitLab Pages server. If 29 there are multiple DNS records on that name, you must use an `ALIAS` record. 30 - A DNS `TXT` record to verify your domain's ownership. 31- Set either `external_http` or `external_https` in `/etc/gitlab/gitlab.rb` to the IP and port of 32 your [Pages Daemon](../../../../administration/pages/index.md#overview). 33 If you don't have IPv6, you can omit the IPv6 address. 34 35 Example: 36 37 ```ruby 38 # Redirect pages from HTTP to HTTPS 39 gitlab_pages['external_http'] = ['192.0.2.2:80', '[2001:db8::2]:80'] # The secondary IPs for the GitLab Pages daemon 40 gitlab_pages['external_https'] = ['192.0.2.2:443', '[2001:db8::2]:443'] # The secondary IPs for the GitLab Pages daemon 41 ``` 42 43### Steps 44 45Follow the steps below to add your custom domain to Pages. See also 46this document for an [overview on DNS records](dns_concepts.md). 47 48#### 1. Add a custom domain to Pages 49 50Navigate to your project's **Setting > Pages** and click **+ New domain** 51to add your custom domain to GitLab Pages. You can choose whether to: 52 53- Add an [SSL/TLS certificate](#adding-an-ssltls-certificate-to-pages). 54- Leave it blank (it can be added later). 55 56Click **Create New Domain**. 57 58![Add new domain](img/add_certificate_to_pages.png) 59 60#### 2. Get the verification code 61 62After you add a new domain to Pages, the verification code prompts you. Copy the values from GitLab 63and paste them in your domain's control panel as a `TXT` record on the next step. 64 65![Get the verification code](img/get_domain_verification_code_v12_0.png) 66 67#### 3. Set up DNS records for Pages 68 69Read this document for an [overview of DNS records for Pages](dns_concepts.md). 70If you're familiar with the subject, follow the instructions below 71according to the type of domain you want to use with your Pages site: 72 73- [For root domains](#for-root-domains), `example.com`. 74- [For subdomains](#for-subdomains), `subdomain.example.com`. 75- [For both](#for-both-root-and-subdomains). 76 77You can [configure IPv6 on self-managed instances](../../../../administration/pages/index.md#advanced-configuration), 78but IPv6 is not currently configured for Pages on GitLab.com. 79Follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/214718) for details. 80 81##### For root domains 82 83Root domains (`example.com`) require: 84 85- A [DNS A record](dns_concepts.md#a-record) pointing your domain to the Pages server. 86- A [TXT record](dns_concepts.md#txt-record) to verify your domain's ownership. 87 88| From | DNS Record | To | 89| --------------------------------------------- | ---------- | --------------- | 90| `example.com` | A | `35.185.44.232` | 91| `_gitlab-pages-verification-code.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 92 93For projects on GitLab.com, this IP is `35.185.44.232`. 94For projects living in other GitLab instances (CE or EE), please contact 95your sysadmin asking for this information (which IP address is Pages 96server running on your instance). 97 98![DNS A record pointing to GitLab.com Pages server](img/dns_add_new_a_record_example_updated_2018.png) 99 100WARNING: 101Note that if you use your root domain for your GitLab Pages website 102**only**, and if your domain registrar supports this feature, you can 103add a DNS apex `CNAME` record instead of an `A` record. The main 104advantage of doing so is that when GitLab Pages IP on GitLab.com 105changes for whatever reason, you don't need to update your `A` record. 106There may be a few exceptions, but **this method is not recommended** 107as it most likely doesn't work if you set an [`MX` record](dns_concepts.md#mx-record) for your root domain. 108 109##### For subdomains 110 111Subdomains (`subdomain.example.com`) require: 112 113- A DNS [`ALIAS` or `CNAME` record](dns_concepts.md#cname-record) pointing your subdomain to the Pages server. 114- A DNS [TXT record](dns_concepts.md#txt-record) to verify your domain's ownership. 115 116| From | DNS Record | To | 117|:--------------------------------------------------------|:----------------|:----------------------| 118| `subdomain.example.com` | `ALIAS`/`CNAME` | `namespace.gitlab.io` | 119| `_gitlab-pages-verification-code.subdomain.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 120 121Note that, whether it's a user or a project website, the DNS record 122should point to your Pages domain (`namespace.gitlab.io`), 123without any `/project-name`. 124 125![DNS CNAME record pointing to GitLab.com project](img/dns_cname_record_example.png) 126 127##### For both root and subdomains 128 129There are a few cases where you need to point both the subdomain and root 130domain to the same website, for instance, `example.com` and `www.example.com`. 131 132They require: 133 134- A DNS `A` record for the domain. 135- A DNS `ALIAS`/`CNAME` record for the subdomain. 136- A DNS `TXT` record for each. 137 138| From | DNS Record | To | 139| ------------------------------------------------- | ---------- | ---------------------- | 140| `example.com` | A | `35.185.44.232` | 141| `_gitlab-pages-verification-code.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 142|---------------------------------------------------+------------+------------------------| 143| `www.example.com` | CNAME | `namespace.gitlab.io` | 144| `_gitlab-pages-verification-code.www.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 145 146If you're using Cloudflare, check 147[Redirecting `www.domain.com` to `domain.com` with Cloudflare](#redirecting-wwwdomaincom-to-domaincom-with-cloudflare). 148 149> **Notes**: 150> 151> - **Do not** use a `CNAME` record if you want to point your 152 `domain.com` to your GitLab Pages site. Use an `A` record instead. 153> - **Do not** add any special chars after the default Pages 154 domain. For example, don't point `subdomain.domain.com` to 155 or `namespace.gitlab.io/`. Some domain hosting providers may request a trailing dot (`namespace.gitlab.io.`), though. 156> - GitLab Pages IP on GitLab.com [was changed](https://about.gitlab.com/releases/2017/03/06/we-are-changing-the-ip-of-gitlab-pages-on-gitlab-com/) in 2017. 157> - GitLab Pages IP on GitLab.com [has changed](https://about.gitlab.com/blog/2018/07/19/gcp-move-update/#gitlab-pages-and-custom-domains) 158 from `52.167.214.135` to `35.185.44.232` in 2018. 159 160#### 4. Verify the domain's ownership 161 162Once you have added all the DNS records: 163 1641. Go back at your project's **Settings > Pages**. 1651. Locate your domain name and click **Details**. 1661. Click the **Retry verification** button to activate your new domain. 167 168![Verify your domain](img/retry_domain_verification_v12_0.png) 169 170As soon as your domain becomes active, your website is available through your domain name. 171 172WARNING: 173Considering GitLab instances with domain verification enabled, 174if the domain can't be verified for 7 days, it's removed 175from the GitLab project. 176 177> **Notes:** 178> 179> - Domain verification is **required for GitLab.com users**; 180 for GitLab self-managed instances, your GitLab administrator has the option 181 to [disabled custom domain verification](../../../../administration/pages/index.md#custom-domain-verification). 182> - [DNS propagation may take some time (up to 24h)](https://www.inmotionhosting.com/support/domain-names/dns-nameserver-changes/complete-guide-to-dns-records/), 183 although it's usually a matter of minutes to complete. Until it does, verification 184 fails, and attempts to visit your domain result in a 404. 185> - Once your domain has been verified, leave the verification record 186 in place. Your domain is periodically reverified, and may be 187 disabled if the record is removed. 188 189##### Troubleshooting Pages domain verification 190 191To manually verify that you have properly configured the domain verification 192`TXT` DNS entry, you can run the following command in your terminal: 193 194```shell 195dig _gitlab-pages-verification-code.<YOUR-PAGES-DOMAIN> TXT 196``` 197 198Expect the output: 199 200```plaintext 201;; ANSWER SECTION: 202_gitlab-pages-verification-code.<YOUR-PAGES-DOMAIN>. 300 IN TXT "gitlab-pages-verification-code=<YOUR-VERIFICATION-CODE>" 203``` 204 205In some cases it can help to add the verification code with the same domain name as you are trying to register. 206 207For a root domain: 208 209| From | DNS Record | To | 210| ------------------------------------------------- | ---------- | ---------------------- | 211| `example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 212| `_gitlab-pages-verification-code.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 213 214For a subdomain: 215 216| From | DNS Record | To | 217| ------------------------------------------------- | ---------- | ---------------------- | 218| `www.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 219| `_gitlab-pages-verification-code.www.example.com` | `TXT` | `gitlab-pages-verification-code=00112233445566778899aabbccddeeff` | 220 221### Adding more domain aliases 222 223You can add more than one alias (custom domains and subdomains) to the same project. 224An alias can be understood as having many doors leading to the same room. 225 226All the aliases you've set to your site are listed on **Setting > Pages**. 227From that page, you can view, add, and remove them. 228 229### Redirecting `www.domain.com` to `domain.com` with Cloudflare 230 231If you use Cloudflare, you can redirect `www` to `domain.com` 232without adding both `www.domain.com` and `domain.com` to GitLab. 233 234To do so, you can use Cloudflare's page rules associated to a 235`CNAME` record to redirect `www.domain.com` to `domain.com`. You 236can use the following setup: 237 2381. In Cloudflare, create a DNS `A` record pointing `domain.com` to `35.185.44.232`. 2391. In GitLab, add the domain to GitLab Pages and get the verification code. 2401. In Cloudflare, create a DNS `TXT` record to verify your domain. 2411. In GitLab, verify your domain. 2421. In Cloudflare, create a DNS `CNAME` record pointing `www` to `domain.com`. 2431. In Cloudflare, add a Page Rule pointing `www.domain.com` to `domain.com`: 244 - Navigate to your domain's dashboard and click **Page Rules** 245 on the top nav. 246 - Click **Create Page Rule**. 247 - Enter the domain `www.domain.com` and click **+ Add a Setting**. 248 - From the dropdown menu, choose **Forwarding URL**, then select the 249 status code **301 - Permanent Redirect**. 250 - Enter the destination URL `https://domain.com`. 251 252## Adding an SSL/TLS certificate to Pages 253 254Read this document for an [overview on SSL/TLS certification](ssl_tls_concepts.md). 255 256To secure your custom domain with GitLab Pages you can opt by: 257 258- Using the [Let's Encrypt integration with GitLab Pages](lets_encrypt_integration.md), 259 which automatically obtains and renews SSL certificates 260 for your Pages domains. 261- Manually adding SSL/TLS certificates to GitLab Pages websites 262 by following the steps below. 263 264### Manual addition of SSL/TLS certificates 265 266You can use any certificate satisfying the following requirements: 267 268- A GitLab Pages website up and running accessible via a custom domain. 269- **A PEM certificate**: it is the certificate generated by the CA, 270 which needs to be added to the field **Certificate (PEM)**. 271- **An [intermediate certificate](https://en.wikipedia.org/wiki/Intermediate_certificate_authority)**: (aka "root certificate"), it is 272 the part of the encryption keychain that identifies the CA. 273 Usually it's combined with the PEM certificate, but there are 274 some cases in which you need to add them manually. 275 [Cloudflare certs](https://about.gitlab.com/blog/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/) 276 are one of these cases. 277- **A private key**, it's an encrypted key which validates 278 your PEM against your domain. 279 280For example, [Cloudflare certificates](https://about.gitlab.com/blog/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/) 281meet these requirements. 282 283#### Steps 284 285- To add the certificate at the time you add a new domain, go to your 286 project's **Settings > Pages > New Domain**, add the domain name and the certificate. 287- To add the certificate to a domain previously added, go to your 288 project's **Settings > Pages**, locate your domain name, click **Details** and **Edit** to add the certificate. 289 290![Pages project - adding certificates](img/add_certificate_to_pages.png) 291 2921. Add the PEM certificate to its corresponding field. 2931. If your certificate is missing its intermediate, copy 294 and paste the root certificate (usually available from your CA website) 295 and paste it in the [same field as your PEM certificate](https://about.gitlab.com/blog/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/), 296 just jumping a line between them. 2971. Copy your private key and paste it in the last field. 298 299**Do not** open certificates or encryption keys in 300regular text editors. Always use code editors (such as 301Sublime Text, Atom, Dreamweaver, Brackets, etc). 302 303## Force HTTPS for GitLab Pages websites 304 305To make your website's visitors even more secure, you can choose to 306force HTTPS for GitLab Pages. By doing so, all attempts to visit your 307website through HTTP are automatically redirected to HTTPS through 301. 308 309It works with both the GitLab default domain and with your custom 310domain (as long as you've set a valid certificate for it). 311 312To enable this setting: 313 3141. Navigate to your project's **Settings > Pages**. 3151. Tick the checkbox **Force HTTPS (requires valid certificates)**. 316 317If you use Cloudflare CDN in front of GitLab Pages, make sure to set the SSL connection setting to 318`full` instead of `flexible`. For more details, see the [Cloudflare CDN directions](https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options#h_4e0d1a7c-eb71-4204-9e22-9d3ef9ef7fef). 319 320<!-- ## Troubleshooting 321 322Include any troubleshooting steps that you can foresee. If you know beforehand what issues 323one might have when setting this up, or when something is changed, or on upgrading, it's 324important to describe those, too. Think of things that may go wrong and include them here. 325This is important to minimize requests for support, and to avoid doc comments with 326questions that you know someone might ask. 327 328Each scenario can be a third-level heading, for example, `### Getting error message X`. 329If you have none to add when creating a doc, leave this section in place 330but commented out to help encourage others to add to it in the future. --> 331