diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 0a0d9241e27..8e85634d054 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -3,9 +3,11 @@ # # # # # # # # # # # # # # # # # # # # How to use: -# 1. copy file as gitlab.yml -# 2. Replace gitlab -> host with your domain -# 3. Replace gitlab -> email_from +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# 5. Review this configuration file for other settings you may want to adjust production: &base # @@ -16,8 +18,8 @@ production: &base gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: localhost - port: 80 - https: false + port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details # Uncommment this line below if your ssh host is different from HTTP/HTTPS one # (you'd obviously need to replace ssh.host_example.com with your own host). diff --git a/doc/install/installation.md b/doc/install/installation.md index 423a5f0cb19..a3a456659e7 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md 
@@ -76,7 +76,7 @@ Is the system packaged Git too old? Remove it and compile from source. # Install into /usr/local/bin sudo make prefix=/usr/local install - # When editing config/gitlab.yml (Step 5), change the git bin_path to /usr/local/bin/git + # When editing config/gitlab.yml (Step 5), change the git -> bin_path to /usr/local/bin/git **Note:** In order to receive mail notifications, make sure to install a mail server. By default, Debian is shipped with exim4 but this [has problems](https://github.com/gitlabhq/gitlabhq/issues/4866#issuecomment-32726573) while Ubuntu does not ship with one. The recommended mail server is postfix and you can install it with: @@ -153,12 +153,7 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da # Copy the example GitLab config sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml - # Make sure to change "localhost" to the fully-qualified domain name of your - # host serving GitLab where necessary - # - # If you want to use https make sure that you set `https` to `true`. See #using-https for all necessary details. - # - # If you installed Git from source, change the git bin_path to /usr/local/bin/git + # Update GitLab config file, follow the directions at top of file sudo -u git -H editor config/gitlab.yml # Make sure GitLab can write to the log/ and tmp/ directories @@ -196,6 +191,8 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da **Important Note:** Make sure to edit both `gitlab.yml` and `unicorn.rb` to match your setup. +**Note:** If you want to use HTTPS, see [Using HTTPS](#using-https) for the additional steps. + ### Configure GitLab DB Settings # PostgreSQL only: 
@@ -233,16 +230,11 @@ GitLab Shell is an SSH access and repository management software developed speci # Run the installation task for gitlab-shell (replace `REDIS_URL` if needed): sudo -u git -H bundle exec rake gitlab:shell:install[v1.9.7] REDIS_URL=redis://localhost:6379 RAILS_ENV=production - # By default, the gitlab-shell config is generated from your main gitlab config. - # - # Note: When using GitLab with HTTPS please change the following: - # - Provide paths to the certificates under `ca_file` and `ca_path` options. - # - The `gitlab_url` option must point to the https endpoint of GitLab. - # - In case you are using self signed certificate set `self_signed_cert` to `true`. - # See #using-https for all necessary details. - # + # By default, the gitlab-shell config is generated from your main GitLab config. # You can review (and modify) the gitlab-shell config as follows: sudo -u git -H editor /home/git/gitlab-shell/config.yml + +**Note:** If you want to use HTTPS, see [Using HTTPS](#using-https) for the additional steps. ### Initialize Database and Activate Advanced Features @@ -309,7 +301,7 @@ Make sure to edit the config file to match your setup: # domain name of your host serving GitLab. sudo editor /etc/nginx/sites-available/gitlab -**Note:** If you want to use HTTPS, replace the `gitlab` Nginx config with `gitlab-ssl`. See [Using HTTPS](#using-https) for all necessary details. +**Note:** If you want to use HTTPS, replace the `gitlab` Nginx config with `gitlab-ssl`. See [Using HTTPS](#using-https) for HTTPS configuration details. ### Test Configuration 
@@ -350,11 +342,30 @@ Visit YOUR_SERVER in your web browser for your first GitLab login. The setup has ### Using HTTPS -To recapitulate what is needed to use GitLab with HTTPS: +To use GitLab with HTTPS: -1. In `gitlab.yml` set the `https` option to `true` -1. In the `config.yml` of gitlab-shell set the relevant options (see the [install GitLab Shell section](#install-gitlab-shell) of this document). -1. Use the `gitlab-ssl` nginx example config instead of the `gitlab` config. +1. In `gitlab.yml`: + 1. Set the `port` option in section 1 to `443`. + 1. Set the `https` option in section 1 to `true`. +1. In the `config.yml` of gitlab-shell: + 1. Set `gitlab_url` option to the HTTPS endpoint of GitLab (e.g. `https://git.example.com`). + 1. Set the certificates using either the `ca_file` or `ca_path` option. +1. Use the `gitlab-ssl` Nginx example config instead of the `gitlab` config. + 1. Update `YOUR_SERVER_FQDN`. + 1. Update `ssl_certificate` and `ssl_certificate_key`. + 1. Review the configuration file and consider applying other security and performance enhancing features. + +Using a self-signed certificate is discouraged but if you must use it follow the normal directions then: + 1. Generate a self-signed SSL certificate: + + ``` + mkdir -p /etc/nginx/ssl/ + cd /etc/nginx/ssl/ + sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key + sudo chmod o-r gitlab.key + ``` + + 1. In the `config.yml` of gitlab-shell set `self_signed_cert` to `true`. ### Additional Markup Styles diff --git a/doc/update/4.2-to-5.0.md b/doc/update/4.2-to-5.0.md index 6ec153f6245..897cd0b91fa 100644 --- a/doc/update/4.2-to-5.0.md +++ b/doc/update/4.2-to-5.0.md @@ -10,7 +10,7 @@ GitLab 5.0 is affected by critical security vulnerability CVE-2013-4490. - Self signed SSL certificates are not supported until GitLab 5.1 - **requires ruby1.9.3** -## 0. Stop gitlab +## 0. Stop GitLab sudo service gitlab stop 
@@ -41,7 +41,7 @@ git checkout v1.1.0 # copy config cp config.yml.example config.yml -# change url to gitlab instance +# change url to GitLab instance # ! make sure url end with '/' like 'https://gitlab.example/' vim config.yml @@ -49,14 +49,14 @@ vim config.yml ./support/rewrite-hooks.sh # check ruby version for git user ( 1.9 required!! ) -# gitlab shell requires system ruby 1.9 +# GitLab shell requires system ruby 1.9 ruby -v # exit from git user exit ``` -## 4. Copy gitlab instance to git user +## 4. Copy GitLab instance to git user ```bash sudo cp -R /home/gitlab/gitlab /home/git/gitlab @@ -162,8 +162,43 @@ sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production ``` -**P.S. If everything works as expected you can remove gitlab user from system** +## 9. Cleanup + +**If everything works as expected you can cleanup some old things** +Recommend you wait a bit and do a backup before completing the following. ```bash +# remove GitLab user from system sudo userdel -r gitlab + +cd /home/git + +# cleanup .profile +## remove text from .profile added during gitolite installation: +## PATH=\$PATH:/home/git/bin +## export PATH +## to see what a clean .profile for new users on your system would look like see /etc/skel/.profile +sudo -u git -H vim .profile + +# remove gitolite +sudo rm -R bin +sudo rm -Rf gitolite +sudo rm -R .gitolite +sudo rm .gitolite.rc +sudo rm -f gitlab.pub +sudo rm projects.list + +# reset tmp folders +sudo service gitlab stop +cd /home/git/gitlab +sudo rm -R tmp +sudo -u git -H mkdir tmp +sudo chmod -R u+rwX tmp/ + +# reboot system +sudo reboot + +# login, check that GitLab is running fine +cd /home/git/gitlab +sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production ``` diff --git a/doc/update/6.0-to-7.2.md b/doc/update/6.0-to-7.2.md index 770519a46e0..8dfcbcdd056 100644 --- a/doc/update/6.0-to-7.2.md +++ b/doc/update/6.0-to-7.2.md 
@@ -135,7 +135,8 @@ git diff 6-0-stable:config/gitlab.yml.example 7-2-stable:config/gitlab.yml.examp * Make `/home/git/gitlab/config/gitlab.yml` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-2-stable/config/gitlab.yml.example but with your settings. * Make `/home/git/gitlab/config/unicorn.rb` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-2-stable/config/unicorn.rb.example but with your settings. * Make `/home/git/gitlab-shell/config.yml` the same as https://gitlab.com/gitlab-org/gitlab-shell/blob/v1.9.7/config.yml.example but with your settings. -* Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-2-stable/lib/support/nginx/gitlab but with your settings. +* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-2-stable/lib/support/nginx/gitlab but with your settings. +* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-2-stable/lib/support/nginx/gitlab-ssl but with your settings. * Copy rack attack middleware config ```bash diff --git a/doc/update/6.9-to-7.0.md b/doc/update/6.9-to-7.0.md index bbb3b2617a7..1f3421a799b 100644 --- a/doc/update/6.9-to-7.0.md +++ b/doc/update/6.9-to-7.0.md @@ -105,6 +105,9 @@ There are new configuration options available for gitlab.yml. View them with the git diff origin/6-9-stable:config/gitlab.yml.example origin/7-0-stable:config/gitlab.yml.example ``` +* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings. +* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting + ### 7. Start application sudo service gitlab start 
diff --git a/doc/update/7.1-to-7.2.md b/doc/update/7.1-to-7.2.md index b06f62aeb03..ff5574114a8 100644 --- a/doc/update/7.1-to-7.2.md +++ b/doc/update/7.1-to-7.2.md @@ -89,6 +89,9 @@ There are new configuration options available for gitlab.yml. View them with the git diff 7-1-stable:config/gitlab.yml.example 7-2-stable:config/gitlab.yml.example ``` +* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings. +* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting + Update rack attack middleware config ``` diff --git a/doc/update/7.2-to-7.3.md b/doc/update/7.2-to-7.3.md new file mode 100644 index 00000000000..7cc8f8e2ede --- /dev/null +++ b/doc/update/7.2-to-7.3.md @@ -0,0 +1,10 @@ +# From 7.2 to 7.3 + +# GitLab 7.3 has not been released yet! + +This document currently just serves as a place to keep track of updates that will be needed for the 7.3 update. + +### Update config files + +* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings. +* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting \ No newline at end of file diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl index 9ab228b46d7..0ba9d055c8c 100644 --- a/lib/support/nginx/gitlab-ssl +++ b/lib/support/nginx/gitlab-ssl 
@@ -26,23 +26,12 @@ ## [1] https://github.com/agentzh/chunkin-nginx-module#status ## [2] https://github.com/agentzh/chunkin-nginx-module ## -################################### -## SSL file editing ## -################################### -## -## Edit `gitlab-shell/config.yml`: -## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` -## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` -## 3) Set "self_signed_cert" to `true` -## Edit `gitlab/config/gitlab.yml`: -## 1) Define port for http "port: 443" -## 2) Enable https "https: true" -## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" ## ################################### ## SSL configuration ## ################################### ## +## See installation.md#using-https for additional HTTPS configuration details. upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; @@ -87,6 +76,23 @@ server { add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 10s; + + ## [Optional] Generate a stronger DHE parameter: + ## cd /etc/ssl/certs + ## sudo openssl dhparam -out dhparam.pem 4096 + ## + # ssl_dhparam /etc/ssl/certs/dhparam.pem; + ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log;
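Review bot: in the second gitlab.yml.example hunk (`port: 80` / `https: false`) the same sentence is repeated in full as a trailing comment on two consecutive lines, pushing both far past a readable width; one comment above the pair, e.g. `# Set port to 443 and https to true when using HTTPS; see installation.md#using-https`, says the same thing once. While in this block, the unchanged context line still reads `Uncommment` (three m's).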
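Review bot: the replacement comment in the installation.md hunk at `@@ -153` (`# Update GitLab config file, follow the directions at top of file`) is a comma splice and drops the definite articles; `# Update the GitLab config file by following the directions at the top of that file` reads better, and since this line now carries all of the removed guidance (FQDN, https, bin_path), it is worth keeping it precise.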
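Review bot: in the Using HTTPS hunk of installation.md the self-signed steps run `mkdir -p /etc/nginx/ssl/` and `cd /etc/nginx/ssl/` without `sudo` while the `openssl` and `chmod` lines use it, so the `mkdir` fails for any non-root admin; prefix it with `sudo`. `sudo chmod o-r gitlab.key` still leaves the unencrypted (`-nodes`) private key group-readable; `sudo chmod 600 gitlab.key` is the usual setting, and `-days 3560` (almost ten years) is a long lifetime for a key stored in the clear. The sub-steps also only say to set `self_signed_cert` to `true`, but the comment block this same patch removes from `lib/support/nginx/gitlab-ssl` additionally told the reader to set `ca_file` to `/etc/nginx/ssl/gitlab.crt`; carry that over so the freshly generated `gitlab.crt` is the file gitlab-shell is pointed at. Finally, the `1.` items under the "Using a self-signed certificate" paragraph are indented by three spaces, so they render as a continuation of the preceding list rather than a new one.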
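Review bot: in the Cleanup hunk of doc/update/4.2-to-5.0.md the comment `# remove GitLab user from system` above `sudo userdel -r gitlab` now reads as the product name, but the account being deleted is literally `gitlab` from the old layout, distinct from the `git` user the instance now runs under; keep the lowercase username in the comment so the two are not confused. The `.profile` note shows `PATH=\$PATH:/home/git/bin` with a backslash that is not in the file being edited; drop it. The block deletes `tmp` wholesale and recreates it empty, while `lib/support/nginx/gitlab-ssl` in this same patch serves the app from `/home/git/gitlab/tmp/sockets/gitlab.socket`; either state that the subdirectories are recreated on start or recreate `tmp/sockets` here. A bare `sudo reboot` inside a copy-paste block deserves a sentence above it saying the host will reboot at that point, and "Recommend you wait a bit and do a backup" would read better as "We recommend waiting a few days and taking a backup before running the following."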
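Review bot: the added HTTPS bullet in doc/update/6.0-to-7.2.md (and the HTTP bullet it sits next to) names the site files `/etc/nginx/sites-available/nginx` and `nginx-ssl`, whereas installation.md in this same patch edits `/etc/nginx/sites-available/gitlab` and tells the reader to swap in the `gitlab-ssl` config; pick one naming (`gitlab` / `gitlab-ssl` matches the shipped `lib/support/nginx/` files) so an upgrader does not edit a site file nginx never loads.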
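Review bot: the HTTPS bullet added to doc/update/6.9-to-7.0.md ends with `but with your setting` (missing the `s` that the HTTP bullet has), and both bullets use `/etc/nginx/sites-available/nginx` / `nginx-ssl` while installation.md in this patch uses `/etc/nginx/sites-available/gitlab` / `gitlab-ssl`; align the wording and the file names with the install guide.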
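Review bot: the two nginx bullets added to doc/update/7.1-to-7.2.md link to the `7-0-stable` branch, but this document upgrades to 7.2 and the sibling 6.0-to-7.2.md in the same patch links to `7-2-stable`; use `7-2-stable` here so readers fetch the nginx config that belongs to the version they are installing. Also `setting` should be `settings` on the HTTPS bullet.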
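Review bot: the new doc/update/7.2-to-7.3.md copies the nginx bullets verbatim with `7-0-stable` links; under a 7.3 heading these will need to point at the 7.3 branch once it exists, so mark them as a TODO rather than shipping 7.0 links in a 7.3 guide. Same `setting` -> `settings` typo on the HTTPS bullet, and the file lacks a trailing newline (`\ No newline at end of file`).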
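Review bot: removing the "SSL file editing" block from lib/support/nginx/gitlab-ssl also drops the gravatar step (`ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm` in `gitlab.yml`), which is not carried into the new Using HTTPS section of installation.md; if it is still needed for an HTTPS deployment, list it under the `gitlab.yml` steps there, otherwise say why it was dropped. The hunk also leaves two consecutive bare `##` lines after the `## [2] ...` reference; one is enough.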
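Review bot: the OCSP stapling block added to lib/support/nginx/gitlab-ssl hardcodes `resolver 208.67.222.222 208.67.222.220`, a third-party public DNS service; an admin who uncomments the block as-is sends nginx's OCSP responder lookups to an external resolver, so use the host's own resolver as the example value and keep the "change to your DNS resolver" remark. `ssl_stapling_verify on;` only works when `ssl_trusted_certificate` holds the issuer chain for the stapled response, which the comment `Replace with your ssl_trusted_certificate` should spell out. Typo `certficate` -> `certificate`, and the medium.com and ruby-forum.com links are weak references to ship in a default config; the digitalocean tutorial alone would do.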