Replace grack with gitlab-git-http-server

2015-08-31 15:30:15 +02:00 · 2015-08-31 15:30:15 +02:00 · 4027a26e7b
commit 4027a26e7b
parent 1081a322f1
10 changed files with 294 additions and 90 deletions
--- a/5
+++ b/5
@ -40,11 +40,6 @@ gem "browser", '~> 1.0.0'
 # Provide access to Gitlab::Git library
 gem "gitlab_git", '~> 7.2.14'

-# Ruby/Rack Git Smart-HTTP Server Handler
-# GitLab fork with a lot of changes (improved thread-safety, better memory usage etc)
-# For full list of changes see https://github.com/SaitoWu/grack/compare/master...gitlabhq:master
-gem 'gitlab-grack', '~> 2.0.2', require: 'grack'
-
 # LDAP Auth
 # GitLab fork with several improvements to original library. For full list of changes
 # see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -263,8 +263,6 @@ GEM
      flowdock (~> 0.7)
      gitlab-grit (>= 2.4.1)
      multi_json
-    gitlab-grack (2.0.2)
-      rack (~> 1.5.1)
    gitlab-grit (2.7.2)
      charlock_holmes (~> 0.6)
      diff-lcs (~> 1.1)
@ -787,7 +785,6 @@ DEPENDENCIES
  gemnasium-gitlab-service (~> 0.2)
  github-markup
  gitlab-flowdock-git-hook (~> 1.0.1)
-  gitlab-grack (~> 2.0.2)
  gitlab-linguist (~> 3.0.1)
  gitlab_emoji (~> 0.1)
  gitlab_git (~> 7.2.14)
@ -881,6 +878,3 @@ DEPENDENCIES
  virtus
  webmock (~> 1.21.0)
  wikicloth (= 0.8.1)
-
-BUNDLED WITH
-   1.10.6
--- a/config/routes.rb
+++ b/config/routes.rb
@ -30,12 +30,7 @@ Gitlab::Application.routes.draw do
  end

  # Enable Grack support
-  mount Grack::Bundle.new({
-    git_path:     Gitlab.config.git.bin_path,
-    project_root: Gitlab.config.gitlab_shell.repos_path,
-    upload_pack:  Gitlab.config.gitlab_shell.upload_pack,
-    receive_pack: Gitlab.config.gitlab_shell.receive_pack
-  }), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]
+  mount Grack::Auth.new({}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]

  # Help
  get 'help'                  => 'help#index'
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@ -125,13 +125,25 @@ Install the Bundler Gem:

    sudo gem install bundler --no-ri --no-rdoc

-## 3. System Users
+## 3. Go
+
+Since GitLab 8.0, Git HTTP requests are handled by gitlab-git-http-server.
+This is a small daemon written in Go.
+To install gitlab-git-http-server we need a Go compiler.
+
+    curl -O --progress https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz
+    echo '5817fa4b2252afdb02e11e8b9dc1d9173ef3bd5a  go1.5.linux-amd64.tar.gz' | shasum -c - && \
+      sudo tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz
+    sudo ln -sf /usr/local/go/bin/{go,godoc,gofmt} /usr/local/bin/
+    rm go1.5.linux-amd64.tar.gz
+
+## 4. System Users

 Create a `git` user for GitLab:

    sudo adduser --disabled-login --gecos 'GitLab' git

-## 4. Database
+## 5. Database

 We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](database_mysql.md). *Note*: because we need to make use of extensions you need at least pgsql 9.1.

@ -157,7 +169,7 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da
    # Quit the database session
    gitlabhq_production> \q

-## 5. Redis
+## 6. Redis

    sudo apt-get install redis-server

@ -187,7 +199,7 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da
    # Add git to the redis group
    sudo usermod -aG redis git

-## 6. GitLab
+## 7. GitLab

    # We'll install GitLab into home directory of the user "git"
    cd /home/git
@ -297,6 +309,13 @@ GitLab Shell is an SSH access and repository management software developed speci

 **Note:** Make sure your hostname can be resolved on the machine itself by either a proper DNS record or an additional line in /etc/hosts ("127.0.0.1  hostname"). This might be necessary for example if you set up gitlab behind a reverse proxy. If the hostname cannot be resolved, the final installation check will fail with "Check GitLab API access: FAILED. code: 401" and pushing commits will be rejected with "[remote rejected] master -> master (hook declined)".

+### Install gitlab-git-http-server
+
+    cd /home/git
+    sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-git-http-server.git
+    cd gitlab-git-http-server
+    sudo -u git -H make
+
 ### Initialize Database and Activate Advanced Features

    sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production
@ -345,7 +364,7 @@ Check if GitLab and its environment are configured correctly:
    # or
    sudo /etc/init.d/gitlab restart

-## 7. Nginx
+## 8. Nginx

 **Note:** Nginx is the officially supported web server for GitLab. If you cannot or do not want to use Nginx as your web server, have a look at the [GitLab recipes](https://gitlab.com/gitlab-org/gitlab-recipes/).

--- a/doc/update/7.14-to-8.0.md
+++ b/doc/update/7.14-to-8.0.md
@ -0,0 +1,159 @@
+# From 7.14 to 8.0
+
+### 0. Double-check your Git version
+
+**This notice applies only to /usr/local/bin/git**
+
+If you compiled Git from source on your GitLab server then please double-check
+that you are using a version that protects against CVE-2014-9390. For six
+months after this vulnerability became known the GitLab installation guide
+still contained instructions that would install the outdated, 'vulnerable' Git
+version 2.1.2.
+
+Run the following command to get your current Git version.
+
+```
+/usr/local/bin/git --version
+```
+
+If you see 'No such file or directory' then you did not install Git according
+to the outdated instructions from the GitLab installation guide and you can go
+to the next step 'Stop server' below.
+
+If you see a version string then it should be v1.8.5.6, v1.9.5, v2.0.5, v2.1.4,
+v2.2.1 or newer. You can use the [instructions in the GitLab source
+installation
+guide](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md#1-packages-dependencies)
+to install a newer version of Git.
+
+### 1. Stop server
+
+    sudo service gitlab stop
+
+### 2. Backup
+
+```bash
+cd /home/git/gitlab
+sudo -u git -H bundle exec rake gitlab:backup:create RAILS_ENV=production
+```
+
+### 3. Get latest code
+
+```bash
+sudo -u git -H git fetch --all
+sudo -u git -H git checkout -- db/schema.rb # local changes will be restored automatically
+```
+
+For GitLab Community Edition:
+
+```bash
+sudo -u git -H git checkout 8-0-stable
+```
+
+OR
+
+For GitLab Enterprise Edition:
+
+```bash
+sudo -u git -H git checkout 8-0-stable-ee
+```
+
+### 4. Update gitlab-shell
+
+```bash
+cd /home/git/gitlab-shell
+sudo -u git -H git fetch
+sudo -u git -H git checkout v2.6.4
+```
+
+### 5. Install gitlab-git-http-server
+
+First we download Go 1.5 and install it into /usr/local/go.
+
+    curl -O --progress https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz
+    echo '5817fa4b2252afdb02e11e8b9dc1d9173ef3bd5a  go1.5.linux-amd64.tar.gz' | shasum -c - && \
+      sudo tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz
+    sudo ln -sf /usr/local/go/bin/{go,godoc,gofmt} /usr/local/bin/
+    rm go1.5.linux-amd64.tar.gz
+
+Now we download gitlab-git-http-server and install it in /home/git/gitlab-git-http-server.
+
+    cd /home/git
+    sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-git-http-server.git
+    cd gitlab-git-http-server
+    sudo -u git -H make
+
+If you put your Git repositories in a directory different from /home/git/repositories, you need to tell gitlab-git-http-server about it via /etc/gitlab/default.
+See lib/support/init.d/gitlab.default.example for the options.
+
+### 6. Install libs, migrations, etc.
+
+```bash
+cd /home/git/gitlab
+
+# MySQL installations (note: the line below states '--without ... postgres')
+sudo -u git -H bundle install --without development test postgres --deployment
+
+# PostgreSQL installations (note: the line below states '--without ... mysql')
+sudo -u git -H bundle install --without development test mysql --deployment
+
+# Run database migrations
+sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
+
+# Clean up assets and cache
+sudo -u git -H bundle exec rake assets:clean assets:precompile cache:clear RAILS_ENV=production
+
+# Update init.d script
+sudo cp lib/support/init.d/gitlab /etc/init.d/gitlab
+```
+
+### 7. Update config files
+
+#### New configuration options for `gitlab.yml`
+
+There are new configuration options available for [`gitlab.yml`](config/gitlab.yml.example). View them with the command below and apply them to your current `gitlab.yml`.
+
+```
+git diff origin/7-14-stable:config/gitlab.yml.example origin/8-0-stable:config/gitlab.yml.example
+``````
+
+#### New NGINX configuration
+
+Because of the new gitlab-git-http-server you need to update your NGINX configuration.
+If you skip this step 'git clone' and 'git push' over HTTP(S) will stop working.
+
+```
+# Remove '-ssl' twice in the diff command below if you use HTTP instead of HTTPS
+git diff origin/7-14-stable:lib/support/nginx/gitlab-ssl origin/8-0-stable:lib/support/nginx/gitlab-ssl
+```
+
+### 8. Start application
+
+    sudo service gitlab start
+    sudo service nginx restart
+
+### 9. Check application status
+
+Check if GitLab and its environment are configured correctly:
+
+    sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
+
+To make sure you didn't miss anything run a more thorough check with:
+
+    sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
+
+If all items are green, then congratulations, the upgrade is complete!
+
+## Things went south? Revert to previous version (7.14)
+
+### 1. Revert the code to the previous version
+Follow the [upgrade guide from 7.13 to 7.14](7.13-to-7.14.md), except for the database migration
+(The backup is already migrated to the previous version)
+
+### 2. Restore from the backup:
+
+```bash
+cd /home/git/gitlab
+sudo -u git -H bundle exec rake gitlab:backup:restore RAILS_ENV=production
+```
+If you have more than one backup *.tar file(s) please add `BACKUP=timestamp_of_backup` to the command above.
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@ -26,12 +26,8 @@ module Grack
      auth!

      if project && authorized_request?
-        if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
-          # Tell gitlab-git-http-server the request is OK, and what the GL_ID is
-          render_grack_auth_ok
-        else
-          @app.call(env)
-        end
+        # Tell gitlab-git-http-server the request is OK, and what the GL_ID is
+        render_grack_auth_ok
      elsif @user.nil? && !@gitlab_ci
        unauthorized
      else
@ -132,7 +128,9 @@ module Grack

      case git_cmd
      when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
-        if user
+        if !Gitlab.config.gitlab_shell.upload_pack
+          false
+        elsif user
          Gitlab::GitAccess.new(user, project).download_access_check.allowed?
        elsif project.public?
          # Allow clone/fetch for public projects
@ -141,7 +139,9 @@ module Grack
          false
        end
      when *Gitlab::GitAccess::PUSH_COMMANDS
-        if user
+        if !Gitlab.config.gitlab_shell.receive_pack
+          false
+        elsif user
          # Skip user authorization on upload request.
          # It will be done by the pre-receive hook in the repository.
          true
--- a/lib/support/init.d/gitlab
+++ b/lib/support/init.d/gitlab
@ -37,6 +37,10 @@ web_server_pid_path="$pid_path/unicorn.pid"
 sidekiq_pid_path="$pid_path/sidekiq.pid"
 mail_room_enabled=false
 mail_room_pid_path="$pid_path/mail_room.pid"
+gitlab_git_http_server_pid_path="$pid_path/gitlab-git-http-server.pid"
+gitlab_git_http_server_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-git-http-server.socket -authBackend http://127.0.0.1:8080"
+gitlab_git_http_server_repo_root='/home/git/repositories'
+gitlab_git_http_server_log="$app_root/log/gitlab-git-http-server.log"
 shell_path="/bin/bash"

 # Read configuration variable file if it is present
@ -72,6 +76,11 @@ check_pids(){
  else
    spid=0
  fi
+  if [ -f "$gitlab_git_http_server_pid_path" ]; then
+    hpid=$(cat "$gitlab_git_http_server_pid_path")
+  else
+    hpid=0
+  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ -f "$mail_room_pid_path" ]; then
      mpid=$(cat "$mail_room_pid_path")
@ -85,7 +94,7 @@ check_pids(){
 wait_for_pids(){
  # We are sleeping a bit here mostly because sidekiq is slow at writing it's pid
  i=0;
-  while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; }; do
+  while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || [ ! -f $gitlab_git_http_server_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; }; do
    sleep 0.1;
    i=$((i+1))
    if [ $((i%10)) = 0 ]; then
@ -120,6 +129,12 @@ check_status(){
  else
    sidekiq_status="-1"
  fi
+  if [ $hpid -ne 0 ]; then
+    kill -0 "$hpid" 2>/dev/null
+    gitlab_git_http_server_status="$?"
+  else
+    gitlab_git_http_server_status="-1"
+  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ $mpid -ne 0 ]; then
      kill -0 "$mpid" 2>/dev/null
@ -128,7 +143,7 @@ check_status(){
      mail_room_status="-1"
    fi
  fi
-  if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; }; then
+  if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && [ $gitlab_git_http_server_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; }; then
    gitlab_status=0
  else
    # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
@ -156,6 +171,13 @@ check_stale_pids(){
      exit 1
    fi
  fi
+  if [ "$hpid" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ]; then
+    echo "Removing stale gitlab-git-http-server pid. This is most likely caused by gitlab-git-http-server crashing the last time it ran."
+    if ! rm "$gitlab_git_http_server_pid_path"; then
+      echo "Unable to remove stale pid, exiting"
+      exit 1
+    fi
+  fi
  if [ "$mail_room_enabled" = true ] && [ "$mpid" != "0" ] && [ "$mail_room_status" != "0" ]; then
    echo "Removing stale MailRoom job dispatcher pid. This is most likely caused by MailRoom crashing the last time it ran."
    if ! rm "$mail_room_pid_path"; then
@ -168,7 +190,7 @@ check_stale_pids(){
 ## If no parts of the service is running, bail out.
 exit_if_not_running(){
  check_stale_pids
-  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
    echo "GitLab is not running."
    exit
  fi
@ -184,6 +206,9 @@ start_gitlab() {
  if [ "$sidekiq_status" != "0" ]; then
    echo "Starting GitLab Sidekiq"
  fi
+  if [ "$gitlab_git_http_server_status" != "0" ]; then
+    echo "Starting gitlab-git-http-server"
+  fi
  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" != "0" ]; then
    echo "Starting GitLab MailRoom"
  fi
@ -205,6 +230,17 @@ start_gitlab() {
    RAILS_ENV=$RAILS_ENV bin/background_jobs start &
  fi

+  if [ "$gitlab_git_http_server_status" = "0" ]; then
+    echo "The gitlab-git-http-server is already running with pid $spid, not restarting"
+  else
+    # No need to remove a socket, gitlab-git-http-server does this itself
+    $app_root/bin/daemon_with_pidfile $gitlab_git_http_server_pid_path  \
+      $app_root/../gitlab-git-http-server/gitlab-git-http-server \
+        $gitlab_git_http_server_options \
+        $gitlab_git_http_server_repo_root \
+      >> $gitlab_git_http_server_log 2>&1 &
+  fi
+
  if [ "$mail_room_enabled" = true ]; then
    # If MailRoom is already running, don't start it again.
    if [ "$mail_room_status" = "0" ]; then
@ -226,33 +262,27 @@ stop_gitlab() {

  if [ "$web_status" = "0" ]; then
    echo "Shutting down GitLab Unicorn"
+    RAILS_ENV=$RAILS_ENV bin/web stop
  fi
  if [ "$sidekiq_status" = "0" ]; then
    echo "Shutting down GitLab Sidekiq"
+    RAILS_ENV=$RAILS_ENV bin/background_jobs stop
+  fi
+  if [ "$gitlab_git_http_server_status" = "0" ]; then
+    echo "Shutting down gitlab-git-http-server"
+    kill $(cat $gitlab_git_http_server_pid_path)
  fi
  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then
    echo "Shutting down GitLab MailRoom"
-  fi
-
-  # If the Unicorn web server is running, tell it to stop;
-  if [ "$web_status" = "0" ]; then
-     RAILS_ENV=$RAILS_ENV bin/web stop
-  fi
-  # And do the same thing for the Sidekiq.
-  if [ "$sidekiq_status" = "0" ]; then
-    RAILS_ENV=$RAILS_ENV bin/background_jobs stop
-  fi
-  # And do the same thing for the MailRoom.
-  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then
    RAILS_ENV=$RAILS_ENV bin/mail_room stop
  fi

  # If something needs to be stopped, lets wait for it to stop. Never use SIGKILL in a script.
-  while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do
+  while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_git_http_server_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do
    sleep 1
    check_status
    printf "."
-    if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+    if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
      printf "\n"
      break
    fi
@ -262,6 +292,7 @@ stop_gitlab() {
  # Cleaning up unused pids
  rm "$web_server_pid_path" 2>/dev/null
  # rm "$sidekiq_pid_path" 2>/dev/null # Sidekiq seems to be cleaning up it's own pid.
+  rm -f "$gitlab_git_http_server_pid_path"
  if [ "$mail_room_enabled" = true ]; then
    rm "$mail_room_pid_path" 2>/dev/null
  fi
@ -272,7 +303,7 @@ stop_gitlab() {
 ## Prints the status of GitLab and it's components.
 print_status() {
  check_status
-  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
    echo "GitLab is not running."
    return
  fi
@ -286,6 +317,11 @@ print_status() {
  else
      printf "The GitLab Sidekiq job dispatcher is \033[31mnot running\033[0m.\n"
  fi
+  if [ "$gitlab_git_http_server_status" = "0" ]; then
+      echo "The gitlab-git-http-server with pid $hpid is running."
+  else
+      printf "The gitlab-git-http-server is \033[31mnot running\033[0m.\n"
+  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ "$mail_room_status" = "0" ]; then
        echo "The GitLab MailRoom email processor with pid $mpid is running."
@ -324,7 +360,7 @@ reload_gitlab(){
 ## Restarts Sidekiq and Unicorn.
 restart_gitlab(){
  check_status
-  if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then
+  if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_git_http_server" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then
    stop_gitlab
  fi
  start_gitlab
--- a/lib/support/init.d/gitlab.default.example
+++ b/lib/support/init.d/gitlab.default.example
@ -30,6 +30,16 @@ web_server_pid_path="$pid_path/unicorn.pid"
 # The default is "$pid_path/sidekiq.pid"
 sidekiq_pid_path="$pid_path/sidekiq.pid"

+gitlab_git_http_server_pid_path="$pid_path/gitlab-git-http-server.pid"
+# The -listenXxx settings determine where gitlab-git-http-server
+# listens for connections from NGINX. To listen on localhost:8181, write
+# '-listenNetwork tcp -listenAddr localhost:8181'.
+# The -authBackend setting tells gitlab-git-http-server where it can reach
+# Unicorn.
+gitlab_git_http_server_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-git-http-server.socket -authBackend http://127.0.0.1:8080"
+gitlab_git_http_server_repo_root="/home/git/repositories"
+gitlab_git_http_server_log="$app_root/log/gitlab-git-http-server.log"
+
 # mail_room_enabled specifies whether mail_room, which is used to process incoming email, is enabled.
 # This is required for the Reply by email feature.
 # The default is "false"
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@ -38,10 +38,9 @@ upstream gitlab {
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }

-## Experimental: gitlab-git-http-server
-# upstream gitlab-git-http-server {
-#   server localhost:8181;
-# }
+upstream gitlab-git-http-server {
+  server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0;
+}

 ## Normal HTTP host
 server {
@ -114,25 +113,24 @@ server {
    proxy_pass http://gitlab;
  }

-  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
-  # location ~ [-\/\w\.]+\.git\/ {
-  #   ## If you use HTTPS make sure you disable gzip compression
-  #   ## to be safe against BREACH attack.
-  #   # gzip off;
+  location ~ [-\/\w\.]+\.git\/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # gzip off;

-  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
-  #   ## Some requests take more than 30 seconds.
-  #   proxy_read_timeout      300;
-  #   proxy_connect_timeout   300;
-  #   proxy_redirect          off;
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;

-  #   proxy_set_header    Host                $http_host;
-  #   proxy_set_header    X-Real-IP           $remote_addr;
-  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  #   proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;

-  #   proxy_pass http://gitlab-git-http-server;
-  # }
+    proxy_pass http://gitlab-git-http-server;
+  }

  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@ -42,10 +42,9 @@ upstream gitlab {
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }

-## Experimental: gitlab-git-http-server
-# upstream gitlab-git-http-server {
-#   server localhost:8181;
-# }
+upstream gitlab-git-http-server {
+  server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0;
+}

 ## Redirects all HTTP traffic to the HTTPS host
 server {
@ -161,25 +160,24 @@ server {
    proxy_pass http://gitlab;
  }

-  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
-  # location ~ [-\/\w\.]+\.git\/ {
-  #   ## If you use HTTPS make sure you disable gzip compression
-  #   ## to be safe against BREACH attack.
-  #   gzip off;
+  location ~ [-\/\w\.]+\.git\/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;

-  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
-  #   ## Some requests take more than 30 seconds.
-  #   proxy_read_timeout      300;
-  #   proxy_connect_timeout   300;
-  #   proxy_redirect          off;
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;

-  #   proxy_set_header    Host                $http_host;
-  #   proxy_set_header    X-Real-IP           $remote_addr;
-  #   proxy_set_header    X-Forwarded-Ssl     on;
-  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  #   proxy_set_header    X-Forwarded-Proto   $scheme;
-  #   proxy_pass http://gitlab-git-http-server;
-  # }
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_pass http://gitlab-git-http-server;
+  }

  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression