From 69b90eb4411f23e05fa5cd76a12b9e9eb48b946a Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Tue, 11 Feb 2014 18:12:57 +0100
Subject: [PATCH] Add GitLab nginx template
---
 files/gitlab-cookbooks/gitlab/recipes/nginx.rb | 112 +++++++++++++++-------------------------------------------------------------------------------------------------
 files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb | 40 ++--------------------------------------
 3 files changed, 76 insertions(+), 135 deletions(-)
 create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
diff --git a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
index 45a80d5..b9a66e2 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -18,19 +18,11 @@ nginx_dir = node['gitlab']['nginx']['dir']
 nginx_etc_dir = File.join(nginx_dir, "etc")
-nginx_cache_dir = File.join(nginx_dir, "cache")
-nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
-nginx_html_dir = File.join(nginx_dir, "html")
-nginx_ca_dir = File.join(nginx_dir, "ca")
 nginx_log_dir = node['gitlab']['nginx']['log_directory']
 [
 nginx_dir,
 nginx_etc_dir,
- nginx_cache_dir,
- nginx_cache_tmp_dir,
- nginx_html_dir,
- nginx_ca_dir,
 nginx_log_dir,
 ].each do |dir_name|
 directory dir_name do
@@ -40,95 +32,22 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']
 end
 end
-ssl_keyfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.key")
-ssl_crtfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.crt")
-ssl_signing_conf = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}-ssl.conf")
-
-unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
- file ssl_keyfile do
- owner "root"
- group "root"
- mode "0644"
- content `/opt/gitlab/embedded/bin/openssl genrsa 2048`
- not_if { File.exists?(ssl_keyfile) }
- end
-
- file ssl_signing_conf do
- owner "root"
- group "root"
- mode "0644"
- not_if { File.exists?(ssl_signing_conf) }
- content <<-EOH
- [ req ]
- distinguished_name = req_distinguished_name
- prompt = no
-
- [ req_distinguished_name ]
- C = #{node['gitlab']['nginx']['ssl_country_name']}
- ST = #{node['gitlab']['nginx']['ssl_state_name']}
- L = #{node['gitlab']['nginx']['ssl_locality_name']}
- O = #{node['gitlab']['nginx']['ssl_company_name']}
- OU = #{node['gitlab']['nginx']['ssl_organizational_unit_name']}
- CN = #{node['gitlab']['nginx']['server_name']}
- emailAddress = #{node['gitlab']['nginx']['ssl_email_address']}
- EOH
- end
-
- ruby_block "create crtfile" do
- block do
- r = Chef::Resource::File.new(ssl_crtfile, run_context)
- r.owner "root"
- r.group "root"
- r.mode "0644"
- r.content `/opt/gitlab/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
- r.not_if { File.exists?(ssl_crtfile) }
- r.run_action(:create)
- end
- end
-end
-
-node.default['gitlab']['nginx']['ssl_certificate'] ||= ssl_crtfile
-node.default['gitlab']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
-
-remote_directory nginx_html_dir do
- source "html"
- files_backup false
- files_owner "root"
- files_group "root"
- files_mode "0644"
- owner node['gitlab']['user']['username']
- mode "0700"
-end
-
 nginx_config = File.join(nginx_etc_dir, "nginx.conf")
 nginx_vars = node['gitlab']['nginx'].to_hash.merge({
- :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
- :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+ :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
 })
-# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
-# config file will only be active if the user set `nginx['enable_non_ssl']` to
-# true. Default behavior is to redirect all HTTP requests to HTTPS.
-["https", "http"].each do |server_proto|
- config_key = "chef_#{server_proto}_config".to_sym
- lb_config = nginx_vars[config_key]
-
- server_port = (server_proto == 'https') ?
- nginx_vars['ssl_port'] :
- nginx_vars['non_ssl_port']
-
- template lb_config do
- source "nginx_chef_api_lb.conf.erb"
- owner "root"
- group "root"
- mode "0644"
- variables(nginx_vars.merge({
- :server_proto => server_proto,
- :server_port => server_port
- }))
- notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
- end
-
+template gitlab_http_config do
+ source "nginx-gitlab-http.conf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables(nginx_vars.merge(
+ {
+ :fqdn => node['gitlab']['gitlab-rails']['external_fqdn']
+ }
+ ))
+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
 end
 template nginx_config do
@@ -148,8 +67,7 @@ runit_service "nginx" do
 end
 if node['gitlab']['bootstrap']['enable']
- execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
- retries 20
- end
+ execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
+ retries 20
+ end
 end
-
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
new file mode 100644
index 0000000..3db33c6
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
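Review bot: `template gitlab_http_config do` uses a local variable that nothing in the recipe assigns; the path exists only as the `:gitlab_http_config` key of `nginx_vars`, so Chef's compile phase will raise NameError before any resource runs. Define the path once and reuse it: `gitlab_http_config = File.join(nginx_etc_dir, "gitlab-http.conf")` above the merge, then `:gitlab_http_config => gitlab_http_config,` in the hash, leaving the `template` line as written. The `template nginx_config do` resource that consumes `nginx_vars` starts at the end of this hunk and its body lies outside it, so I could not confirm that it passes `nginx_vars` through `variables`.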
@@ -0,0 +1,59 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+ listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
+ server_name <%= @fqdn %>; # e.g., server_name source.example.com;
+ server_tokens off; # don't show the version number, a security best practice
+ root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+ # Increase this if you want to upload large attachments
+ # Or if you want to accept large git objects over http
+ client_max_body_size 5m;
+
+ # individual nginx logs for this gitlab vhost
+ access_log <%= @log_directory %>/gitlab_access.log;
+ error_log <%= @log_directory %>/gitlab_error.log;
+
+ location / {
+ # serve static files from defined root folder;.
+ # @gitlab is a named location for the upstream fallback, see below
+ try_files $uri $uri/index.html $uri.html @gitlab;
+ }
+
+ # if a file, which is not found in the root folder is requested,
+ # then the proxy pass the request to the upsteam (gitlab unicorn)
+ location @gitlab {
+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://gitlab;
+ }
+
+ error_page 502 /502.html;
+}
+
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
index 34df81a..8378189 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -1,6 +1,6 @@
 user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
 worker_processes <%= @worker_processes %>;
-error_log /var/log/gitlab/nginx/error.log<%= node['gitlab']['lb']['debug'] ? " debug" : "" %>;
+error_log /var/log/gitlab/nginx/error.log;
 daemon off;
@@ -9,10 +9,6 @@ events {
 }
 http {
- log_format opscode '$remote_addr - $remote_user [$time_local] '
- '"$request" $status "$request_time" $body_bytes_sent '
- '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
-
 sendfile <%= @sendfile %>;
 tcp_nopush <%= @tcp_nopush %>;
 tcp_nodelay <%= @tcp_nodelay %>;
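Review bot: The upstream at the top of the new template is hard-coded to `unix:/home/git/gitlab/tmp/sockets/gitlab.socket`, while `root` a few lines below and every other path this commit touches live under `/opt/gitlab`; if unicorn's socket is not at that `/home/git` path, every request that falls through `try_files` to `@gitlab` answers 502, and nothing in the recipe hunk shows which path is right. Consider rendering it from the recipe the way `@fqdn` and `@log_directory` are, e.g. `server unix:<%= @gitlab_socket %>;` (placeholder variable name, to be matched with whatever the unicorn recipe uses). This vhost also listens only on `*:80`: with the certificate generation and the HTTPS include removed in the other two files, nothing in the rendered configuration terminates TLS or redirects to it any more, so if that is intended for this stage it should be stated in the header comment, e.g. `# NOTE: plain HTTP only; TLS termination is not configured by this template`. Minor: the comment above `location @gitlab` reads `upsteam`, meaning `upstream`.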
@@ -27,37 +23,5 @@ http {
 include /opt/gitlab/embedded/conf/mime.types;
- <%- node['gitlab']['lb']['upstream'].each do |uname, servers| -%>
- upstream <%= uname.gsub(/-/, '_') %> {
- <%- servers.each do |server| -%>
- server <%= server %>:<%= node['gitlab'][uname]['port'] %>;
- <%- end -%>
- }
- <%- end -%>
-
- # external lb config for Chef API
- <%- if node['gitlab']['lb']['enable'] -%>
- proxy_cache_path <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
- proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
-
- # We support three options: serve nothing on non_ssl_port (80),
- # redirect to https, or actually serve the API.
- <%- if @non_ssl_port -%>
- <%- if @enable_non_ssl -%>
-
- # Chef HTTP API
- include <%= @chef_http_config %>;
- <%- else -%>
-
- server {
- listen <%= @non_ssl_port %>;
- access_log /var/log/gitlab/nginx/rewrite-port-<%= @non_ssl_port %>.log;
- return 301 https://$host:<%= @ssl_port %>$request_uri;
- }
- <%- end -%>
- <%- end -%>
-
- # Chef HTTPS API
- include <%= @chef_https_config %>;
- <%- end -%>
+ include <%= @gitlab_http_config %>
 }
-- 
libgit2 0.21.2
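Review bot: The added `include <%= @gitlab_http_config %>` is missing its terminating `;`, unlike the `include <%= @chef_https_config %>;` line it replaces; nginx requires every directive to end in `;`, so the rendered nginx.conf will fail the configuration parse at the closing `}` and the service will not start. Change it to `include <%= @gitlab_http_config %>;`. `@gitlab_http_config` has to reach this template through the `template nginx_config` resource in the recipe, whose body is outside the recipe hunk, so it is worth checking in the same commit that the resource passes `nginx_vars` through `variables`.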