Commit eeb1c37e48a937399699d788d413f12d8de9eb06
1 parent
3ae86f44
Add https support based on upstream config
Showing
5 changed files
with
70 additions
and
5 deletions
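--- a/README.md
+++ b/README.md
@@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console
 
 This will only work after you have run `gitlab-ctl reconfigure` at least once.
 
+### Enable HTTPS
+
+By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the
+following line to `/etc/gitlab/gitlab.rb`.
+
+```ruby
+external_url "https://gitlab.example.com"
+```
+
+Redirect `HTTP` requests to `HTTPS`.
+
+```ruby
+external_url "https://gitlab.example.com"
+nginx['redirect_http_to_https'] = true
+```
+
+Change the default port and the ssl certificate locations.
+
+```ruby
+external_url "https://gitlab.example.com:2443"
+nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
+nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
+```
+
+Create the default ssl certifcate directory and add the files:
+
+```
+sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl
+sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/
+# run lokkit to open https on the firewall
+sudo lokkit -s https
+# if you are using a non standard https port
+sudo lokkit -p 2443:tcp
+```
+
+Run `sudo gitlab-ctl reconfigure` for the change to take effect.
+
 ## Building your own package
 
 See [the separate build documentation](doc/build.md).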
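--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat
 default['gitlab']['nginx']['keepalive_timeout'] = 65
 default['gitlab']['nginx']['client_max_body_size'] = '250m'
 default['gitlab']['nginx']['cache_max_size'] = '5000m'
+default['gitlab']['nginx']['redirect_http_to_https'] = false
+default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
+default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
+default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"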
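Review bot: The two new path defaults name the certificate and key after `node['fqdn']`, but `libraries/gitlab.rb` in the same commit fills the same two settings from `uri.host` of `external_url` with `||=`; if the library's values are merged over these attributes (as the rest of the cookbook appears to do, not visible here), these two lines never take effect, and an operator reading this file will expect a different file name than the one nginx is actually handed. Either drop the two path defaults here or add a comment above them: `# Placeholder only: when external_url is https the library derives these from its host, not node['fqdn']`. `ssl_certificate_key` is a private-key path and nothing in the cookbook manages the file, so a second comment, `# key must be readable only by root (nginx master reads it as root); 0600 recommended`, would keep operators from copying it in world-readable.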
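--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -94,6 +94,8 @@ module Gitlab
 Gitlab['gitlab_rails']['gitlab_https'] = false
 when "https"
 Gitlab['gitlab_rails']['gitlab_https'] = true
+Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
 else
 raise "Unsupported external URL scheme: #{uri.scheme}"
 end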
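Review bot: Nothing on the `when "https"` branch checks that the two derived files exist, so a reconfigure with `external_url` set to https and no certificate in `/etc/gitlab/ssl/` renders an nginx config that points at missing files and fails only at the nginx restart, far from the setting that caused it. A check next to the `||=` lines, e.g. `raise "Missing TLS certificate #{Gitlab['nginx']['ssl_certificate']}" unless File.exist?(Gitlab['nginx']['ssl_certificate'])` (and the same for the key), would fail reconfigure with a message naming the path. The `||=` also hides that `uri.host` carries no port, which is what the README relies on when it pairs a `:2443` URL with explicit path overrides; a one-line comment, `# host only, no port: e.g. /etc/gitlab/ssl/gitlab.example.com.crt`, makes that deliberate. The enclosing method and `case` statement start and end outside the hunk.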
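--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do
 variables(nginx_vars.merge(
 {
 :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
-:socket => node['gitlab']['unicorn']['socket']
+:https => node['gitlab']['gitlab-rails']['gitlab_https'],
+:socket => node['gitlab']['unicorn']['socket'],
+:port => node['gitlab']['gitlab-rails']['gitlab_port'],
+:redirect_http_to_https => node['gitlab']['nginx']['redirect_http_to_https'],
+:redirect_http_to_https_port => node['gitlab']['nginx']['redirect_http_to_https_port'],
+:ssl_certificate => node['gitlab']['nginx']['ssl_certificate'],
+:ssl_certificate_key => node['gitlab']['nginx']['ssl_certificate_key']
 }
 ))
 notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")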
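Review bot: The four `node['gitlab']['nginx'][...]` values are copied one by one into the hash that is merged over `nginx_vars`; if `nginx_vars` is itself built from `node['gitlab']['nginx']` (its definition is above the hunk and not visible here), `redirect_http_to_https`, `redirect_http_to_https_port`, `ssl_certificate` and `ssl_certificate_key` already reach the template under string keys and the symbol copies duplicate them under a second name. Either rely on the merged values or, if the template needs symbol keys for `@ssl_certificate` etc., add a comment on the hash such as `# nginx[...] settings re-exported as symbols so the ERB can read @ssl_certificate and friends` so the next reader does not remove one half of the pair. Worth a comment too that `:port` is reused by the template both as the HTTPS listen port and as the port in the redirect target, so a mismatch with `external_url` would loop clients to a closed port. The `template` block starts above the hunk.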
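--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -19,12 +19,29 @@ upstream gitlab {
 server unix:<%= @socket %>;
 }
 
+<% if @https && @redirect_http_to_https %>
 server {
-listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
-server_name <%= @fqdn %>; # e.g., server_name source.example.com;
+listen *:<%= @redirect_http_to_https_port %>;
+server_name <%= @fqdn %>;
+server_tokens off;
+return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+}
+<% end %>
+
+server {
+listen *:<%= @port %>;
+server_name <%= @fqdn %>;
 server_tokens off; # don't show the version number, a security best practice
 root /opt/gitlab/embedded/service/gitlab-rails/public;
-
+
+<% if @https %>
+ssl on;
+ssl_certificate <%= @ssl_certificate %>;
+ssl_certificate_key <%= @ssl_certificate_key %>;
+ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+<% end %>
+
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
 client_max_body_size <%= @client_max_body_size %>;
@@ -56,4 +73,3 @@ server {
 
 error_page 502 /502.html;
 }
-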
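Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` in the new `<% if @https %>` block lists RC4 first, and with `ssl_prefer_server_ciphers on` the server will choose RC4 over every AES suite for any client that offers it; RC4 has well-known keystream biases and should be excluded rather than preferred — `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. The block sets no `ssl_protocols`, so whatever the embedded nginx/OpenSSL default allows (historically including SSLv3) is negotiable; add `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` beside the cipher line. When `@redirect_http_to_https` is on, an `add_header Strict-Transport-Security "max-age=31536000";` in the HTTPS server block stops returning browsers from taking the plain-HTTP hop again on later visits. The rewrite also dropped the `default_server` flag the removed `listen *:80` carried, so requests whose Host does not match `<%= @fqdn %>` now go to whichever block nginx treats as default for that port rather than being answered here — likely harmless with a single vhost, but worth a comment on the `listen` line.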