## GitLab
## Contributors: randx, yin8086, sashkab, orkoden, axilleas
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
##
## Lines starting with two hashes (##) are comments containing information
## for configuration. One hash (#) comments are actual configuration parameters
## which you can comment/uncomment to your liking.
##
###################################
##        SSL configuration      ##
###################################
##
## Optimal configuration is taken from:
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
## Make sure to read it and understand what each option does.
##
## [Optional] Generate a self-signed ssl certificate:
##    mkdir /etc/nginx/ssl/
##    cd /etc/nginx/ssl/
##    sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
##    sudo chmod o-r gitlab.key
##
## Edit `gitlab-shell/config.yml`:
##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
##  2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
##  3) Set "self_signed_cert" to `true`
## Edit `gitlab/config/gitlab.yml`:
##  1) Define port for http "port: 443"
##  2) Enable https "https: true"
##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
## users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module


upstream gitlab {

  ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;

  ## Uncomment if unicorn is configured to listen on a tcp port.
  ## Check the port number in /home/git/gitlab/config/unicorn.rb
  # server 127.0.0.1:8080;
}

## This is a normal HTTP host which redirects all traffic to the HTTPS host.
server {
  listen *:80;
  ## Replace git.example.com with your FQDN.
  server_name git.example.com;
  server_tokens off;
  ## root doesn't have to be a valid path since we are redirecting
  root /nowhere;
  rewrite ^ https://$server_name$request_uri permanent;
}

server {
  listen 443 ssl;
  ## Replace git.example.com with your FQDN.
  server_name git.example.com;
  server_tokens off;
  root /home/git/gitlab/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 20m;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl on;
  ssl_certificate /etc/nginx/ssl/gitlab.crt;
  ssl_certificate_key /etc/nginx/ssl/gitlab.key;

  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  resolver 208.67.222.222 208.67.222.220 valid=300s;
  resolver_timeout 10s;

  ssl_prefer_server_ciphers   on;
  ## [Optional] Generate a stronger DHE parameter (recommended):
  ##   cd /etc/ssl/certs
  ##   openssl dhparam -out dhparam.pem 2048
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  ## If a file, which is not found in the root folder is requested,
  ## then the proxy pass the request to the upsteam (gitlab unicorn).
  location @gitlab {

    ## If you use https make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
  }

  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls do remove the block below
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
    root /home/git/gitlab/public;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }

  error_page 502 /502.html;
}