Commit 2751638f2408dc485c392a42c394a29e06ad3433
Exists in
spb-stable
and in
2 other branches
Merge branch 'gitlab-ssl-nginx' into 'master'
Move nginx ssl config from gitlab recipes I removed references to puma and did a minor cleanup :) Also updated the README in gitlab-recipes to point here. Once this gets merged I'll remove it from there.
Showing
3 changed files
with
168 additions
and
1 deletions
Show diff stats
CHANGELOG
| ... | ... | @@ -19,6 +19,7 @@ v 7.0.0 |
| 19 | 19 | - Update to rails 4.1 |
| 20 | 20 | - Improve performance of application for projects and groups with a lot of members |
| 21 | 21 | - Formally support Ruby 2.1 |
| 22 | + - Include Nginx gitlab-ssl config | |
| 22 | 23 | |
| 23 | 24 | v 6.9.2 |
| 24 | 25 | - Revert the commit that broke the LDAP user filter | ... | ... |
doc/install/installation.md
| ... | ... | @@ -294,7 +294,7 @@ Check if GitLab and its environment are configured correctly: |
| 294 | 294 | |
| 295 | 295 | ### Site Configuration |
| 296 | 296 | |
| 297 | -Download an example site config: | |
| 297 | +Copy the example site config: | |
| 298 | 298 | |
| 299 | 299 | sudo cp lib/support/nginx/gitlab /etc/nginx/sites-available/gitlab |
| 300 | 300 | sudo ln -s /etc/nginx/sites-available/gitlab /etc/nginx/sites-enabled/gitlab |
| ... | ... | @@ -305,6 +305,8 @@ Make sure to edit the config file to match your setup: |
| 305 | 305 | # domain name of your host serving GitLab. |
| 306 | 306 | sudo editor /etc/nginx/sites-available/gitlab |
| 307 | 307 | |
| 308 | +**Note:** If you want to use https, replace the `gitlab` nginx config with `gitlab-ssl`. | |
| 309 | + | |
| 308 | 310 | ### Restart |
| 309 | 311 | |
| 310 | 312 | sudo service nginx restart | ... | ... |
| ... | ... | @@ -0,0 +1,164 @@ |
| 1 | +## GitLab | |
| 2 | +## Contributors: randx, yin8086, sashkab, orkoden, axilleas | |
| 3 | +## | |
| 4 | +## Modified from nginx http version | |
| 5 | +## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ | |
| 6 | +## | |
| 7 | +## Lines starting with two hashes (##) are comments containing information | |
| 8 | +## for configuration. One hash (#) comments are actual configuration parameters | |
| 9 | +## which you can comment/uncomment to your liking. | |
| 10 | +## | |
| 11 | +################################### | |
| 12 | +## SSL configuration ## | |
| 13 | +################################### | |
| 14 | +## | |
| 15 | +## Optimal configuration is taken from: | |
| 16 | +## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| 17 | +## Make sure to read it and understand what each option does. | |
| 18 | +## | |
| 19 | +## [Optional] Generate a self-signed ssl certificate: | |
| 20 | +## mkdir /etc/nginx/ssl/ | |
| 21 | +## cd /etc/nginx/ssl/ | |
| 22 | +## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key | |
| 23 | +## sudo chmod o-r gitlab.key | |
| 24 | +## | |
| 25 | +## Edit `gitlab-shell/config.yml`: | |
| 26 | +## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` | |
| 27 | +## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` | |
| 28 | +## 3) Set "self_signed_cert" to `true` | |
| 29 | +## Edit `gitlab/config/gitlab.yml`: | |
| 30 | +## 1) Define port for http "port: 443" | |
| 31 | +## 2) Enable https "https: true" | |
| 32 | +## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" | |
| 33 | +## | |
| 34 | +################################## | |
| 35 | +## CHUNKED TRANSFER ## | |
| 36 | +################################## | |
| 37 | +## | |
| 38 | +## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] | |
| 39 | +## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object | |
| 40 | +## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get | |
| 41 | +## around this by tweaking this configuration file and either: | |
| 42 | +## - installing an old version of Nginx with the chunkin module [2] compiled in, or | |
| 43 | +## - using a newer version of Nginx. | |
| 44 | +## | |
| 45 | +## At the time of writing we do not know if either of these theoretical solutions works. As a workaround | |
| 46 | +## users can use Git over SSH to push large files. | |
| 47 | +## | |
| 48 | +## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 | |
| 49 | +## [1] https://github.com/agentzh/chunkin-nginx-module#status | |
| 50 | +## [2] https://github.com/agentzh/chunkin-nginx-module | |
| 51 | + | |
| 52 | + | |
| 53 | +upstream gitlab { | |
| 54 | + | |
| 55 | + ## Uncomment if you have set up unicorn to listen on a unix socket (recommended). | |
| 56 | + server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; | |
| 57 | + | |
| 58 | + ## Uncomment if unicorn is configured to listen on a tcp port. | |
| 59 | + ## Check the port number in /home/git/gitlab/config/unicorn.rb | |
| 60 | + # server 127.0.0.1:8080; | |
| 61 | +} | |
| 62 | + | |
| 63 | +## This is a normal HTTP host which redirects all traffic to the HTTPS host. | |
| 64 | +server { | |
| 65 | + listen *:80; | |
| 66 | + ## Replace git.example.com with your FQDN. | |
| 67 | + server_name git.example.com; | |
| 68 | + server_tokens off; | |
| 69 | + ## root doesn't have to be a valid path since we are redirecting | |
| 70 | + root /nowhere; | |
| 71 | + rewrite ^ https://$server_name$request_uri permanent; | |
| 72 | +} | |
| 73 | + | |
| 74 | +server { | |
| 75 | + listen 443 ssl; | |
| 76 | + ## Replace git.example.com with your FQDN. | |
| 77 | + server_name git.example.com; | |
| 78 | + server_tokens off; | |
| 79 | + root /home/git/gitlab/public; | |
| 80 | + | |
| 81 | + ## Increase this if you want to upload large attachments | |
| 82 | + ## Or if you want to accept large git objects over http | |
| 83 | + client_max_body_size 20m; | |
| 84 | + | |
| 85 | + ## Strong SSL Security | |
| 86 | + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| 87 | + ssl on; | |
| 88 | + ssl_certificate /etc/nginx/ssl/gitlab.crt; | |
| 89 | + ssl_certificate_key /etc/nginx/ssl/gitlab.key; | |
| 90 | + | |
| 91 | + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; | |
| 92 | + | |
| 93 | + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 94 | + ssl_session_cache builtin:1000 shared:SSL:10m; | |
| 95 | + | |
| 96 | + ## Enable OCSP stapling to reduce the overhead and latency of running SSL. | |
| 97 | + ## Replace with your ssl_trusted_certificate. For more info see: | |
| 98 | + ## - https://medium.com/devops-programming/4445f4862461 | |
| 99 | + ## - https://www.ruby-forum.com/topic/4419319 | |
| 100 | + ssl_stapling on; | |
| 101 | + ssl_stapling_verify on; | |
| 102 | + ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; | |
| 103 | + resolver 208.67.222.222 208.67.222.220 valid=300s; | |
| 104 | + resolver_timeout 10s; | |
| 105 | + | |
| 106 | + ssl_prefer_server_ciphers on; | |
| 107 | + ## [Optional] Generate a stronger DHE parameter (recommended): | |
| 108 | + ## cd /etc/ssl/certs | |
| 109 | + ## openssl dhparam -out dhparam.pem 2048 | |
| 110 | + ## | |
| 111 | + # ssl_dhparam /etc/ssl/certs/dhparam.pem; | |
| 112 | + | |
| 113 | + add_header Strict-Transport-Security max-age=63072000; | |
| 114 | + add_header X-Frame-Options DENY; | |
| 115 | + add_header X-Content-Type-Options nosniff; | |
| 116 | + | |
| 117 | + ## Individual nginx logs for this GitLab vhost | |
| 118 | + access_log /var/log/nginx/gitlab_access.log; | |
| 119 | + error_log /var/log/nginx/gitlab_error.log; | |
| 120 | + | |
| 121 | + location / { | |
| 122 | + ## Serve static files from defined root folder. | |
| 123 | + ## @gitlab is a named location for the upstream fallback, see below. | |
| 124 | + try_files $uri $uri/index.html $uri.html @gitlab; | |
| 125 | + } | |
| 126 | + | |
| 127 | + ## If a file, which is not found in the root folder is requested, | |
| 128 | + ## then the proxy pass the request to the upsteam (gitlab unicorn). | |
| 129 | + location @gitlab { | |
| 130 | + | |
| 131 | + ## If you use https make sure you disable gzip compression | |
| 132 | + ## to be safe against BREACH attack. | |
| 133 | + gzip off; | |
| 134 | + | |
| 135 | + ## https://github.com/gitlabhq/gitlabhq/issues/694 | |
| 136 | + ## Some requests take more than 30 seconds. | |
| 137 | + proxy_read_timeout 300; | |
| 138 | + proxy_connect_timeout 300; | |
| 139 | + proxy_redirect off; | |
| 140 | + | |
| 141 | + proxy_set_header Host $http_host; | |
| 142 | + proxy_set_header X-Real-IP $remote_addr; | |
| 143 | + proxy_set_header X-Forwarded-Ssl on; | |
| 144 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 145 | + proxy_set_header X-Forwarded-Proto $scheme; | |
| 146 | + proxy_set_header X-Frame-Options SAMEORIGIN; | |
| 147 | + | |
| 148 | + proxy_pass http://gitlab; | |
| 149 | + } | |
| 150 | + | |
| 151 | + ## Enable gzip compression as per rails guide: | |
| 152 | + ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression | |
| 153 | + ## WARNING: If you are using relative urls do remove the block below | |
| 154 | + ## See config/application.rb under "Relative url support" for the list of | |
| 155 | + ## other files that need to be changed for relative url support | |
| 156 | + location ~ ^/(assets)/ { | |
| 157 | + root /home/git/gitlab/public; | |
| 158 | + gzip_static on; # to serve pre-gzipped version | |
| 159 | + expires max; | |
| 160 | + add_header Cache-Control public; | |
| 161 | + } | |
| 162 | + | |
| 163 | + error_page 502 /502.html; | |
| 164 | +} | ... | ... |