Add GitLab nginx template

Jacob Vosmaer
1 parent df94b2c5
Showing 3 changed files with 76 additions and 135 deletions Show diff stats
files/gitlab-cookbooks/gitlab/recipes/nginx.rb
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -18,19 +18,11 @@
  
 nginx_dir = node['gitlab']['nginx']['dir']
 nginx_etc_dir = File.join(nginx_dir, "etc")
-nginx_cache_dir = File.join(nginx_dir, "cache")
-nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
-nginx_html_dir = File.join(nginx_dir, "html")
-nginx_ca_dir = File.join(nginx_dir, "ca")
 nginx_log_dir = node['gitlab']['nginx']['log_directory']
  
 [
   nginx_dir,
   nginx_etc_dir,
-  nginx_cache_dir,
-  nginx_cache_tmp_dir,
-  nginx_html_dir,
-  nginx_ca_dir,
   nginx_log_dir,
 ].each do |dir_name|
   directory dir_name do
@@ -40,95 +32,22 @@ nginx_log_dir = node[&#39;gitlab&#39;][&#39;nginx&#39;][&#39;log_directory&#39;]
   end
 end
  
-ssl_keyfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.key")
-ssl_crtfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.crt")
-ssl_signing_conf = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}-ssl.conf")
-
-unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
-  file ssl_keyfile do
-    owner "root"
-    group "root"
-    mode "0644"
-    content `/opt/gitlab/embedded/bin/openssl genrsa 2048`
-    not_if { File.exists?(ssl_keyfile) }
-  end
-
-  file ssl_signing_conf do
-    owner "root"
-    group "root"
-    mode "0644"
-    not_if { File.exists?(ssl_signing_conf) }
-    content <<-EOH
-  [ req ]
-  distinguished_name = req_distinguished_name
-  prompt = no
-
-  [ req_distinguished_name ]
-  C                      = #{node['gitlab']['nginx']['ssl_country_name']}
-  ST                     = #{node['gitlab']['nginx']['ssl_state_name']}
-  L                      = #{node['gitlab']['nginx']['ssl_locality_name']}
-  O                      = #{node['gitlab']['nginx']['ssl_company_name']}
-  OU                     = #{node['gitlab']['nginx']['ssl_organizational_unit_name']}
-  CN                     = #{node['gitlab']['nginx']['server_name']}
-  emailAddress           = #{node['gitlab']['nginx']['ssl_email_address']}
-  EOH
-  end
-
-  ruby_block "create crtfile" do
-    block do
-      r = Chef::Resource::File.new(ssl_crtfile, run_context)
-      r.owner "root"
-      r.group "root"
-      r.mode "0644"
-      r.content `/opt/gitlab/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
-      r.not_if { File.exists?(ssl_crtfile) }
-      r.run_action(:create)
-    end
-  end
-end
-
-node.default['gitlab']['nginx']['ssl_certificate'] ||= ssl_crtfile
-node.default['gitlab']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
-
-remote_directory nginx_html_dir do
-  source "html"
-  files_backup false
-  files_owner "root"
-  files_group "root"
-  files_mode "0644"
-  owner node['gitlab']['user']['username']
-  mode "0700"
-end
-
 nginx_config = File.join(nginx_etc_dir, "nginx.conf")
 nginx_vars = node['gitlab']['nginx'].to_hash.merge({
-  :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
-  :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+  :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
 })
  
-# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
-# config file will only be active if the user set `nginx['enable_non_ssl']` to
-# true. Default behavior is to redirect all HTTP requests to HTTPS.
-["https", "http"].each do |server_proto|
-  config_key = "chef_#{server_proto}_config".to_sym
-  lb_config = nginx_vars[config_key]
-
-  server_port = (server_proto == 'https') ?
-                 nginx_vars['ssl_port'] :
-                 nginx_vars['non_ssl_port']
-
-  template lb_config do
-    source "nginx_chef_api_lb.conf.erb"
-    owner "root"
-    group "root"
-    mode "0644"
-    variables(nginx_vars.merge({
-      :server_proto => server_proto,
-      :server_port => server_port
-    }))
-    notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
-  end
-
+template gitlab_http_config do
+  source "nginx-gitlab-http.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables(nginx_vars.merge(
+    {
+      :fqdn => node['gitlab']['gitlab-rails']['external_fqdn']
+    }
+  ))
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
 end
  
 template nginx_config do
@@ -148,8 +67,7 @@ runit_service &quot;nginx&quot; do
 end
  
 if node['gitlab']['bootstrap']['enable']
-	execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
-		retries 20
-	end
+  execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
+    retries 20
+  end
 end
-
@@ -0,0 +1,59 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+  listen *:80 default_server;         # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
+  server_name <%= @fqdn %>;     # e.g., server_name source.example.com;
+  server_tokens off;     # don't show the version number, a security best practice
+  root /opt/gitlab/embedded/service/gitlab-rails/public;
+  
+  # Increase this if you want to upload large attachments
+  # Or if you want to accept large git objects over http
+  client_max_body_size 5m;
+
+  # individual nginx logs for this gitlab vhost
+  access_log  <%= @log_directory %>/gitlab_access.log;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+
+  location / {
+    # serve static files from defined root folder;.
+    # @gitlab is a named location for the upstream fallback, see below
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  # if a file, which is not found in the root folder is requested,
+  # then the proxy pass the request to the upsteam (gitlab unicorn)
+  location @gitlab {
+    proxy_read_timeout 300; # Some requests take more than 30 seconds.
+    proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+    proxy_redirect     off;
+
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+    proxy_pass http://gitlab;
+  }
+
+  error_page 502 /502.html;
+}
+
 user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
 worker_processes <%= @worker_processes %>;
-error_log /var/log/gitlab/nginx/error.log<%= node['gitlab']['lb']['debug'] ? " debug" : "" %>;
+error_log /var/log/gitlab/nginx/error.log;
  
 daemon off;
  
@@ -9,10 +9,6 @@ events {
 }
  
 http {
-  log_format opscode '$remote_addr - $remote_user [$time_local]  '
-                    '"$request" $status "$request_time" $body_bytes_sent '
-                    '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
-
   sendfile <%= @sendfile %>;
   tcp_nopush <%= @tcp_nopush %>;
   tcp_nodelay <%= @tcp_nodelay %>;
@@ -27,37 +23,5 @@ http {
  
   include /opt/gitlab/embedded/conf/mime.types;
  
-  <%- node['gitlab']['lb']['upstream'].each do |uname, servers| -%>
-  upstream <%= uname.gsub(/-/, '_') %> {
-    <%- servers.each do |server| -%>
-    server <%= server %>:<%= node['gitlab'][uname]['port'] %>;
-    <%- end -%>
-  }
-  <%- end -%>
-
-  # external lb config for Chef API
-  <%- if node['gitlab']['lb']['enable'] -%>
-  proxy_cache_path  <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
-  proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
-
-  # We support three options: serve nothing on non_ssl_port (80),
-  # redirect to https, or actually serve the API.
-  <%- if @non_ssl_port -%>
-  <%- if @enable_non_ssl -%>
-
-  # Chef HTTP API
-  include <%= @chef_http_config %>;
-  <%- else -%>
-
-  server {
-    listen <%= @non_ssl_port %>;
-    access_log /var/log/gitlab/nginx/rewrite-port-<%= @non_ssl_port %>.log;
-    return 301 https://$host:<%= @ssl_port %>$request_uri;
-  }
-  <%- end -%>
-  <%-  end -%>
-
-  # Chef HTTPS API
-  include <%= @chef_https_config %>;
-  <%- end -%>
+  include <%= @gitlab_http_config %>
 }
...	...	@@ -18,19 +18,11 @@
18	18
19	19	nginx_dir = node['gitlab']['nginx']['dir']
20	20	nginx_etc_dir = File.join(nginx_dir, "etc")
21		-nginx_cache_dir = File.join(nginx_dir, "cache")
22		-nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
23		-nginx_html_dir = File.join(nginx_dir, "html")
24		-nginx_ca_dir = File.join(nginx_dir, "ca")
25	21	nginx_log_dir = node['gitlab']['nginx']['log_directory']
26	22
27	23	[
28	24	nginx_dir,
29	25	nginx_etc_dir,
30		- nginx_cache_dir,
31		- nginx_cache_tmp_dir,
32		- nginx_html_dir,
33		- nginx_ca_dir,
34	26	nginx_log_dir,
35	27	].each do \|dir_name\|
36	28	directory dir_name do
...	...	@@ -40,95 +32,22 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']
40	32	end
41	33	end
42	34
43		-ssl_keyfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.key")
44		-ssl_crtfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.crt")
45		-ssl_signing_conf = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}-ssl.conf")
46		-
47		-unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
48		- file ssl_keyfile do
49		- owner "root"
50		- group "root"
51		- mode "0644"
52		- content `/opt/gitlab/embedded/bin/openssl genrsa 2048`
53		- not_if { File.exists?(ssl_keyfile) }
54		- end
55		-
56		- file ssl_signing_conf do
57		- owner "root"
58		- group "root"
59		- mode "0644"
60		- not_if { File.exists?(ssl_signing_conf) }
61		- content <<-EOH
62		- [ req ]
63		- distinguished_name = req_distinguished_name
64		- prompt = no
65		-
66		- [ req_distinguished_name ]
67		- C = #{node['gitlab']['nginx']['ssl_country_name']}
68		- ST = #{node['gitlab']['nginx']['ssl_state_name']}
69		- L = #{node['gitlab']['nginx']['ssl_locality_name']}
70		- O = #{node['gitlab']['nginx']['ssl_company_name']}
71		- OU = #{node['gitlab']['nginx']['ssl_organizational_unit_name']}
72		- CN = #{node['gitlab']['nginx']['server_name']}
73		- emailAddress = #{node['gitlab']['nginx']['ssl_email_address']}
74		- EOH
75		- end
76		-
77		- ruby_block "create crtfile" do
78		- block do
79		- r = Chef::Resource::File.new(ssl_crtfile, run_context)
80		- r.owner "root"
81		- r.group "root"
82		- r.mode "0644"
83		- r.content `/opt/gitlab/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
84		- r.not_if { File.exists?(ssl_crtfile) }
85		- r.run_action(:create)
86		- end
87		- end
88		-end
89		-
90		-node.default['gitlab']['nginx']['ssl_certificate'] \|\|= ssl_crtfile
91		-node.default['gitlab']['nginx']['ssl_certificate_key'] \|\|= ssl_keyfile
92		-
93		-remote_directory nginx_html_dir do
94		- source "html"
95		- files_backup false
96		- files_owner "root"
97		- files_group "root"
98		- files_mode "0644"
99		- owner node['gitlab']['user']['username']
100		- mode "0700"
101		-end
102		-
103	35	nginx_config = File.join(nginx_etc_dir, "nginx.conf")
104	36	nginx_vars = node['gitlab']['nginx'].to_hash.merge({
105		- :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
106		- :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
	37	+ :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
107	38	})
108	39
109		-# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
110		-# config file will only be active if the user set `nginx['enable_non_ssl']` to
111		-# true. Default behavior is to redirect all HTTP requests to HTTPS.
112		-["https", "http"].each do \|server_proto\|
113		- config_key = "chef_#{server_proto}_config".to_sym
114		- lb_config = nginx_vars[config_key]
115		-
116		- server_port = (server_proto == 'https') ?
117		- nginx_vars['ssl_port'] :
118		- nginx_vars['non_ssl_port']
119		-
120		- template lb_config do
121		- source "nginx_chef_api_lb.conf.erb"
122		- owner "root"
123		- group "root"
124		- mode "0644"
125		- variables(nginx_vars.merge({
126		- :server_proto => server_proto,
127		- :server_port => server_port
128		- }))
129		- notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
130		- end
131		-
	40	+template gitlab_http_config do
	41	+ source "nginx-gitlab-http.conf.erb"
	42	+ owner "root"
	43	+ group "root"
	44	+ mode "0644"
	45	+ variables(nginx_vars.merge(
	46	+ {
	47	+ :fqdn => node['gitlab']['gitlab-rails']['external_fqdn']
	48	+ }
	49	+ ))
	50	+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
132	51	end
133	52
134	53	template nginx_config do
...	...	@@ -148,8 +67,7 @@ runit_service "nginx" do
148	67	end
149	68
150	69	if node['gitlab']['bootstrap']['enable']
151		- execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
152		- retries 20
153		- end
	70	+ execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
	71	+ retries 20
	72	+ end
154	73	end
155		-
...	...
...	...	@@ -0,0 +1,59 @@
	1	+# GITLAB
	2	+# Maintainer: @randx
	3	+
	4	+# CHUNKED TRANSFER
	5	+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
	6	+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
	7	+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
	8	+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
	9	+# - using a newer version of Nginx.
	10	+#
	11	+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
	12	+# users can use Git over SSH to push large files.
	13	+#
	14	+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
	15	+# [1] https://github.com/agentzh/chunkin-nginx-module#status
	16	+# [2] https://github.com/agentzh/chunkin-nginx-module
	17	+
	18	+upstream gitlab {
	19	+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
	20	+}
	21	+
	22	+server {
	23	+ listen :80 default_server; # e.g., listen 192.168.1.1:80; In most cases :80 is a good idea
	24	+ server_name <%= @fqdn %>; # e.g., server_name source.example.com;
	25	+ server_tokens off; # don't show the version number, a security best practice
	26	+ root /opt/gitlab/embedded/service/gitlab-rails/public;
	27	+
	28	+ # Increase this if you want to upload large attachments
	29	+ # Or if you want to accept large git objects over http
	30	+ client_max_body_size 5m;
	31	+
	32	+ # individual nginx logs for this gitlab vhost
	33	+ access_log <%= @log_directory %>/gitlab_access.log;
	34	+ error_log <%= @log_directory %>/gitlab_error.log;
	35	+
	36	+ location / {
	37	+ # serve static files from defined root folder;.
	38	+ # @gitlab is a named location for the upstream fallback, see below
	39	+ try_files $uri $uri/index.html $uri.html @gitlab;
	40	+ }
	41	+
	42	+ # if a file, which is not found in the root folder is requested,
	43	+ # then the proxy pass the request to the upsteam (gitlab unicorn)
	44	+ location @gitlab {
	45	+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
	46	+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
	47	+ proxy_redirect off;
	48	+
	49	+ proxy_set_header X-Forwarded-Proto $scheme;
	50	+ proxy_set_header Host $http_host;
	51	+ proxy_set_header X-Real-IP $remote_addr;
	52	+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	53	+
	54	+ proxy_pass http://gitlab;
	55	+ }
	56	+
	57	+ error_page 502 /502.html;
	58	+}
	59	+
...	...
1	1	user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
2	2	worker_processes <%= @worker_processes %>;
3		-error_log /var/log/gitlab/nginx/error.log<%= node['gitlab']['lb']['debug'] ? " debug" : "" %>;
	3	+error_log /var/log/gitlab/nginx/error.log;
4	4
5	5	daemon off;
6	6
...	...	@@ -9,10 +9,6 @@ events {
9	9	}
10	10
11	11	http {
12		- log_format opscode '$remote_addr - $remote_user [$time_local] '
13		- '"$request" $status "$request_time" $body_bytes_sent '
14		- '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
15		-
16	12	sendfile <%= @sendfile %>;
17	13	tcp_nopush <%= @tcp_nopush %>;
18	14	tcp_nodelay <%= @tcp_nodelay %>;
...	...	@@ -27,37 +23,5 @@ http {
27	23
28	24	include /opt/gitlab/embedded/conf/mime.types;
29	25
30		- <%- node['gitlab']['lb']['upstream'].each do \|uname, servers\| -%>
31		- upstream <%= uname.gsub(/-/, '_') %> {
32		- <%- servers.each do \|server\| -%>
33		- server <%= server %>:<%= node['gitlab'][uname]['port'] %>;
34		- <%- end -%>
35		- }
36		- <%- end -%>
37		-
38		- # external lb config for Chef API
39		- <%- if node['gitlab']['lb']['enable'] -%>
40		- proxy_cache_path <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
41		- proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
42		-
43		- # We support three options: serve nothing on non_ssl_port (80),
44		- # redirect to https, or actually serve the API.
45		- <%- if @non_ssl_port -%>
46		- <%- if @enable_non_ssl -%>
47		-
48		- # Chef HTTP API
49		- include <%= @chef_http_config %>;
50		- <%- else -%>
51		-
52		- server {
53		- listen <%= @non_ssl_port %>;
54		- access_log /var/log/gitlab/nginx/rewrite-port-<%= @non_ssl_port %>.log;
55		- return 301 https://$host:<%= @ssl_port %>$request_uri;
56		- }
57		- <%- end -%>
58		- <%- end -%>
59		-
60		- # Chef HTTPS API
61		- include <%= @chef_https_config %>;
62		- <%- end -%>
	26	+ include <%= @gitlab_http_config %>
63	27	}
...	...