Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce

Dmitriy Zaporozhets
2 parents f38f0e9d 2751638f
Showing 3 changed files with 168 additions and 1 deletions Show diff stats
CHANGELOG
doc/install/installation.md
lib/support/nginx/gitlab-ssl
@@ -19,6 +19,7 @@ v 7.0.0
   - Update to rails 4.1
   - Improve performance of application for projects and groups with a lot of members
   - Formally support Ruby 2.1
+  - Include Nginx gitlab-ssl config
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
@@ -294,7 +294,7 @@ Check if GitLab and its environment are configured correctly:
 ### Site Configuration
-Download an example site config:
+Copy the example site config:
     sudo cp lib/support/nginx/gitlab /etc/nginx/sites-available/gitlab
     sudo ln -s /etc/nginx/sites-available/gitlab /etc/nginx/sites-enabled/gitlab
@@ -305,6 +305,8 @@ Make sure to edit the config file to match your setup:
     # domain name of your host serving GitLab.
     sudo editor /etc/nginx/sites-available/gitlab
+**Note:** If you want to use https, replace the `gitlab` nginx config with `gitlab-ssl`.
+
 ### Restart
     sudo service nginx restart
@@ -0,0 +1,164 @@
+## GitLab
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas
+##
+## Modified from nginx http version
+## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+##
+## Lines starting with two hashes (##) are comments containing information
+## for configuration. One hash (#) comments are actual configuration parameters
+## which you can comment/uncomment to your liking.
+##
+###################################
+##        SSL configuration      ##
+###################################
+##
+## Optimal configuration is taken from:
+## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+## Make sure to read it and understand what each option does.
+##
+## [Optional] Generate a self-signed ssl certificate:
+##    mkdir /etc/nginx/ssl/
+##    cd /etc/nginx/ssl/
+##    sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
+##    sudo chmod o-r gitlab.key
+##
+## Edit `gitlab-shell/config.yml`:
+##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
+##  2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
+##  3) Set "self_signed_cert" to `true`
+## Edit `gitlab/config/gitlab.yml`:
+##  1) Define port for http "port: 443"
+##  2) Enable https "https: true"
+##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+##
+##################################
+##        CHUNKED TRANSFER      ##
+##################################
+##
+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
+## around this by tweaking this configuration file and either:
+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
+## - using a newer version of Nginx.
+##
+## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+## users can use Git over SSH to push large files.
+##
+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+## [1] https://github.com/agentzh/chunkin-nginx-module#status
+## [2] https://github.com/agentzh/chunkin-nginx-module
+
+
+upstream gitlab {
+
+  ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
+  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+
+  ## Uncomment if unicorn is configured to listen on a tcp port.
+  ## Check the port number in /home/git/gitlab/config/unicorn.rb
+  # server 127.0.0.1:8080;
+}
+
+## This is a normal HTTP host which redirects all traffic to the HTTPS host.
+server {
+  listen *:80;
+  ## Replace git.example.com with your FQDN.
+  server_name git.example.com;
+  server_tokens off;
+  ## root doesn't have to be a valid path since we are redirecting
+  root /nowhere;
+  rewrite ^ https://$server_name$request_uri permanent;
+}
+
+server {
+  listen 443 ssl;
+  ## Replace git.example.com with your FQDN.
+  server_name git.example.com;
+  server_tokens off;
+  root /home/git/gitlab/public;
+
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
+  client_max_body_size 20m;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/gitlab.crt;
+  ssl_certificate_key /etc/nginx/ssl/gitlab.key;
+
+  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+
+  ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ## Replace with your ssl_trusted_certificate. For more info see:
+  ## - https://medium.com/devops-programming/4445f4862461
+  ## - https://www.ruby-forum.com/topic/4419319
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+  resolver 208.67.222.222 208.67.222.220 valid=300s;
+  resolver_timeout 10s;
+
+  ssl_prefer_server_ciphers   on;
+  ## [Optional] Generate a stronger DHE parameter (recommended):
+  ##   cd /etc/ssl/certs
+  ##   openssl dhparam -out dhparam.pem 2048
+  ##
+  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+  add_header Strict-Transport-Security max-age=63072000;
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  /var/log/nginx/gitlab_access.log;
+  error_log   /var/log/nginx/gitlab_error.log;
+
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  ## If a file, which is not found in the root folder is requested,
+  ## then the proxy pass the request to the upsteam (gitlab unicorn).
+  location @gitlab {
+
+    ## If you use https make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
+    proxy_pass http://gitlab;
+  }
+
+  ## Enable gzip compression as per rails guide:
+  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+  ## WARNING: If you are using relative urls do remove the block below
+  ## See config/application.rb under "Relative url support" for the list of
+  ## other files that need to be changed for relative url support
+  location ~ ^/(assets)/ {
+    root /home/git/gitlab/public;
+    gzip_static on; # to serve pre-gzipped version
+    expires max;
+    add_header Cache-Control public;
+  }
+
+  error_page 502 /502.html;
+}
	@@ -19,6 +19,7 @@ v 7.0.0		@@ -19,6 +19,7 @@ v 7.0.0
19	- Update to rails 4.1	19	- Update to rails 4.1
20	- Improve performance of application for projects and groups with a lot of members	20	- Improve performance of application for projects and groups with a lot of members
21	- Formally support Ruby 2.1	21	- Formally support Ruby 2.1
		22	+ - Include Nginx gitlab-ssl config
22		23
23	v 6.9.2	24	v 6.9.2
24	- Revert the commit that broke the LDAP user filter	25	- Revert the commit that broke the LDAP user filter
@@ -0,0 +1,164 @@		@@ -0,0 +1,164 @@
	1	+## GitLab
	2	+## Contributors: randx, yin8086, sashkab, orkoden, axilleas
	3	+##
	4	+## Modified from nginx http version
	5	+## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
	6	+##
	7	+## Lines starting with two hashes (##) are comments containing information
	8	+## for configuration. One hash (#) comments are actual configuration parameters
	9	+## which you can comment/uncomment to your liking.
	10	+##
	11	+###################################
	12	+## SSL configuration ##
	13	+###################################
	14	+##
	15	+## Optimal configuration is taken from:
	16	+## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	17	+## Make sure to read it and understand what each option does.
	18	+##
	19	+## [Optional] Generate a self-signed ssl certificate:
	20	+## mkdir /etc/nginx/ssl/
	21	+## cd /etc/nginx/ssl/
	22	+## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
	23	+## sudo chmod o-r gitlab.key
	24	+##
	25	+## Edit `gitlab-shell/config.yml`:
	26	+## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
	27	+## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
	28	+## 3) Set "self_signed_cert" to `true`
	29	+## Edit `gitlab/config/gitlab.yml`:
	30	+## 1) Define port for http "port: 443"
	31	+## 2) Enable https "https: true"
	32	+## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
	33	+##
	34	+##################################
	35	+## CHUNKED TRANSFER ##
	36	+##################################
	37	+##
	38	+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
	39	+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
	40	+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
	41	+## around this by tweaking this configuration file and either:
	42	+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
	43	+## - using a newer version of Nginx.
	44	+##
	45	+## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
	46	+## users can use Git over SSH to push large files.
	47	+##
	48	+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
	49	+## [1] https://github.com/agentzh/chunkin-nginx-module#status
	50	+## [2] https://github.com/agentzh/chunkin-nginx-module
	51	+
	52	+
	53	+upstream gitlab {
	54	+
	55	+ ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
	56	+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
	57	+
	58	+ ## Uncomment if unicorn is configured to listen on a tcp port.
	59	+ ## Check the port number in /home/git/gitlab/config/unicorn.rb
	60	+ # server 127.0.0.1:8080;
	61	+}
	62	+
	63	+## This is a normal HTTP host which redirects all traffic to the HTTPS host.
	64	+server {
	65	+ listen *:80;
	66	+ ## Replace git.example.com with your FQDN.
	67	+ server_name git.example.com;
	68	+ server_tokens off;
	69	+ ## root doesn't have to be a valid path since we are redirecting
	70	+ root /nowhere;
	71	+ rewrite ^ https://$server_name$request_uri permanent;
	72	+}
	73	+
	74	+server {
	75	+ listen 443 ssl;
	76	+ ## Replace git.example.com with your FQDN.
	77	+ server_name git.example.com;
	78	+ server_tokens off;
	79	+ root /home/git/gitlab/public;
	80	+
	81	+ ## Increase this if you want to upload large attachments
	82	+ ## Or if you want to accept large git objects over http
	83	+ client_max_body_size 20m;
	84	+
	85	+ ## Strong SSL Security
	86	+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	87	+ ssl on;
	88	+ ssl_certificate /etc/nginx/ssl/gitlab.crt;
	89	+ ssl_certificate_key /etc/nginx/ssl/gitlab.key;
	90	+
	91	+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
	92	+
	93	+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	94	+ ssl_session_cache builtin:1000 shared:SSL:10m;
	95	+
	96	+ ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
	97	+ ## Replace with your ssl_trusted_certificate. For more info see:
	98	+ ## - https://medium.com/devops-programming/4445f4862461
	99	+ ## - https://www.ruby-forum.com/topic/4419319
	100	+ ssl_stapling on;
	101	+ ssl_stapling_verify on;
	102	+ ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
	103	+ resolver 208.67.222.222 208.67.222.220 valid=300s;
	104	+ resolver_timeout 10s;
	105	+
	106	+ ssl_prefer_server_ciphers on;
	107	+ ## [Optional] Generate a stronger DHE parameter (recommended):
	108	+ ## cd /etc/ssl/certs
	109	+ ## openssl dhparam -out dhparam.pem 2048
	110	+ ##
	111	+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
	112	+
	113	+ add_header Strict-Transport-Security max-age=63072000;
	114	+ add_header X-Frame-Options DENY;
	115	+ add_header X-Content-Type-Options nosniff;
	116	+
	117	+ ## Individual nginx logs for this GitLab vhost
	118	+ access_log /var/log/nginx/gitlab_access.log;
	119	+ error_log /var/log/nginx/gitlab_error.log;
	120	+
	121	+ location / {
	122	+ ## Serve static files from defined root folder.
	123	+ ## @gitlab is a named location for the upstream fallback, see below.
	124	+ try_files $uri $uri/index.html $uri.html @gitlab;
	125	+ }
	126	+
	127	+ ## If a file, which is not found in the root folder is requested,
	128	+ ## then the proxy pass the request to the upsteam (gitlab unicorn).
	129	+ location @gitlab {
	130	+
	131	+ ## If you use https make sure you disable gzip compression
	132	+ ## to be safe against BREACH attack.
	133	+ gzip off;
	134	+
	135	+ ## https://github.com/gitlabhq/gitlabhq/issues/694
	136	+ ## Some requests take more than 30 seconds.
	137	+ proxy_read_timeout 300;
	138	+ proxy_connect_timeout 300;
	139	+ proxy_redirect off;
	140	+
	141	+ proxy_set_header Host $http_host;
	142	+ proxy_set_header X-Real-IP $remote_addr;
	143	+ proxy_set_header X-Forwarded-Ssl on;
	144	+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	145	+ proxy_set_header X-Forwarded-Proto $scheme;
	146	+ proxy_set_header X-Frame-Options SAMEORIGIN;
	147	+
	148	+ proxy_pass http://gitlab;
	149	+ }
	150	+
	151	+ ## Enable gzip compression as per rails guide:
	152	+ ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
	153	+ ## WARNING: If you are using relative urls do remove the block below
	154	+ ## See config/application.rb under "Relative url support" for the list of
	155	+ ## other files that need to be changed for relative url support
	156	+ location ~ ^/(assets)/ {
	157	+ root /home/git/gitlab/public;
	158	+ gzip_static on; # to serve pre-gzipped version
	159	+ expires max;
	160	+ add_header Cache-Control public;
	161	+ }
	162	+
	163	+ error_page 502 /502.html;
	164	+}