Move gitlab-ssl nginx config from gitlab-recipes
This commit is contained in:
parent
7e41eca38a
commit
7be6b8ca73
|
@ -19,6 +19,7 @@ v 7.0.0
|
||||||
- Update to rails 4.1
|
- Update to rails 4.1
|
||||||
- Improve performance of application for projects and groups with a lot of members
|
- Improve performance of application for projects and groups with a lot of members
|
||||||
- Formally support Ruby 2.1
|
- Formally support Ruby 2.1
|
||||||
|
- Include Nginx gitlab-ssl config
|
||||||
|
|
||||||
v 6.9.2
|
v 6.9.2
|
||||||
- Revert the commit that broke the LDAP user filter
|
- Revert the commit that broke the LDAP user filter
|
||||||
|
|
|
@ -294,7 +294,7 @@ Check if GitLab and its environment are configured correctly:
|
||||||
|
|
||||||
### Site Configuration
|
### Site Configuration
|
||||||
|
|
||||||
Download an example site config:
|
Copy the example site config:
|
||||||
|
|
||||||
sudo cp lib/support/nginx/gitlab /etc/nginx/sites-available/gitlab
|
sudo cp lib/support/nginx/gitlab /etc/nginx/sites-available/gitlab
|
||||||
sudo ln -s /etc/nginx/sites-available/gitlab /etc/nginx/sites-enabled/gitlab
|
sudo ln -s /etc/nginx/sites-available/gitlab /etc/nginx/sites-enabled/gitlab
|
||||||
|
@ -305,6 +305,8 @@ Make sure to edit the config file to match your setup:
|
||||||
# domain name of your host serving GitLab.
|
# domain name of your host serving GitLab.
|
||||||
sudo editor /etc/nginx/sites-available/gitlab
|
sudo editor /etc/nginx/sites-available/gitlab
|
||||||
|
|
||||||
|
**Note:** If you want to use https, replace the `gitlab` nginx config with `gitlab-ssl`.
|
||||||
|
|
||||||
### Restart
|
### Restart
|
||||||
|
|
||||||
sudo service nginx restart
|
sudo service nginx restart
|
||||||
|
|
|
@ -0,0 +1,164 @@
|
||||||
|
## GitLab
|
||||||
|
## Contributors: randx, yin8086, sashkab, orkoden, axilleas
|
||||||
|
##
|
||||||
|
## Modified from nginx http version
|
||||||
|
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
|
||||||
|
##
|
||||||
|
## Lines starting with two hashes (##) are comments containing information
|
||||||
|
## for configuration. One hash (#) comments are actual configuration parameters
|
||||||
|
## which you can comment/uncomment to your liking.
|
||||||
|
##
|
||||||
|
###################################
|
||||||
|
## SSL configuration ##
|
||||||
|
###################################
|
||||||
|
##
|
||||||
|
## Optimal configuration is taken from:
|
||||||
|
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||||
|
## Make sure to read it and understand what each option does.
|
||||||
|
##
|
||||||
|
## [Optional] Generate a self-signed ssl certificate:
|
||||||
|
## mkdir /etc/nginx/ssl/
|
||||||
|
## cd /etc/nginx/ssl/
|
||||||
|
## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
|
||||||
|
## sudo chmod o-r gitlab.key
|
||||||
|
##
|
||||||
|
## Edit `gitlab-shell/config.yml`:
|
||||||
|
## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
|
||||||
|
## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
|
||||||
|
## 3) Set "self_signed_cert" to `true`
|
||||||
|
## Edit `gitlab/config/gitlab.yml`:
|
||||||
|
## 1) Define port for http "port: 443"
|
||||||
|
## 2) Enable https "https: true"
|
||||||
|
## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
|
||||||
|
##
|
||||||
|
##################################
|
||||||
|
## CHUNKED TRANSFER ##
|
||||||
|
##################################
|
||||||
|
##
|
||||||
|
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
|
||||||
|
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
|
||||||
|
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
|
||||||
|
## around this by tweaking this configuration file and either:
|
||||||
|
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
|
||||||
|
## - using a newer version of Nginx.
|
||||||
|
##
|
||||||
|
## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
|
||||||
|
## users can use Git over SSH to push large files.
|
||||||
|
##
|
||||||
|
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
|
||||||
|
## [1] https://github.com/agentzh/chunkin-nginx-module#status
|
||||||
|
## [2] https://github.com/agentzh/chunkin-nginx-module
|
||||||
|
|
||||||
|
|
||||||
|
upstream gitlab {
|
||||||
|
|
||||||
|
## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
|
||||||
|
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
|
||||||
|
|
||||||
|
## Uncomment if unicorn is configured to listen on a tcp port.
|
||||||
|
## Check the port number in /home/git/gitlab/config/unicorn.rb
|
||||||
|
# server 127.0.0.1:8080;
|
||||||
|
}
|
||||||
|
|
||||||
|
## This is a normal HTTP host which redirects all traffic to the HTTPS host.
|
||||||
|
server {
|
||||||
|
listen *:80;
|
||||||
|
## Replace git.example.com with your FQDN.
|
||||||
|
server_name git.example.com;
|
||||||
|
server_tokens off;
|
||||||
|
## root doesn't have to be a valid path since we are redirecting
|
||||||
|
root /nowhere;
|
||||||
|
rewrite ^ https://$server_name$request_uri permanent;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
## Replace git.example.com with your FQDN.
|
||||||
|
server_name git.example.com;
|
||||||
|
server_tokens off;
|
||||||
|
root /home/git/gitlab/public;
|
||||||
|
|
||||||
|
## Increase this if you want to upload large attachments
|
||||||
|
## Or if you want to accept large git objects over http
|
||||||
|
client_max_body_size 20m;
|
||||||
|
|
||||||
|
## Strong SSL Security
|
||||||
|
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate /etc/nginx/ssl/gitlab.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/gitlab.key;
|
||||||
|
|
||||||
|
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||||
|
|
||||||
|
## Enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||||
|
## Replace with your ssl_trusted_certificate. For more info see:
|
||||||
|
## - https://medium.com/devops-programming/4445f4862461
|
||||||
|
## - https://www.ruby-forum.com/topic/4419319
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
||||||
|
resolver 208.67.222.222 208.67.222.220 valid=300s;
|
||||||
|
resolver_timeout 10s;
|
||||||
|
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
## [Optional] Generate a stronger DHE parameter (recommended):
|
||||||
|
## cd /etc/ssl/certs
|
||||||
|
## openssl dhparam -out dhparam.pem 2048
|
||||||
|
##
|
||||||
|
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security max-age=63072000;
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
|
## Individual nginx logs for this GitLab vhost
|
||||||
|
access_log /var/log/nginx/gitlab_access.log;
|
||||||
|
error_log /var/log/nginx/gitlab_error.log;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
## Serve static files from defined root folder.
|
||||||
|
## @gitlab is a named location for the upstream fallback, see below.
|
||||||
|
try_files $uri $uri/index.html $uri.html @gitlab;
|
||||||
|
}
|
||||||
|
|
||||||
|
## If a file, which is not found in the root folder is requested,
|
||||||
|
## then the proxy pass the request to the upsteam (gitlab unicorn).
|
||||||
|
location @gitlab {
|
||||||
|
|
||||||
|
## If you use https make sure you disable gzip compression
|
||||||
|
## to be safe against BREACH attack.
|
||||||
|
gzip off;
|
||||||
|
|
||||||
|
## https://github.com/gitlabhq/gitlabhq/issues/694
|
||||||
|
## Some requests take more than 30 seconds.
|
||||||
|
proxy_read_timeout 300;
|
||||||
|
proxy_connect_timeout 300;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Ssl on;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
|
proxy_pass http://gitlab;
|
||||||
|
}
|
||||||
|
|
||||||
|
## Enable gzip compression as per rails guide:
|
||||||
|
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
|
||||||
|
## WARNING: If you are using relative urls do remove the block below
|
||||||
|
## See config/application.rb under "Relative url support" for the list of
|
||||||
|
## other files that need to be changed for relative url support
|
||||||
|
location ~ ^/(assets)/ {
|
||||||
|
root /home/git/gitlab/public;
|
||||||
|
gzip_static on; # to serve pre-gzipped version
|
||||||
|
expires max;
|
||||||
|
add_header Cache-Control public;
|
||||||
|
}
|
||||||
|
|
||||||
|
error_page 502 /502.html;
|
||||||
|
}
|
Loading…
Reference in New Issue