Commit eeb1c37e48a937399699d788d413f12d8de9eb06
1 parent
3ae86f44
Exists in
master
and in
13 other branches
Add https support based on upstream config
Showing
5 changed files
with
70 additions
and
5 deletions
Show diff stats
README.md
| @@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console | @@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console | ||
| 208 | 208 | ||
| 209 | This will only work after you have run `gitlab-ctl reconfigure` at least once. | 209 | This will only work after you have run `gitlab-ctl reconfigure` at least once. |
| 210 | 210 | ||
| 211 | +### Enable HTTPS | ||
| 212 | + | ||
| 213 | +By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the | ||
| 214 | +following line to `/etc/gitlab/gitlab.rb`. | ||
| 215 | + | ||
| 216 | +```ruby | ||
| 217 | +external_url "https://gitlab.example.com" | ||
| 218 | +``` | ||
| 219 | + | ||
| 220 | +Redirect `HTTP` requests to `HTTPS`. | ||
| 221 | + | ||
| 222 | +```ruby | ||
| 223 | +external_url "https://gitlab.example.com" | ||
| 224 | +nginx['redirect_http_to_https'] = true | ||
| 225 | +``` | ||
| 226 | + | ||
| 227 | +Change the default port and the ssl certificate locations. | ||
| 228 | + | ||
| 229 | +```ruby | ||
| 230 | +external_url "https://gitlab.example.com:2443" | ||
| 231 | +nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt" | ||
| 232 | +nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key" | ||
| 233 | +``` | ||
| 234 | + | ||
| 235 | +Create the default ssl certifcate directory and add the files: | ||
| 236 | + | ||
| 237 | +``` | ||
| 238 | +sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl | ||
| 239 | +sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/ | ||
| 240 | +# run lokkit to open https on the firewall | ||
| 241 | +sudo lokkit -s https | ||
| 242 | +# if you are using a non standard https port | ||
| 243 | +sudo lokkit -p 2443:tcp | ||
| 244 | +``` | ||
| 245 | + | ||
| 246 | +Run `sudo gitlab-ctl reconfigure` for the change to take effect. | ||
| 247 | + | ||
| 211 | ## Building your own package | 248 | ## Building your own package |
| 212 | 249 | ||
| 213 | See [the separate build documentation](doc/build.md). | 250 | See [the separate build documentation](doc/build.md). |
files/gitlab-cookbooks/gitlab/attributes/default.rb
| @@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat | @@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat | ||
| 206 | default['gitlab']['nginx']['keepalive_timeout'] = 65 | 206 | default['gitlab']['nginx']['keepalive_timeout'] = 65 |
| 207 | default['gitlab']['nginx']['client_max_body_size'] = '250m' | 207 | default['gitlab']['nginx']['client_max_body_size'] = '250m' |
| 208 | default['gitlab']['nginx']['cache_max_size'] = '5000m' | 208 | default['gitlab']['nginx']['cache_max_size'] = '5000m' |
| 209 | +default['gitlab']['nginx']['redirect_http_to_https'] = false | ||
| 210 | +default['gitlab']['nginx']['redirect_http_to_https_port'] = 80 | ||
| 211 | +default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" | ||
| 212 | +default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" |
files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
| @@ -94,6 +94,8 @@ module Gitlab | @@ -94,6 +94,8 @@ module Gitlab | ||
| 94 | Gitlab['gitlab_rails']['gitlab_https'] = false | 94 | Gitlab['gitlab_rails']['gitlab_https'] = false |
| 95 | when "https" | 95 | when "https" |
| 96 | Gitlab['gitlab_rails']['gitlab_https'] = true | 96 | Gitlab['gitlab_rails']['gitlab_https'] = true |
| 97 | + Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt" | ||
| 98 | + Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key" | ||
| 97 | else | 99 | else |
| 98 | raise "Unsupported external URL scheme: #{uri.scheme}" | 100 | raise "Unsupported external URL scheme: #{uri.scheme}" |
| 99 | end | 101 | end |
files/gitlab-cookbooks/gitlab/recipes/nginx.rb
| @@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do | @@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do | ||
| 45 | variables(nginx_vars.merge( | 45 | variables(nginx_vars.merge( |
| 46 | { | 46 | { |
| 47 | :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'], | 47 | :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'], |
| 48 | - :socket => node['gitlab']['unicorn']['socket'] | 48 | + :https => node['gitlab']['gitlab-rails']['gitlab_https'], |
| 49 | + :socket => node['gitlab']['unicorn']['socket'], | ||
| 50 | + :port => node['gitlab']['gitlab-rails']['gitlab_port'], | ||
| 51 | + :redirect_http_to_https => node['gitlab']['nginx']['redirect_http_to_https'], | ||
| 52 | + :redirect_http_to_https_port => node['gitlab']['nginx']['redirect_http_to_https_port'], | ||
| 53 | + :ssl_certificate => node['gitlab']['nginx']['ssl_certificate'], | ||
| 54 | + :ssl_certificate_key => node['gitlab']['nginx']['ssl_certificate_key'] | ||
| 49 | } | 55 | } |
| 50 | )) | 56 | )) |
| 51 | notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx") | 57 | notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx") |
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
| @@ -19,12 +19,29 @@ upstream gitlab { | @@ -19,12 +19,29 @@ upstream gitlab { | ||
| 19 | server unix:<%= @socket %>; | 19 | server unix:<%= @socket %>; |
| 20 | } | 20 | } |
| 21 | 21 | ||
| 22 | +<% if @https && @redirect_http_to_https %> | ||
| 22 | server { | 23 | server { |
| 23 | - listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea | ||
| 24 | - server_name <%= @fqdn %>; # e.g., server_name source.example.com; | 24 | + listen *:<%= @redirect_http_to_https_port %>; |
| 25 | + server_name <%= @fqdn %>; | ||
| 26 | + server_tokens off; | ||
| 27 | + return 301 https://<%= @fqdn %>:<%= @port %>$request_uri; | ||
| 28 | +} | ||
| 29 | +<% end %> | ||
| 30 | + | ||
| 31 | +server { | ||
| 32 | + listen *:<%= @port %>; | ||
| 33 | + server_name <%= @fqdn %>; | ||
| 25 | server_tokens off; # don't show the version number, a security best practice | 34 | server_tokens off; # don't show the version number, a security best practice |
| 26 | root /opt/gitlab/embedded/service/gitlab-rails/public; | 35 | root /opt/gitlab/embedded/service/gitlab-rails/public; |
| 27 | - | 36 | + |
| 37 | + <% if @https %> | ||
| 38 | + ssl on; | ||
| 39 | + ssl_certificate <%= @ssl_certificate %>; | ||
| 40 | + ssl_certificate_key <%= @ssl_certificate_key %>; | ||
| 41 | + ssl_ciphers RC4:HIGH:!aNULL:!MD5; | ||
| 42 | + ssl_prefer_server_ciphers on; | ||
| 43 | + <% end %> | ||
| 44 | + | ||
| 28 | # Increase this if you want to upload large attachments | 45 | # Increase this if you want to upload large attachments |
| 29 | # Or if you want to accept large git objects over http | 46 | # Or if you want to accept large git objects over http |
| 30 | client_max_body_size <%= @client_max_body_size %>; | 47 | client_max_body_size <%= @client_max_body_size %>; |
| @@ -56,4 +73,3 @@ server { | @@ -56,4 +73,3 @@ server { | ||
| 56 | 73 | ||
| 57 | error_page 502 /502.html; | 74 | error_page 502 /502.html; |
| 58 | } | 75 | } |
| 59 | - |