Merge branch 'nginx' into 'master'

Nginx

Merge branch 'nginx' into 'master'
Nginx
Jacob Vosmaer
2 parents ff0fc888 5556dd77
Showing 10 changed files with 213 additions and 0 deletions Show diff stats
config/projects/gitlab.rb
files/gitlab-cookbooks/gitlab/attributes/default.rb
files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
files/gitlab-cookbooks/gitlab/recipes/default.rb
files/gitlab-cookbooks/gitlab/recipes/nginx.rb
files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
@@ -31,6 +31,7 @@ dependency &quot;preparation&quot;
 dependency "git"
 dependency "postgresql"
 dependency "redis"
+dependency "nginx"
 dependency "gitlab-shell"
 dependency "gitlab-rails"
 dependency "chef-gem"
@@ -138,3 +138,25 @@ default[&#39;gitlab&#39;][&#39;redis&#39;][&#39;username&#39;] = &quot;gitlab-redis&quot;
 default['gitlab']['redis']['shell'] = "/bin/nologin"
 default['gitlab']['redis']['home'] = "/var/opt/gitlab/redis"
 default['gitlab']['redis']['port'] = 6379
+
+
+####
+# Nginx
+####
+default['gitlab']['nginx']['enable'] = true
+default['gitlab']['nginx']['ha'] = false
+default['gitlab']['nginx']['dir'] = "/var/opt/gitlab/nginx"
+default['gitlab']['nginx']['log_directory'] = "/var/log/gitlab/nginx"
+default['gitlab']['nginx']['worker_processes'] = node['cpu']['total'].to_i
+default['gitlab']['nginx']['worker_connections'] = 10240
+default['gitlab']['nginx']['sendfile'] = 'on'
+default['gitlab']['nginx']['tcp_nopush'] = 'on'
+default['gitlab']['nginx']['tcp_nodelay'] = 'on'
+default['gitlab']['nginx']['gzip'] = "on"
+default['gitlab']['nginx']['gzip_http_version'] = "1.0"
+default['gitlab']['nginx']['gzip_comp_level'] = "2"
+default['gitlab']['nginx']['gzip_proxied'] = "any"
+default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
+default['gitlab']['nginx']['keepalive_timeout'] = 65
+default['gitlab']['nginx']['client_max_body_size'] = '250m'
+default['gitlab']['nginx']['cache_max_size'] = '5000m'
@@ -31,6 +31,7 @@ module Gitlab
   gitlab_rails Mash.new
   unicorn Mash.new
   sidekiq Mash.new
+  nginx Mash.new
   node nil
   class << self
@@ -79,6 +80,7 @@ module Gitlab
         "gitlab_rails",
         "unicorn",
         "sidekiq",
+        "nginx",
         "postgresql"
       ].each do |key|
         rkey = key.gsub('_', '-')
@@ -69,6 +69,7 @@ include_recipe &quot;runit&quot;
   "postgresql", # Postgresql depends on Redis because of `rake db:seed_fu`
   "unicorn",
   "sidekiq",
+  "nginx",
   "bootstrap",
 ].each do |service|
   if node["gitlab"][service]["enable"]
@@ -0,0 +1,74 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2014 GitLab.com
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+nginx_dir = node['gitlab']['nginx']['dir']
+nginx_etc_dir = File.join(nginx_dir, "etc")
+nginx_log_dir = node['gitlab']['nginx']['log_directory']
+
+[
+  nginx_dir,
+  nginx_etc_dir,
+  nginx_log_dir,
+].each do |dir_name|
+  directory dir_name do
+    owner node['gitlab']['user']['username']
+    mode '0700'
+    recursive true
+  end
+end
+
+nginx_config = File.join(nginx_etc_dir, "nginx.conf")
+nginx_vars = node['gitlab']['nginx'].to_hash.merge({
+  :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
+})
+
+template nginx_vars[gitlab_http_config] do
+  source "nginx-gitlab-http.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables(nginx_vars.merge(
+    {
+      :fqdn => node['gitlab']['gitlab-rails']['external_fqdn'],
+      :socket => node['gitlab']['unicorn']['socket']
+    }
+  ))
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+end
+
+template nginx_config do
+  source "nginx.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables nginx_vars
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+end
+
+runit_service "nginx" do
+  down node['gitlab']['nginx']['ha']
+  options({
+    :log_directory => nginx_log_dir
+  }.merge(params))
+end
+
+if node['gitlab']['bootstrap']['enable']
+  execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
+    retries 20
+  end
+end
@@ -0,0 +1,21 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "nginx" do
+  action :disable
+end
+
@@ -0,0 +1,59 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+  server unix:<%= @socket %>;
+}
+
+server {
+  listen *:80 default_server;         # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
+  server_name <%= @fqdn %>;     # e.g., server_name source.example.com;
+  server_tokens off;     # don't show the version number, a security best practice
+  root /opt/gitlab/embedded/service/gitlab-rails/public;
+  
+  # Increase this if you want to upload large attachments
+  # Or if you want to accept large git objects over http
+  client_max_body_size 5m;
+
+  # individual nginx logs for this gitlab vhost
+  access_log  <%= @log_directory %>/gitlab_access.log;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+
+  location / {
+    # serve static files from defined root folder;.
+    # @gitlab is a named location for the upstream fallback, see below
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  # if a file, which is not found in the root folder is requested,
+  # then the proxy pass the request to the upsteam (gitlab unicorn)
+  location @gitlab {
+    proxy_read_timeout 300; # Some requests take more than 30 seconds.
+    proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+    proxy_redirect     off;
+
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+    proxy_pass http://gitlab;
+  }
+
+  error_page 502 /502.html;
+}
+
@@ -0,0 +1,27 @@
+user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
+worker_processes <%= @worker_processes %>;
+error_log /var/log/gitlab/nginx/error.log;
+
+daemon off;
+
+events {
+  worker_connections <%= @worker_connections %>;
+}
+
+http {
+  sendfile <%= @sendfile %>;
+  tcp_nopush <%= @tcp_nopush %>;
+  tcp_nodelay <%= @tcp_nodelay %>;
+
+  keepalive_timeout <%= @keepalive_timeout %>;
+
+  gzip <%= @gzip %>;
+  gzip_http_version <%= @gzip_http_version %>;
+  gzip_comp_level <%= @gzip_comp_level %>;
+  gzip_proxied <%= @gzip_proxied %>;
+  gzip_types <%= @gzip_types.join(' ') %>;
+
+  include /opt/gitlab/embedded/conf/mime.types;
+
+  include <%= @gitlab_http_config %>;
+}
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
@@ -0,0 +1,4 @@
+#!/bin/sh
+exec 2>&1
+exec chpst -P /opt/gitlab/embedded/sbin/nginx -c <%= File.join(node['gitlab']['nginx']['dir'], "etc", "nginx.conf") %>
+
	@@ -138,3 +138,25 @@ default['gitlab']['redis']['username'] = "gitlab-redis"		@@ -138,3 +138,25 @@ default['gitlab']['redis']['username'] = "gitlab-redis"
138	default['gitlab']['redis']['shell'] = "/bin/nologin"	138	default['gitlab']['redis']['shell'] = "/bin/nologin"
139	default['gitlab']['redis']['home'] = "/var/opt/gitlab/redis"	139	default['gitlab']['redis']['home'] = "/var/opt/gitlab/redis"
140	default['gitlab']['redis']['port'] = 6379	140	default['gitlab']['redis']['port'] = 6379
		141	+
		142	+
		143	+####
		144	+# Nginx
		145	+####
		146	+default['gitlab']['nginx']['enable'] = true
		147	+default['gitlab']['nginx']['ha'] = false
		148	+default['gitlab']['nginx']['dir'] = "/var/opt/gitlab/nginx"
		149	+default['gitlab']['nginx']['log_directory'] = "/var/log/gitlab/nginx"
		150	+default['gitlab']['nginx']['worker_processes'] = node['cpu']['total'].to_i
		151	+default['gitlab']['nginx']['worker_connections'] = 10240
		152	+default['gitlab']['nginx']['sendfile'] = 'on'
		153	+default['gitlab']['nginx']['tcp_nopush'] = 'on'
		154	+default['gitlab']['nginx']['tcp_nodelay'] = 'on'
		155	+default['gitlab']['nginx']['gzip'] = "on"
		156	+default['gitlab']['nginx']['gzip_http_version'] = "1.0"
		157	+default['gitlab']['nginx']['gzip_comp_level'] = "2"
		158	+default['gitlab']['nginx']['gzip_proxied'] = "any"
		159	+default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
		160	+default['gitlab']['nginx']['keepalive_timeout'] = 65
		161	+default['gitlab']['nginx']['client_max_body_size'] = '250m'
		162	+default['gitlab']['nginx']['cache_max_size'] = '5000m'
@@ -0,0 +1,74 @@		@@ -0,0 +1,74 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# Copyright:: Copyright (c) 2014 GitLab.com
	4	+# License:: Apache License, Version 2.0
	5	+#
	6	+# Licensed under the Apache License, Version 2.0 (the "License");
	7	+# you may not use this file except in compliance with the License.
	8	+# You may obtain a copy of the License at
	9	+#
	10	+# http://www.apache.org/licenses/LICENSE-2.0
	11	+#
	12	+# Unless required by applicable law or agreed to in writing, software
	13	+# distributed under the License is distributed on an "AS IS" BASIS,
	14	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	15	+# See the License for the specific language governing permissions and
	16	+# limitations under the License.
	17	+#
	18	+
	19	+nginx_dir = node['gitlab']['nginx']['dir']
	20	+nginx_etc_dir = File.join(nginx_dir, "etc")
	21	+nginx_log_dir = node['gitlab']['nginx']['log_directory']
	22	+
	23	+[
	24	+ nginx_dir,
	25	+ nginx_etc_dir,
	26	+ nginx_log_dir,
	27	+].each do \|dir_name\|
	28	+ directory dir_name do
	29	+ owner node['gitlab']['user']['username']
	30	+ mode '0700'
	31	+ recursive true
	32	+ end
	33	+end
	34	+
	35	+nginx_config = File.join(nginx_etc_dir, "nginx.conf")
	36	+nginx_vars = node['gitlab']['nginx'].to_hash.merge({
	37	+ :gitlab_http_config => File.join(nginx_etc_dir, "gitlab-http.conf"),
	38	+})
	39	+
	40	+template nginx_vars[gitlab_http_config] do
	41	+ source "nginx-gitlab-http.conf.erb"
	42	+ owner "root"
	43	+ group "root"
	44	+ mode "0644"
	45	+ variables(nginx_vars.merge(
	46	+ {
	47	+ :fqdn => node['gitlab']['gitlab-rails']['external_fqdn'],
	48	+ :socket => node['gitlab']['unicorn']['socket']
	49	+ }
	50	+ ))
	51	+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
	52	+end
	53	+
	54	+template nginx_config do
	55	+ source "nginx.conf.erb"
	56	+ owner "root"
	57	+ group "root"
	58	+ mode "0644"
	59	+ variables nginx_vars
	60	+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
	61	+end
	62	+
	63	+runit_service "nginx" do
	64	+ down node['gitlab']['nginx']['ha']
	65	+ options({
	66	+ :log_directory => nginx_log_dir
	67	+ }.merge(params))
	68	+end
	69	+
	70	+if node['gitlab']['bootstrap']['enable']
	71	+ execute "/opt/gitlab/bin/gitlab-ctl start nginx" do
	72	+ retries 20
	73	+ end
	74	+end
@@ -0,0 +1,21 @@		@@ -0,0 +1,21 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+runit_service "nginx" do
	19	+ action :disable
	20	+end
	21	+
@@ -0,0 +1,59 @@		@@ -0,0 +1,59 @@
	1	+# GITLAB
	2	+# Maintainer: @randx
	3	+
	4	+# CHUNKED TRANSFER
	5	+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
	6	+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
	7	+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
	8	+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
	9	+# - using a newer version of Nginx.
	10	+#
	11	+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
	12	+# users can use Git over SSH to push large files.
	13	+#
	14	+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
	15	+# [1] https://github.com/agentzh/chunkin-nginx-module#status
	16	+# [2] https://github.com/agentzh/chunkin-nginx-module
	17	+
	18	+upstream gitlab {
	19	+ server unix:<%= @socket %>;
	20	+}
	21	+
	22	+server {
	23	+ listen :80 default_server; # e.g., listen 192.168.1.1:80; In most cases :80 is a good idea
	24	+ server_name <%= @fqdn %>; # e.g., server_name source.example.com;
	25	+ server_tokens off; # don't show the version number, a security best practice
	26	+ root /opt/gitlab/embedded/service/gitlab-rails/public;
	27	+
	28	+ # Increase this if you want to upload large attachments
	29	+ # Or if you want to accept large git objects over http
	30	+ client_max_body_size 5m;
	31	+
	32	+ # individual nginx logs for this gitlab vhost
	33	+ access_log <%= @log_directory %>/gitlab_access.log;
	34	+ error_log <%= @log_directory %>/gitlab_error.log;
	35	+
	36	+ location / {
	37	+ # serve static files from defined root folder;.
	38	+ # @gitlab is a named location for the upstream fallback, see below
	39	+ try_files $uri $uri/index.html $uri.html @gitlab;
	40	+ }
	41	+
	42	+ # if a file, which is not found in the root folder is requested,
	43	+ # then the proxy pass the request to the upsteam (gitlab unicorn)
	44	+ location @gitlab {
	45	+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
	46	+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
	47	+ proxy_redirect off;
	48	+
	49	+ proxy_set_header X-Forwarded-Proto $scheme;
	50	+ proxy_set_header Host $http_host;
	51	+ proxy_set_header X-Real-IP $remote_addr;
	52	+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	53	+
	54	+ proxy_pass http://gitlab;
	55	+ }
	56	+
	57	+ error_page 502 /502.html;
	58	+}
	59	+
@@ -0,0 +1,27 @@		@@ -0,0 +1,27 @@
	1	+user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
	2	+worker_processes <%= @worker_processes %>;
	3	+error_log /var/log/gitlab/nginx/error.log;
	4	+
	5	+daemon off;
	6	+
	7	+events {
	8	+ worker_connections <%= @worker_connections %>;
	9	+}
	10	+
	11	+http {
	12	+ sendfile <%= @sendfile %>;
	13	+ tcp_nopush <%= @tcp_nopush %>;
	14	+ tcp_nodelay <%= @tcp_nodelay %>;
	15	+
	16	+ keepalive_timeout <%= @keepalive_timeout %>;
	17	+
	18	+ gzip <%= @gzip %>;
	19	+ gzip_http_version <%= @gzip_http_version %>;
	20	+ gzip_comp_level <%= @gzip_comp_level %>;
	21	+ gzip_proxied <%= @gzip_proxied %>;
	22	+ gzip_types <%= @gzip_types.join(' ') %>;
	23	+
	24	+ include /opt/gitlab/embedded/conf/mime.types;
	25	+
	26	+ include <%= @gitlab_http_config %>;
	27	+}
@@ -0,0 +1,2 @@		@@ -0,0 +1,2 @@
	1	+#!/bin/sh
	2	+exec svlogd -tt <%= @options[:log_directory] %>
@@ -0,0 +1,4 @@		@@ -0,0 +1,4 @@
	1	+#!/bin/sh
	2	+exec 2>&1
	3	+exec chpst -P /opt/gitlab/embedded/sbin/nginx -c <%= File.join(node['gitlab']['nginx']['dir'], "etc", "nginx.conf") %>
	4	+