Unito’s Full Guide to On-Premise Installations for GitHub or GitLab
Whether you’re using an on-premise installation of GitHub or GitLab, here are some tips to get everything working right.
Determining the accessibility of an on-premise installation
Section titled “Determining the accessibility of an on-premise installation”First, it’s essential to verify whether your on-premise installation is accessible over the internet. If so, and it’s not behind a firewall or VPN, you’re good to go out-of-the-box.
However, if your installation is behind a firewall or VPN, you’ll need to perform additional configurations, which must be performed by someone familiar with your organization’s customized installation.
There are three ways to connect Unito to your local or on-premise installation of GitHub or GitLab
Open firewall ports
Section titled “Open firewall ports”Configure your firewall and/or routers to open a specific port and forward traffic to your internal GitHub Server instance.
Any port number is fine, as long as it forwards to an HTTPS-enabled port on your server. In the Unito web app, be sure to specify the port when you type in your server’s address.
You can also specify which IP addresses can access your open port for added security. Limit access to Unito’s fixed IP addresses and your internal IP addresses.
-
Pros: This approach has the easiest setup for organizations with simple network infrastructures (e.g. with a single router). Also, administration is simple once the service is provisioned.
-
Cons: Opening ports in larger organizations can be a complex process involving multiple departments*.* Since this approach works at the network level (layer 3), there’s no control over traffic contents (e.g. which API endpoints are called).
Reverse proxy or API gateway
Section titled “Reverse proxy or API gateway”Instead of exposing the app, you can use another server/service that is reachable over the internet to act as a proxy or frontend for your GitHub server. Common examples of reverse proxies and API gateways include Strong Loop, IBM, F5, Oracle, and NGINX.
Security Enhancement: You can configure the reverse proxy to only allow access from Unito’sIP addresses, add an extra layer of security with our SSL client certificates, or require custom HTTP headers.
For these advanced configurations, we suggest you contact us, and we’ll get you all set up in no time.
-
Pros: Secure. Flexible, with full control over communications.
-
Cons: Introduces a new software component (the proxy), which needs to be configured and managed.
On-premise agent or tunneling
Section titled “On-premise agent or tunneling”A lightweight “agent” software sits in your infrastructure behind the firewall and initiates communication with the Unito infrastructure, thereby avoiding firewall issues.
The agent then maintains a bi-directional connection (or tunnel) using the HTTPS protocol. In this scenario, none of your services are exposed to the Internet.
-
Pros: No need to open ports, expose an API, or touch the network infrastructure. Simple setup: lightweight agent software can run directly on the server, or in dedicated VM.
-
Cons: Separate software download, third-party solution.
Troubleshooting tips for local GitHub or GitLab server installations
Section titled “Troubleshooting tips for local GitHub or GitLab server installations”If you encounter problems connecting your GitHub or GitLab server to Unito:
Double-check your server URL
Section titled “Double-check your server URL”Just be on the lookout for typos, extra spaces or a misspelling of GitHub or GitLab.
Make sure your server is secure over HTTPS, and not just HTTP.
-
Access your tool in a browser and login
-
Ensure the address bar indicates a secure connection over HTTPS
-
If not, contact your server administrator to have them secure your server.
Here’s some more info our HTTPS requirements and setup tips.
Internet access
Section titled “Internet access”Make sure your server is accessible via public Internet:
-
Use any online website testing tool such as Pingdom Tools to test access to your server from outside your corporate network. Just enter the full URL to access your tool.
-
If the server is not reachable, contact your server administrator to discuss how it can be exposed to Unito’s server.
SSL/TLS configuration
Section titled “SSL/TLS configuration”Make sure your server SSL/TLS certificate is correctly configured:
- Use an online SSL diagnostics tool (like SSL Labs) to verify your server’s SSL/TLS certificate.
- If the diagnostics report a problem (often a missing “intermediate certificate”), contact your server administrator with the diagnostics results.
- Here’s some more info on how to enable SSL/TLS client certificates.
Note: while browsers can be more tolerant of incorrect SSL configurations, Unito’s server enforce strict security constraints.
Application configuration
Section titled “Application configuration”GitHub Server and GitLab instances require an in-app setup before they can be connected to Unito.
How to enable SSL/TLS client certificates
Section titled “How to enable SSL/TLS client certificates”Check out our full guide to enabling SSL/TLS client certificates (Mutual TLS/mTLS).
What IP Addresses Does Unito Use?
Section titled “What IP Addresses Does Unito Use?”Here are our fixed IP addresses:
54.82.172.192
54.82.178.193
notice the third number (178) is not the same for both IPs
We also maintain the following fully qualified domain names (FQDN) to point to our IP addresses.
a.infra-ip.unito.io
b.infra-ip.unito.io
Reach out to us if all else fails
Section titled “Reach out to us if all else fails”If you need help, don’t hesitate to reach out to us.
Just remember that your local server was set up specifically for your business, meaning that some specifications are unique to your business. Since we don’t know these specifications, it will be difficult for us to know how your on-premise installation can best be configured for Unito. Make sure that the person who contacts Unito for support knows your on-premise installation’s specifications.