From eeb1c37e48a937399699d788d413f12d8de9eb06 Mon Sep 17 00:00:00 2001
From: Chuck Schweizer
Date: Sat, 15 Mar 2014 17:27:58 -0500
Subject: [PATCH] Add https support based on upstream config
---
 README.md | 37 +++++++++++++++++++++++++++++++++++++
 files/gitlab-cookbooks/gitlab/attributes/default.rb | 4 ++++
 files/gitlab-cookbooks/gitlab/libraries/gitlab.rb | 2 ++
 files/gitlab-cookbooks/gitlab/recipes/nginx.rb | 8 +++++++-
 files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb | 24 ++++++++++++++++++++----
 5 files changed, 70 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 96a1df7..bfb225b 100644
--- a/README.md
+++ b/README.md
@@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console
 This will only work after you have run `gitlab-ctl reconfigure` at least once.
+### Enable HTTPS
+
+By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the
+following line to `/etc/gitlab/gitlab.rb`.
+
+```ruby
+external_url "https://gitlab.example.com"
+```
+
+Redirect `HTTP` requests to `HTTPS`.
+
+```ruby
+external_url "https://gitlab.example.com"
+nginx['redirect_http_to_https'] = true
+```
+
+Change the default port and the ssl certificate locations.
+
+```ruby
+external_url "https://gitlab.example.com:2443"
+nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
+nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
+```
+
+Create the default ssl certifcate directory and add the files:
+
+```
+sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl
+sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/
+# run lokkit to open https on the firewall
+sudo lokkit -s https
+# if you are using a non standard https port
+sudo lokkit -p 2443:tcp
+```
+
+Run `sudo gitlab-ctl reconfigure` for the change to take effect.
+
 ## Building your own package
 See [the separate build documentation](doc/build.md).
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index b8ac815..d7062da 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat
 default['gitlab']['nginx']['keepalive_timeout'] = 65
 default['gitlab']['nginx']['client_max_body_size'] = '250m'
 default['gitlab']['nginx']['cache_max_size'] = '5000m'
+default['gitlab']['nginx']['redirect_http_to_https'] = false
+default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
+default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
+default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
diff --git a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
index ab45972..03d2ea2 100644
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -94,6 +94,8 @@ module Gitlab
 Gitlab['gitlab_rails']['gitlab_https'] = false
 when "https"
 Gitlab['gitlab_rails']['gitlab_https'] = true
+ Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+ Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
 else
 raise "Unsupported external URL scheme: #{uri.scheme}"
 end
diff --git a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
index 6c29781..42c1e70 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
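Review bot: The two `ssl_certificate` defaults added at the end of attributes/default.rb build the file name from `node['fqdn']`, while the libraries/gitlab.rb hunk builds the same two settings from `uri.host` of `external_url`, so the cookbook now has two different answers for where the certificate lives; judging by the `||=`, the library value is presumably the one that reaches the rendered nginx config whenever the scheme is https, and the attribute default is only visible when no certificate is needed at all. Keep a single source (`uri.host` is the name the certificate has to be issued for) and say so on the attribute lines, e.g. `# Overridden from the external_url host in libraries/gitlab.rb when the scheme is https`. `redirect_http_to_https_port` is new and user-configurable but the README addition does not mention it. The `case` statement in libraries/gitlab.rb starts outside its hunk.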
@@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do
 variables(nginx_vars.merge(
 {
 :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
- :socket => node['gitlab']['unicorn']['socket']
+ :https => node['gitlab']['gitlab-rails']['gitlab_https'],
+ :socket => node['gitlab']['unicorn']['socket'],
+ :port => node['gitlab']['gitlab-rails']['gitlab_port'],
+ :redirect_http_to_https => node['gitlab']['nginx']['redirect_http_to_https'],
+ :redirect_http_to_https_port => node['gitlab']['nginx']['redirect_http_to_https_port'],
+ :ssl_certificate => node['gitlab']['nginx']['ssl_certificate'],
+ :ssl_certificate_key => node['gitlab']['nginx']['ssl_certificate_key']
 }
 ))
 notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
index 73abe34..d2635aa 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
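Review bot: The `:ssl_certificate` and `:ssl_certificate_key` paths are handed to the template and nothing in this hunk checks that the files exist, so an https `external_url` with no certificate in `/etc/gitlab/ssl` yet renders a config nginx cannot load, and the only symptom is the `service[nginx]` restart notification failing late in the run. A guard ahead of this resource gives an actionable message, e.g. `raise "nginx: #{path} does not exist" unless File.exist?(path)` for each of the two paths when `node['gitlab']['gitlab-rails']['gitlab_https']` is set; the files are user-supplied rather than created by the cookbook, so checking at recipe compile time looks acceptable here. The `template` resource starts and ends outside this hunk.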
@@ -19,12 +19,29 @@ upstream gitlab {
 server unix:<%= @socket %>;
 }
+<% if @https && @redirect_http_to_https %>
 server {
- listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
- server_name <%= @fqdn %>; # e.g., server_name source.example.com;
+ listen *:<%= @redirect_http_to_https_port %>;
+ server_name <%= @fqdn %>;
+ server_tokens off;
+ return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+}
+<% end %>
+
+server {
+ listen *:<%= @port %>;
+ server_name <%= @fqdn %>;
 server_tokens off; # don't show the version number, a security best practice
 root /opt/gitlab/embedded/service/gitlab-rails/public;
-
+
+ <% if @https %>
+ ssl on;
+ ssl_certificate <%= @ssl_certificate %>;
+ ssl_certificate_key <%= @ssl_certificate_key %>;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ <% end %>
+
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
 client_max_body_size <%= @client_max_body_size %>;
@@ -56,4 +73,3 @@ server {
 error_page 502 /502.html;
 }
-
-- 
libgit2 0.21.2
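Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` lists RC4 first, and with `ssl_prefer_server_ciphers on;` on the next line the server will settle on RC4 for every client that offers it; RC4's keystream biases make it unsuitable for TLS, and the block sets no `ssl_protocols`, so the nginx built-in default applies, which on builds of this era still includes SSLv3. I would use `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`, add `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (the embedded nginx version is not visible here; the TLSv1.1/1.2 tokens need a build that accepts them) and `ssl_session_cache shared:SSL:10m;` so each connection does not repeat a full handshake. Minor: `return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;` always writes an explicit port, so with the default 443 clients are sent to `https://host:443/...`, which works but is unusual. The second hunk in this file only removes a trailing blank line.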