Add GitLab nginx template

Jacob Vosmaer
1 parent df94b2c5
Showing 3 changed files with 76 additions and 135 deletions Show diff stats
files/gitlab-cookbooks/gitlab/recipes/nginx.rb
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -18,19 +18,11 @@
 nginx_dir = node['gitlab']['nginx']['dir']
 nginx_etc_dir = File.join(nginx_dir, "etc")
-nginx_cache_dir = File.join(nginx_dir, "cache")
-nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
-nginx_html_dir = File.join(nginx_dir, "html")
-nginx_ca_dir = File.join(nginx_dir, "ca")
 nginx_log_dir = node['gitlab']['nginx']['log_directory']
 [
   nginx_dir,
   nginx_etc_dir,
-  nginx_cache_dir,
-  nginx_cache_tmp_dir,
-  nginx_html_dir,
-  nginx_ca_dir,
   nginx_log_dir,
 ].each do |dir_name|
   directory dir_name do
@@ -40,95 +32,22 @@ nginx_log_dir = node[&#39;gitlab&#39;][&#39;nginx&#39;][&#39;log_directory&#39;]
   end
 end
-ssl_keyfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.key")
-ssl_crtfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.crt")
-ssl_signing_conf = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}-ssl.conf")
-
-unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
-  file ssl_keyfile do
-    owner "root"
-    group "root"
-    mode "0644"
-    content `/opt/gitlab/embedded/bin/openssl genrsa 2048`
-    not_if { File.exists?(ssl_keyfile) }
-  end
-
-  file ssl_signing_conf do
-    owner "root"
-    group "root"
-    mode "0644"
-    not_if { File.exists?(ssl_signing_conf) }
-    content <<-EOH
-  [ req ]
-  distinguished_name = req_distinguished_name
-  prompt = no
-
-  [ req_distinguished_name ]
-  C                      = #{node['gitlab']['nginx']['ssl_country_name']}
-  ST                     = #{node['gitlab']['nginx']['ssl_state_name']}
-  L                      = #{node['gitlab']['nginx']['ssl_locality_name']}
-  O                      = #{node['gitlab']['nginx']['ssl_company_name']}
-  OU                     = #{node['gitlab']['nginx']['ssl_organizational_unit_name']}
-  CN                     = #{node['gitlab']['nginx']['server_name']}
-  emailAddress           = #{node['gitlab']['nginx']['ssl_email_address']}
-  EOH
-  end
-
-  ruby_block "create crtfile" do
-    block do
-      r = Chef::Resource::File.new(ssl_crtfile, run_context)
-      r.owner "root"
-      r.group "root"
-      r.mode "0644"
-      r.content `/opt/gitlab/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
-      r.not_if { File.exists?(ssl_crtfile) }
-      r.run_action(:create)
-    end
-  end
-end
-
-node.default['gitlab']['nginx']['ssl_certificate'] ||= ssl_crtfile
-node.default['gitlab']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
-
-remote_directory nginx_html_dir do
-  source "html"
-  files_backup false
-  files_owner "root"
-  files_group "root"
-  files_mode "0644"
-  owner node['gitlab']['user']['username']
-  mode "0700"
-end
-
 nginx_config = File.join(nginx_etc_dir, "nginx.conf")
 nginx_vars = node['gitlab']['nginx'].to_hash.merge({
-  :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
-  :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+  :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
 })
-# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
-# config file will only be active if the user set `nginx['enable_non_ssl']` to
-# true. Default behavior is to redirect all HTTP requests to HTTPS.
-["https", "http"].each do |server_proto|
-  config_key = "chef_#{server_proto}_config".to_sym
-  lb_config = nginx_vars[config_key]
-
-  server_port = (server_proto == 'https') ?
-                 nginx_vars['ssl_port'] :
-                 nginx_vars['non_ssl_port']
-
-  template lb_config do
-    source "nginx_chef_api_lb.conf.erb"
-    owner "root"
-    group "root"
-    mode "0644"
-    variables(nginx_vars.merge({
-      :server_proto => server_proto,
-      :server_port => server_port
-    }))
-    notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
-  end
-
+template gitlab_http_config do
+  source "nginx-gitlab-http.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables(nginx_vars.merge(
+    {
+      :fqdn => node['gitlab']['gitlab-rails']['external_fqdn']
+    }
+  ))
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
 end
 template nginx_config do
@@ -148,8 +67,7 @@ runit_service &quot;nginx&quot; do
 end
 if node['gitlab']['bootstrap']['enable']
-	execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
-		retries 20
-	end
+  execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
+    retries 20
+  end
 end
-
@@ -0,0 +1,59 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+  listen *:80 default_server;         # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
+  server_name <%= @fqdn %>;     # e.g., server_name source.example.com;
+  server_tokens off;     # don't show the version number, a security best practice
+  root /opt/gitlab/embedded/service/gitlab-rails/public;
+  
+  # Increase this if you want to upload large attachments
+  # Or if you want to accept large git objects over http
+  client_max_body_size 5m;
+
+  # individual nginx logs for this gitlab vhost
+  access_log  <%= @log_directory %>/gitlab_access.log;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+
+  location / {
+    # serve static files from defined root folder;.
+    # @gitlab is a named location for the upstream fallback, see below
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  # if a file, which is not found in the root folder is requested,
+  # then the proxy pass the request to the upsteam (gitlab unicorn)
+  location @gitlab {
+    proxy_read_timeout 300; # Some requests take more than 30 seconds.
+    proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+    proxy_redirect     off;
+
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+    proxy_pass http://gitlab;
+  }
+
+  error_page 502 /502.html;
+}
+
 user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
 worker_processes <%= @worker_processes %>;
-error_log /var/log/gitlab/nginx/error.log<%= node['gitlab']['lb']['debug'] ? " debug" : "" %>;
+error_log /var/log/gitlab/nginx/error.log;
 daemon off;
@@ -9,10 +9,6 @@ events {
 }
 http {
-  log_format opscode '$remote_addr - $remote_user [$time_local]  '
-                    '"$request" $status "$request_time" $body_bytes_sent '
-                    '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
-
   sendfile <%= @sendfile %>;
   tcp_nopush <%= @tcp_nopush %>;
   tcp_nodelay <%= @tcp_nodelay %>;
@@ -27,37 +23,5 @@ http {
   include /opt/gitlab/embedded/conf/mime.types;
-  <%- node['gitlab']['lb']['upstream'].each do |uname, servers| -%>
-  upstream <%= uname.gsub(/-/, '_') %> {
-    <%- servers.each do |server| -%>
-    server <%= server %>:<%= node['gitlab'][uname]['port'] %>;
-    <%- end -%>
-  }
-  <%- end -%>
-
-  # external lb config for Chef API
-  <%- if node['gitlab']['lb']['enable'] -%>
-  proxy_cache_path  <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
-  proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
-
-  # We support three options: serve nothing on non_ssl_port (80),
-  # redirect to https, or actually serve the API.
-  <%- if @non_ssl_port -%>
-  <%- if @enable_non_ssl -%>
-
-  # Chef HTTP API
-  include <%= @chef_http_config %>;
-  <%- else -%>
-
-  server {
-    listen <%= @non_ssl_port %>;
-    access_log /var/log/gitlab/nginx/rewrite-port-<%= @non_ssl_port %>.log;
-    return 301 https://$host:<%= @ssl_port %>$request_uri;
-  }
-  <%- end -%>
-  <%-  end -%>
-
-  # Chef HTTPS API
-  include <%= @chef_https_config %>;
-  <%- end -%>
+  include <%= @gitlab_http_config %>
 }
	@@ -18,19 +18,11 @@		@@ -18,19 +18,11 @@
18		18
19	nginx_dir = node['gitlab']['nginx']['dir']	19	nginx_dir = node['gitlab']['nginx']['dir']
20	nginx_etc_dir = File.join(nginx_dir, "etc")	20	nginx_etc_dir = File.join(nginx_dir, "etc")
21	-nginx_cache_dir = File.join(nginx_dir, "cache")
22	-nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
23	-nginx_html_dir = File.join(nginx_dir, "html")
24	-nginx_ca_dir = File.join(nginx_dir, "ca")
25	nginx_log_dir = node['gitlab']['nginx']['log_directory']	21	nginx_log_dir = node['gitlab']['nginx']['log_directory']
26		22
27	[	23	[
28	nginx_dir,	24	nginx_dir,
29	nginx_etc_dir,	25	nginx_etc_dir,
30	- nginx_cache_dir,
31	- nginx_cache_tmp_dir,
32	- nginx_html_dir,
33	- nginx_ca_dir,
34	nginx_log_dir,	26	nginx_log_dir,
35	].each do \|dir_name\|	27	].each do \|dir_name\|
36	directory dir_name do	28	directory dir_name do
	@@ -40,95 +32,22 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']		@@ -40,95 +32,22 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']
40	end	32	end
41	end	33	end
42		34
43	-ssl_keyfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.key")
44	-ssl_crtfile = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}.crt")
45	-ssl_signing_conf = File.join(nginx_ca_dir, "#{node['gitlab']['nginx']['server_name']}-ssl.conf")
46	-
47	-unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
48	- file ssl_keyfile do
49	- owner "root"
50	- group "root"
51	- mode "0644"
52	- content `/opt/gitlab/embedded/bin/openssl genrsa 2048`
53	- not_if { File.exists?(ssl_keyfile) }
54	- end
55	-
56	- file ssl_signing_conf do
57	- owner "root"
58	- group "root"
59	- mode "0644"
60	- not_if { File.exists?(ssl_signing_conf) }
61	- content <<-EOH
62	- [ req ]
63	- distinguished_name = req_distinguished_name
64	- prompt = no
65	-
66	- [ req_distinguished_name ]
67	- C = #{node['gitlab']['nginx']['ssl_country_name']}
68	- ST = #{node['gitlab']['nginx']['ssl_state_name']}
69	- L = #{node['gitlab']['nginx']['ssl_locality_name']}
70	- O = #{node['gitlab']['nginx']['ssl_company_name']}
71	- OU = #{node['gitlab']['nginx']['ssl_organizational_unit_name']}
72	- CN = #{node['gitlab']['nginx']['server_name']}
73	- emailAddress = #{node['gitlab']['nginx']['ssl_email_address']}
74	- EOH
75	- end
76	-
77	- ruby_block "create crtfile" do
78	- block do
79	- r = Chef::Resource::File.new(ssl_crtfile, run_context)
80	- r.owner "root"
81	- r.group "root"
82	- r.mode "0644"
83	- r.content `/opt/gitlab/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
84	- r.not_if { File.exists?(ssl_crtfile) }
85	- r.run_action(:create)
86	- end
87	- end
88	-end
89	-
90	-node.default['gitlab']['nginx']['ssl_certificate'] \|\|= ssl_crtfile
91	-node.default['gitlab']['nginx']['ssl_certificate_key'] \|\|= ssl_keyfile
92	-
93	-remote_directory nginx_html_dir do
94	- source "html"
95	- files_backup false
96	- files_owner "root"
97	- files_group "root"
98	- files_mode "0644"
99	- owner node['gitlab']['user']['username']
100	- mode "0700"
101	-end
102	-
103	nginx_config = File.join(nginx_etc_dir, "nginx.conf")	35	nginx_config = File.join(nginx_etc_dir, "nginx.conf")
104	nginx_vars = node['gitlab']['nginx'].to_hash.merge({	36	nginx_vars = node['gitlab']['nginx'].to_hash.merge({
105	- :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
106	- :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")	37	+ :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
107	})	38	})
108		39
109	-# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
110	-# config file will only be active if the user set `nginx['enable_non_ssl']` to
111	-# true. Default behavior is to redirect all HTTP requests to HTTPS.
112	-["https", "http"].each do \|server_proto\|
113	- config_key = "chef_#{server_proto}_config".to_sym
114	- lb_config = nginx_vars[config_key]
115	-
116	- server_port = (server_proto == 'https') ?
117	- nginx_vars['ssl_port'] :
118	- nginx_vars['non_ssl_port']
119	-
120	- template lb_config do
121	- source "nginx_chef_api_lb.conf.erb"
122	- owner "root"
123	- group "root"
124	- mode "0644"
125	- variables(nginx_vars.merge({
126	- :server_proto => server_proto,
127	- :server_port => server_port
128	- }))
129	- notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
130	- end
131	-	40	+template gitlab_http_config do
		41	+ source "nginx-gitlab-http.conf.erb"
		42	+ owner "root"
		43	+ group "root"
		44	+ mode "0644"
		45	+ variables(nginx_vars.merge(
		46	+ {
		47	+ :fqdn => node['gitlab']['gitlab-rails']['external_fqdn']
		48	+ }
		49	+ ))
		50	+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
132	end	51	end
133		52
134	template nginx_config do	53	template nginx_config do
	@@ -148,8 +67,7 @@ runit_service "nginx" do		@@ -148,8 +67,7 @@ runit_service "nginx" do
148	end	67	end
149		68
150	if node['gitlab']['bootstrap']['enable']	69	if node['gitlab']['bootstrap']['enable']
151	- execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
152	- retries 20
153	- end	70	+ execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
		71	+ retries 20
		72	+ end
154	end	73	end
155	-
@@ -0,0 +1,59 @@		@@ -0,0 +1,59 @@
	1	+# GITLAB
	2	+# Maintainer: @randx
	3	+
	4	+# CHUNKED TRANSFER
	5	+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
	6	+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
	7	+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
	8	+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
	9	+# - using a newer version of Nginx.
	10	+#
	11	+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
	12	+# users can use Git over SSH to push large files.
	13	+#
	14	+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
	15	+# [1] https://github.com/agentzh/chunkin-nginx-module#status
	16	+# [2] https://github.com/agentzh/chunkin-nginx-module
	17	+
	18	+upstream gitlab {
	19	+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
	20	+}
	21	+
	22	+server {
	23	+ listen :80 default_server; # e.g., listen 192.168.1.1:80; In most cases :80 is a good idea
	24	+ server_name <%= @fqdn %>; # e.g., server_name source.example.com;
	25	+ server_tokens off; # don't show the version number, a security best practice
	26	+ root /opt/gitlab/embedded/service/gitlab-rails/public;
	27	+
	28	+ # Increase this if you want to upload large attachments
	29	+ # Or if you want to accept large git objects over http
	30	+ client_max_body_size 5m;
	31	+
	32	+ # individual nginx logs for this gitlab vhost
	33	+ access_log <%= @log_directory %>/gitlab_access.log;
	34	+ error_log <%= @log_directory %>/gitlab_error.log;
	35	+
	36	+ location / {
	37	+ # serve static files from defined root folder;.
	38	+ # @gitlab is a named location for the upstream fallback, see below
	39	+ try_files $uri $uri/index.html $uri.html @gitlab;
	40	+ }
	41	+
	42	+ # if a file, which is not found in the root folder is requested,
	43	+ # then the proxy pass the request to the upsteam (gitlab unicorn)
	44	+ location @gitlab {
	45	+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
	46	+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
	47	+ proxy_redirect off;
	48	+
	49	+ proxy_set_header X-Forwarded-Proto $scheme;
	50	+ proxy_set_header Host $http_host;
	51	+ proxy_set_header X-Real-IP $remote_addr;
	52	+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	53	+
	54	+ proxy_pass http://gitlab;
	55	+ }
	56	+
	57	+ error_page 502 /502.html;
	58	+}
	59	+
1	user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;	1	user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
2	worker_processes <%= @worker_processes %>;	2	worker_processes <%= @worker_processes %>;
3	-error_log /var/log/gitlab/nginx/error.log<%= node['gitlab']['lb']['debug'] ? " debug" : "" %>;	3	+error_log /var/log/gitlab/nginx/error.log;
4		4
5	daemon off;	5	daemon off;
6		6
	@@ -9,10 +9,6 @@ events {		@@ -9,10 +9,6 @@ events {
9	}	9	}
10		10
11	http {	11	http {
12	- log_format opscode '$remote_addr - $remote_user [$time_local] '
13	- '"$request" $status "$request_time" $body_bytes_sent '
14	- '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
15	-
16	sendfile <%= @sendfile %>;	12	sendfile <%= @sendfile %>;
17	tcp_nopush <%= @tcp_nopush %>;	13	tcp_nopush <%= @tcp_nopush %>;
18	tcp_nodelay <%= @tcp_nodelay %>;	14	tcp_nodelay <%= @tcp_nodelay %>;
	@@ -27,37 +23,5 @@ http {		@@ -27,37 +23,5 @@ http {
27		23
28	include /opt/gitlab/embedded/conf/mime.types;	24	include /opt/gitlab/embedded/conf/mime.types;
29		25
30	- <%- node['gitlab']['lb']['upstream'].each do \|uname, servers\| -%>
31	- upstream <%= uname.gsub(/-/, '_') %> {
32	- <%- servers.each do \|server\| -%>
33	- server <%= server %>:<%= node['gitlab'][uname]['port'] %>;
34	- <%- end -%>
35	- }
36	- <%- end -%>
37	-
38	- # external lb config for Chef API
39	- <%- if node['gitlab']['lb']['enable'] -%>
40	- proxy_cache_path <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
41	- proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
42	-
43	- # We support three options: serve nothing on non_ssl_port (80),
44	- # redirect to https, or actually serve the API.
45	- <%- if @non_ssl_port -%>
46	- <%- if @enable_non_ssl -%>
47	-
48	- # Chef HTTP API
49	- include <%= @chef_http_config %>;
50	- <%- else -%>
51	-
52	- server {
53	- listen <%= @non_ssl_port %>;
54	- access_log /var/log/gitlab/nginx/rewrite-port-<%= @non_ssl_port %>.log;
55	- return 301 https://$host:<%= @ssl_port %>$request_uri;
56	- }
57	- <%- end -%>
58	- <%- end -%>
59	-
60	- # Chef HTTPS API
61	- include <%= @chef_https_config %>;
62	- <%- end -%>	26	+ include <%= @gitlab_http_config %>
63	}	27	}