Commit eeb1c37e48a937399699d788d413f12d8de9eb06

Authored by Chuck Schweizer
1 parent 3ae86f44

Add https support based on upstream config

@@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console @@ -208,6 +208,43 @@ sudo /opt/gitlab/bin/gitlab-rails console
208 208
209 This will only work after you have run `gitlab-ctl reconfigure` at least once. 209 This will only work after you have run `gitlab-ctl reconfigure` at least once.
210 210
  211 +### Enable HTTPS
  212 +
  213 +By default, omnibus-gitlab runs does not use HTTPS. If you want to enable HTTPS you can add the
  214 +following line to `/etc/gitlab/gitlab.rb`.
  215 +
  216 +```ruby
  217 +external_url "https://gitlab.example.com"
  218 +```
  219 +
  220 +Redirect `HTTP` requests to `HTTPS`.
  221 +
  222 +```ruby
  223 +external_url "https://gitlab.example.com"
  224 +nginx['redirect_http_to_https'] = true
  225 +```
  226 +
  227 +Change the default port and the ssl certificate locations.
  228 +
  229 +```ruby
  230 +external_url "https://gitlab.example.com:2443"
  231 +nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
  232 +nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
  233 +```
  234 +
  235 +Create the default ssl certifcate directory and add the files:
  236 +
  237 +```
  238 +sudo mkdir -p /etc/gitlab/ssl && sudo chmod 700 /etc/gitlab/ssl
  239 +sudo cp gitlab.example.com.crt gitlab.example.com.key /etc/gitlab/ssl/
  240 +# run lokkit to open https on the firewall
  241 +sudo lokkit -s https
  242 +# if you are using a non standard https port
  243 +sudo lokkit -p 2443:tcp
  244 +```
  245 +
  246 +Run `sudo gitlab-ctl reconfigure` for the change to take effect.
  247 +
211 ## Building your own package 248 ## Building your own package
212 249
213 See [the separate build documentation](doc/build.md). 250 See [the separate build documentation](doc/build.md).
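--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -206,3 +206,7 @@ default['gitlab']['nginx']['gzip_types'] = [ "text/plain", "text/css", "applicat
 default['gitlab']['nginx']['keepalive_timeout'] = 65
 default['gitlab']['nginx']['client_max_body_size'] = '250m'
 default['gitlab']['nginx']['cache_max_size'] = '5000m'
+default['gitlab']['nginx']['redirect_http_to_https'] = false
+default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
+default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
+default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"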
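Review bot: The `ssl_certificate` and `ssl_certificate_key` defaults on the last two added lines derive the path from `node['fqdn']`, while libraries/gitlab.rb in this same commit assigns `/etc/gitlab/ssl/<external_url host>.{crt,key}` whenever the scheme is https, so the two conventions diverge on a host whose FQDN is not its external hostname, and the fqdn-based value appears never to be the one nginx actually reads in an HTTPS deployment. A comment above them stating which source wins would save the next reader a trip through the library: `# Fallback only: libraries/gitlab.rb sets the effective path from the external_url host whenever the scheme is https.`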
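--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -94,6 +94,8 @@ module Gitlab
 Gitlab['gitlab_rails']['gitlab_https'] = false
 when "https"
 Gitlab['gitlab_rails']['gitlab_https'] = true
+Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
 else
 raise "Unsupported external URL scheme: #{uri.scheme}"
 end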
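Review bot: `uri.host` on the two added lines keeps the square brackets of an IPv6 literal (`URI('https://[::1]').host` is `"[::1]"`), so an external_url of that form would make nginx look for `/etc/gitlab/ssl/[::1].crt`; `uri.hostname` returns the bare address and is identical to `host` for named hosts, so `Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.hostname}.crt"` and the matching `.key` line would be the safer derivation. A one-line comment such as `# Default cert/key location follows the external hostname; override in gitlab.rb` would also document why the path is chosen here rather than in attributes/default.rb. The `case` on `uri.scheme` begins outside the hunk.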
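--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -45,7 +45,13 @@ template nginx_vars[:gitlab_http_config] do
 variables(nginx_vars.merge(
 {
 :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
-:socket => node['gitlab']['unicorn']['socket']
+:https => node['gitlab']['gitlab-rails']['gitlab_https'],
+:socket => node['gitlab']['unicorn']['socket'],
+:port => node['gitlab']['gitlab-rails']['gitlab_port'],
+:redirect_http_to_https => node['gitlab']['nginx']['redirect_http_to_https'],
+:redirect_http_to_https_port => node['gitlab']['nginx']['redirect_http_to_https_port'],
+:ssl_certificate => node['gitlab']['nginx']['ssl_certificate'],
+:ssl_certificate_key => node['gitlab']['nginx']['ssl_certificate_key']
 }
 ))
 notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")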
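Review bot: The `:ssl_certificate` and `:ssl_certificate_key` paths are rendered into the nginx config without any check that the files exist when `gitlab_https` is true, so a reconfigure with a missing key writes the new config first and only then fails on the `service[nginx]` restart, leaving the previously working listener down. A guard placed before the `template` resource (whose `do` line is the hunk header, so the resource starts outside the hunk) would fail the run early with a message that names the missing file. It would presumably also be worth asserting the key is not group/world readable, though which user reads it cannot be confirmed from this hunk.
```ruby
# Fail fast: nginx will refuse to start on a missing cert/key, but only after the config is written.
if node['gitlab']['gitlab-rails']['gitlab_https']
  [node['gitlab']['nginx']['ssl_certificate'],
   node['gitlab']['nginx']['ssl_certificate_key']].each do |path|
    raise "external_url uses https but #{path} does not exist" unless File.exist?(path)
  end
end
# … unchanged: template resource with variables block …
```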
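--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -19,12 +19,29 @@ upstream gitlab {
 server unix:<%= @socket %>;
 }
 
+<% if @https && @redirect_http_to_https %>
 server {
-listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
-server_name <%= @fqdn %>; # e.g., server_name source.example.com;
+listen *:<%= @redirect_http_to_https_port %>;
+server_name <%= @fqdn %>;
+server_tokens off;
+return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+}
+<% end %>
+
+server {
+listen *:<%= @port %>;
+server_name <%= @fqdn %>;
 server_tokens off; # don't show the version number, a security best practice
 root /opt/gitlab/embedded/service/gitlab-rails/public;
-
+
+<% if @https %>
+ssl on;
+ssl_certificate <%= @ssl_certificate %>;
+ssl_certificate_key <%= @ssl_certificate_key %>;
+ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+<% end %>
+
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
 client_max_body_size <%= @client_max_body_size %>;
@@ -56,4 +73,3 @@ server {
 
 error_page 502 /502.html;
 }
-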
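Review bot: The `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` line in the new `<% if @https %>` block lists RC4 first and, combined with `ssl_prefer_server_ciphers on;`, makes it the suite the server will select; RC4 has known keystream biases and is prohibited for TLS by RFC 7465, and no `ssl_protocols` line is set, so nginx's compiled-in default (which on builds of that era still included SSLv3) decides the protocol. I would change the cipher line to `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and add `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` beside it, with a comment noting that the list is meant to be revisited as suites are deprecated. The redirect block is fine on the point that matters most: it builds the Location from the configured `@fqdn` and `@port` rather than `$host`, so a crafted Host header cannot steer the 301. This section has two hunks; the second only removes a trailing blank line.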