From f109fa859f08f55c94f3992d6b9b8523c43d4280 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Fri, 15 Aug 2014 12:07:04 +0200
Subject: [PATCH] Allow more than one NGINX listen address
---
 CHANGELOG | 1 +
 README.md | 9 +++++++++
 files/gitlab-cookbooks/gitlab/attributes/default.rb | 2 +-
 files/gitlab-cookbooks/gitlab/libraries/gitlab.rb | 10 ++++++++++
 files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb | 4 +++-
 5 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index d591241..a106d18 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,7 @@ omnibus-gitlab repository.
 - Update openssl to 1.0.1i
 - Fix missing sidekiq.log in the GitLab admin interface
 - Defer more gitlab.yml defaults to upstream
+- Allow more than one NGINX listen address
 7.1.0
 - Build: explicitly use .forward for sending notifications
diff --git a/README.md b/README.md
index 1152d38..59dd22c 100644
--- a/README.md
+++ b/README.md
@@ -437,6 +437,15 @@ unicorn['worker_processes'] = 3
 unicorn['worker_timeout'] = 60
 ```
+### Setting the NGINX listen address or addresses
+
+By default NGINX will accept incoming connections on all local IPv4 addresses.
+You can change the list of addresses in `/etc/gitlab/gitlab.rb`.
+
+```ruby
+nginx['listen_addresses'] = ["0.0.0.0", "[::]"] # listen on all IPv4 and IPv6 addresses
+```
+
 ## Backups
 ### Creating an application backup
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 779ab44..61ef417 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -261,7 +261,7 @@ default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
 default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 default['gitlab']['nginx']['ssl_session_cache'] = "shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
-default['gitlab']['nginx']['listen_address'] = '*'
+default['gitlab']['nginx']['listen_addresses'] = ['*']
 ###
 # Logging
diff --git a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
index d7a295c..0eb5363 100644
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -147,6 +147,15 @@ module Gitlab
 end
 end
+ def parse_nginx_listen_address
+ return unless nginx['listen_address']
+
+ # The user specified a custom NGINX listen address with the legacy
+ # listen_address option. We have to convert it to the new
+ # listen_addresses setting.
+ nginx['listen_addresses'] = [nginx['listen_address']]
+ end
+
 def generate_hash
 results = { "gitlab" => {} }
 [
@@ -176,6 +185,7 @@ module Gitlab
 parse_git_data_dir
 parse_udp_log_shipping
 parse_redis_settings
+ parse_nginx_listen_address
 # The last step is to convert underscores to hyphens in top-level keys
 generate_hash
 end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
index 0219d29..6f623ff 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
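Review bot: In `parse_nginx_listen_address` (gitlab.rb, first hunk) the legacy `listen_address` value unconditionally overwrites `listen_addresses`, so a gitlab.rb that still carries an old `nginx['listen_address'] = '*'` next to a newer, narrower `listen_addresses` list silently ends up bound to the legacy address. Assuming `nginx[...]` returns nil for unset keys, as the guard on `listen_address` suggests, letting the new key win would be `nginx['listen_addresses'] ||= [nginx['listen_address']]`. Whichever key is meant to take precedence, the comment should say so, and a deprecation warning when both are set would make the conflict visible to the administrator. Wrapping the legacy value as `Array(nginx['listen_address'])` would also avoid a nested array if someone already passed a list to the old option.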
@@ -35,7 +35,9 @@ server {
 <% end %>
 server {
- listen <%= @listen_address %>:<%= @port %>;
+<% @listen_addresses.each do |listen_address| %>
+ listen <%= listen_address %>:<%= @port %>;
+<% end %>
 server_name <%= @fqdn %>;
 server_tokens off; # don't show the version number, a security best practice
 root /opt/gitlab/embedded/service/gitlab-rails/public;
--
libgit2 0.21.2
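Review bot: An empty `listen_addresses` list makes the new loop emit no `listen` directive at all, and nginx then falls back to its built-in default (`*:80` when started as root, otherwise `*:8000`), so the server block would accept connections on every address and ignore `@port`. The value should be rejected before rendering, for example with `<% raise "nginx['listen_addresses'] must not be empty" if Array(@listen_addresses).empty? %>` ahead of the loop, or with an equivalent check in the recipe that feeds the template. A plain string instead of an array fails at `.each`, which is at least fail-closed, but iterating `Array(@listen_addresses)` would give a clearer result. Each entry is joined to `:<%= @port %>` as-is, so a comment noting that IPv6 literals must be bracketed (as in the README example) would help; the `server` block continues past the end of this hunk.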