Commit eeb1c37e48a937399699d788d413f12d8de9eb06
Add https support based on upstream config
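--- a/README.md
+++ b/README.md
@@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console
 
 This will only work after you have run `gitlab-ctl reconfigure` at least once.
 
+### Enable HTTPS
+
+By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the
+following line to `/etc/gitlab/gitlab.rb`.
+
+```ruby
+external_url "https://gitlab.example.com"
+```
+
+Redirect `HTTP` requests to `HTTPS`.
+
+```ruby
+external_url "https://gitlab.example.com"
+nginx['redirect_http_to_https'] = true
+```
+
+Change the default port and the ssl certificate locations.
+
+```ruby
+external_url "https://gitlab.example.com:2443"
+nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
+nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
+```
+
+Create the default ssl certifcate directory and add the files:
+
+```
+sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl
+sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/
+# run lokkit to open https on the firewall
+sudo lokkit -s https
+# if you are using a non standard https port
+sudo lokkit -p 2443:tcp
+```
+
+Run `sudo gitlab-ctl reconfigure` for the change to take effect.
+
 ## Building your own package
 
 See [the separate build documentation](doc/build.md).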
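--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat
 default['gitlab']['nginx']['keepalive_timeout'] = 65
 default['gitlab']['nginx']['client_max_body_size'] = '250m'
 default['gitlab']['nginx']['cache_max_size'] = '5000m'
+default['gitlab']['nginx']['redirect_http_to_https'] = false
+default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
+default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
+default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"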
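Review bot: The new `ssl_certificate` / `ssl_certificate_key` defaults are derived from `node['fqdn']` here, but the `when "https"` branch added in files/gitlab-cookbooks/gitlab/libraries/gitlab.rb derives the same defaults from `uri.host`, so the two disagree whenever the machine's FQDN differs from the host in `external_url` (vanity hostname, load balancer, container). Which value reaches the nginx template depends on how the `Gitlab` hash is merged into node attributes, which is outside this hunk, so the resulting certificate path is hard to predict from either file alone. I would keep a single source of truth — derive the default once from the external URL host and drop the `node['fqdn']` form — and document it on the surviving line, e.g. `# Default cert/key paths follow the external_url host; override via nginx['ssl_certificate'] in /etc/gitlab/gitlab.rb`.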
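--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -94,6 +94,8 @@ module Gitlab
 Gitlab['gitlab_rails']['gitlab_https'] = false
 when "https"
 Gitlab['gitlab_rails']['gitlab_https'] = true
+Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
 else
 raise "Unsupported external URL scheme: #{uri.scheme}"
 end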
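--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do
 variables(nginx_vars.merge(
 {
 :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
-:socket => node['gitlab']['unicorn']['socket']
+:https => node['gitlab']['gitlab-rails']['gitlab_https'],
+:socket => node['gitlab']['unicorn']['socket'],
+:port => node['gitlab']['gitlab-rails']['gitlab_port'],
+:redirect_http_to_https => node['gitlab']['nginx']['redirect_http_to_https'],
+:redirect_http_to_https_port => node['gitlab']['nginx']['redirect_http_to_https_port'],
+:ssl_certificate => node['gitlab']['nginx']['ssl_certificate'],
+:ssl_certificate_key => node['gitlab']['nginx']['ssl_certificate_key']
 }
 ))
 notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")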
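--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -19,12 +19,29 @@ upstream gitlab {
 server unix:<%= @socket %>;
 }
 
+<% if @https && @redirect_http_to_https %>
 server {
-listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
-server_name <%= @fqdn %>; # e.g., server_name source.example.com;
+listen *:<%= @redirect_http_to_https_port %>;
+server_name <%= @fqdn %>;
+server_tokens off;
+return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+}
+<% end %>
+
+server {
+listen *:<%= @port %>;
+server_name <%= @fqdn %>;
 server_tokens off; # don't show the version number, a security best practice
 root /opt/gitlab/embedded/service/gitlab-rails/public;
-
+
+<% if @https %>
+ssl on;
+ssl_certificate <%= @ssl_certificate %>;
+ssl_certificate_key <%= @ssl_certificate_key %>;
+ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+<% end %>
+
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
 client_max_body_size <%= @client_max_body_size %>;
@@ -56,4 +73,3 @@ server {
 
 error_page 502 /502.html;
 }
-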
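Review bot: The `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` line inside the new `<% if @https %>` block lists RC4 first, and together with `ssl_prefer_server_ciphers on;` the server will actively select it for any client that offers it; RC4 is a broken stream cipher that RFC 7465 prohibits in TLS, so the HTTPS support this commit adds is weaker than it needs to be from day one. The block also sets no `ssl_protocols`, so the accepted protocol set is whatever the embedded nginx build enables by default, which on older builds includes SSLv3. The minimal change is to exclude RC4 rather than prefer it and pin the protocols, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and `ssl_protocols TLSv1.2;` (widen only if a client population needs it), and consider an `add_header Strict-Transport-Security` line so browsers stop returning through the plain-HTTP redirect server defined above. As a style point, `ssl on;` is deprecated in newer nginx releases in favour of `listen *:<%= @port %> ssl;`, which keeps the TLS enablement on the same line as the port it applies to.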