Commit
8426aca3
authored
Nov 12, 2015
by
Kirill Smelkov
.
parent
e6b926f1
Showing
9 changed files
with
104 additions
and
48 deletions
+104
-48
software/gitlab/gitlab-parameters.cfg
software/gitlab/gitlab-parameters.cfg
+11
-6
software/gitlab/instance-gitlab.cfg.in
software/gitlab/instance-gitlab.cfg.in
+46
-7
software/gitlab/instance.cfg.in
software/gitlab/instance.cfg.in
+1
-0
software/gitlab/macrolib.cfg.in
software/gitlab/macrolib.cfg.in
+9
-0
software/gitlab/software.cfg
software/gitlab/software.cfg
+4
-5
software/gitlab/template/gitlab-shell-config.yml.in
software/gitlab/template/gitlab-shell-config.yml.in
+1
-2
software/gitlab/template/gitlab.yml.in
software/gitlab/template/gitlab.yml.in
+4
-7
software/gitlab/template/nginx-gitlab-http.conf.in
software/gitlab/template/nginx-gitlab-http.conf.in
+26
-20
software/gitlab/template/nginx.conf.in
software/gitlab/template/nginx.conf.in
+2
-1
software/gitlab/gitlab-parameters.cfg
# Parameters (and defaults) for a GitLab instance
# Parameters (and defaults) for a GitLab instance
# TODO autogenerate from:
# TODO autogenerate from:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# XXX actual defaults:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
#
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-83-gf194960)
[gitlab-parameters]
[gitlab-parameters]
# gitlab instance parameters
# gitlab instance parameters
...
@@ -12,12 +16,6 @@
...
@@ -12,12 +16,6 @@
configuration.external_url = http://lab.example.com
configuration.external_url = http://lab.example.com
# TODO move to proper place and merge related from omnibus
# XXX https can be deduces from schema in external_url, at least not in
# separate frontend case
configuration.https = false
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60
configuration.rate_limit_period = 60
...
@@ -90,6 +88,13 @@ configuration.nginx_redirect_http_to_https = false
...
@@ -90,6 +88,13 @@ configuration.nginx_redirect_http_to_https = false
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
# we don't need - we talk directly to frontend only
configuration.nginx_ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_prefer_server_ciphers = no
configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
# the following is not default
configuration.nginx_ssl_session_cache = builtin:1000 shared:SSL:10m
configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_connect_timeout = 300
configuration.nginx_proxy_connect_timeout = 300
...
...
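Review bot: `configuration.nginx_ssl_prefer_server_ciphers = no` in the third hunk is not a value nginx accepts for that directive, which takes only `on` or `off`; since nginx-gitlab-http.conf.in in this commit writes the parameter verbatim into `ssl_prefer_server_ciphers`, an https instance would likely fail nginx's configuration check. If the intent is to let the client choose, the line should read `configuration.nginx_ssl_prefer_server_ciphers = off`, but with a cipher list that still offers `DES-CBC3-SHA` and the non-ECDHE suites, `on` keeps a client from negotiating the weakest entry. The defaults also enable `TLSv1 TLSv1.1`; the template's own comment says this nginx sits behind a frontend, so if that peer is under the operator's control `configuration.nginx_ssl_protocols = TLSv1.2` would be a tighter default.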
software/gitlab/instance-gitlab.cfg.in
...
@@ -26,6 +26,8 @@ parts =
...
@@ -26,6 +26,8 @@ parts =
service-unicorn
service-unicorn
service-sidekiq
service-sidekiq
certificate-authority
service-nginx
service-nginx
service-postgresql
service-postgresql
service-redis
service-redis
...
@@ -64,11 +66,15 @@ configuration.nginx_worker_processes = {{ multiprocessing.cpu_count() }}
...
@@ -64,11 +66,15 @@ configuration.nginx_worker_processes = {{ multiprocessing.cpu_count() }}
# for convenience
# for convenience
[external-url]
recipe = slapos.cookbook:urlparse
url = ${instance-parameter:configuration.external_url}
[backend-info]
[backend-info]
host = ${instance-parameter:ipv6-random}
host = ${instance-parameter:ipv6-random}
port = 7777
port = 7777
#
TODO http -? https
#
whether to use http or https - determined by external url
url =
http
://[${:host}]:${:port}
url =
${external-url:scheme}
://[${:host}]:${:port}
# current slapuserX
# current slapuserX
user = {{ pwd.getpwuid(os.getuid())[0] }}
user = {{ pwd.getpwuid(os.getuid())[0] }}
...
@@ -114,9 +120,9 @@ var = ${directory:var}/gitlab
...
@@ -114,9 +120,9 @@ var = ${directory:var}/gitlab
tmp = ${:var}/tmp
tmp = ${:var}/tmp
uploads = ${:var}/uploads
uploads = ${:var}/uploads
assets = ${:var}/assets
assets = ${:var}/assets
repositories = ${directory:
srv
}/repositories
repositories = ${directory:
var
}/repositories
# XXX goes away (?) satellites = ${directory:
srv
}/satellites
# XXX goes away (?) satellites = ${directory:
var
}/satellites
backup = ${directory:
srv
}/backup
backup = ${directory:
var
}/backup
# gitlab-shell: etc/ log/ gitlab_shell_secret ...
# gitlab-shell: etc/ log/ gitlab_shell_secret ...
...
@@ -134,7 +140,7 @@ secret = ${secrets:secrets}/gitlab_shell_secret
...
@@ -134,7 +140,7 @@ secret = ${secrets:secrets}/gitlab_shell_secret
# place to keep all secrets
# place to keep all secrets
[secrets]
[secrets]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
secrets = ${directory:
srv
}/secrets
secrets = ${directory:
var
}/secrets
mode = 0700
mode = 0700
...
@@ -151,6 +157,7 @@ context =
...
@@ -151,6 +157,7 @@ context =
raw autogenerated # This file was autogenerated. (DO NOT EDIT - changes will be lost)
raw autogenerated # This file was autogenerated. (DO NOT EDIT - changes will be lost)
section instance_parameter instance-parameter
section instance_parameter instance-parameter
section backend_info backend-info
section backend_info backend-info
import urlparse urlparse
${:context-extra}
${:context-extra}
context-extra =
context-extra =
...
@@ -175,7 +182,6 @@ context-extra =
...
@@ -175,7 +182,6 @@ context-extra =
section gitlab gitlab
section gitlab gitlab
section gitlab_shell gitlab-shell
section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work
section gitlab_shell_work gitlab-shell-work
import urlparse urlparse
[resque.yml]
[resque.yml]
<= gitlab-etc-template
<= gitlab-etc-template
...
@@ -186,6 +192,8 @@ context-extra =
...
@@ -186,6 +192,8 @@ context-extra =
[smtp_settings.rb]
[smtp_settings.rb]
<= gitlab-etc-template
<= gitlab-etc-template
template= {{ smtp_settings_rb_in }}
template= {{ smtp_settings_rb_in }}
# contains smtp password
mode = 0600
[rack_attack.rb]
[rack_attack.rb]
<= gitlab-etc-template
<= gitlab-etc-template
...
@@ -210,6 +218,7 @@ context-extra =
...
@@ -210,6 +218,7 @@ context-extra =
section unicorn unicorn
section unicorn unicorn
section service_redis service-redis
section service_redis service-redis
raw redis_bin {{ redis_bin }}
raw redis_bin {{ redis_bin }}
import urllib urllib
[nginx-etc-template]
[nginx-etc-template]
...
@@ -509,6 +518,36 @@ command-line = ${gitlab-sidekiq:wrapper-path}
...
@@ -509,6 +518,36 @@ command-line = ${gitlab-sidekiq:wrapper-path}
# Nginx frontend #
# Nginx frontend #
######################
######################
# self-signed certificate, if we use https
[ssl]
recipe = slapos.cookbook:mkdirectory
ssl = ${directory:srv}/ssl
requests= ${:ssl}/requests
private = ${:ssl}/private
certs = ${:ssl}/certs
newcerts= ${:ssl}/newcerts
crl = ${:ssl}/crl
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
wrapper = ${directory:service}/certificate_authority
openssl-binary = {{ openssl_bin }}
ca-dir = ${ssl:ssl}
requests-directory = ${ssl:requests}
ca-private = ${ssl:private}
ca-certs = ${ssl:certs}
ca-newcerts = ${ssl:newcerts}
ca-crl = ${ssl:crl}
email = ${instance-parameter:configuration.email_from}
#[ca-nginx]
#recipe = slapos.cookbook:certificate_authority.request
#key-file=
#cert-file=
name = <domain-name>
# srv/nginx/ prefix + etc/ log/ ...
# srv/nginx/ prefix + etc/ log/ ...
[nginx]
[nginx]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
...
...
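Review bot: The new `[ssl]` section creates `${:ssl}/private`, the directory handed to `[certificate-authority]` as `ca-private`, through `slapos.cookbook:mkdirectory` without a `mode`, whereas `[secrets]` sets `mode = 0700` and this same commit adds `mode = 0600` for smtp_settings.rb. Unless the certificate_authority recipe tightens permissions itself (not visible here), add `mode = 0700` to `[ssl]` so the CA key directory is not left to the umask. Separately, `name = <domain-name>` is left uncommented after the commented-out `[ca-nginx]` lines, so it is parsed as an option of `[certificate-authority]`; it should be `#name = <domain-name>` like its neighbours.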
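--- a/software/gitlab/instance.cfg.in
+++ b/software/gitlab/instance.cfg.in
@@ -34,6 +34,7 @@ context =
 # XXX git vs git_location
 raw git_location ${git:location}
 raw ruby_location ${bundler-4gitlab:ruby-location}
+raw openssl_bin ${openssl-output:openssl}
 raw nginx_bin ${nginx-output:nginx}
 raw mime_types ${nginx-output:mime}
 raw postgresql_location ${postgresql92:location}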
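--- a/software/gitlab/macrolib.cfg.in
+++ b/software/gitlab/macrolib.cfg.in
@@ -7,3 +7,12 @@
 NOTE macros can return only strings - that's why '' is used for false #}
 {% macro cfg_bool(name) %}{{ 'true' if (cfg(name).lower() in ('true', 'yes')) else '' }}{% endmacro %}
+{# deduce whether to use https from external url
+( here - becasue we cannot use jinja2 logic in instance-gitlab.cfg.in to
+process instance parameters ) #}
+{% set external_url = urlparse.urlparse(cfg('external_url')) %}
+{% set cfg_https = (true if external_url.scheme == 'https' else false) %}
+{# for convenience #}
+{% set fqdn = external_url.hostname %}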
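Review bot: `cfg_https` is true only for an exact `https` scheme, so an `external_url` with a typo in the scheme or with no scheme at all silently configures plain http, and `fqdn` then comes from `external_url.hostname`, which urlparse leaves as None when the URL has no `//host` part. The same parsed value feeds `default_port[external_url.scheme]` in gitlab.yml.in, `${external-url:scheme}` in instance-gitlab.cfg.in and `server_name {{ fqdn }}` in nginx-gitlab-http.conf.in, so one malformed parameter turns TLS off and mis-renders three files without any error. Since this file is the single place the URL is parsed for the templates, it is worth at least documenting the contract here, e.g. `{# external_url must be http://host[:port] or https://host[:port]; any other scheme is treated as http #}`, and preferably rejecting other schemes where the instance parameter is read.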
software/gitlab/software.cfg
...
@@ -10,6 +10,7 @@ extends =
...
@@ -10,6 +10,7 @@ extends =
../../component/icu/buildout.cfg
../../component/icu/buildout.cfg
../../component/pkgconfig/buildout.cfg
../../component/pkgconfig/buildout.cfg
../../component/nodejs/buildout.cfg
../../component/nodejs/buildout.cfg
../../component/openssl/buildout.cfg
../../component/nginx/buildout.cfg
../../component/nginx/buildout.cfg
parts =
parts =
...
@@ -83,16 +84,14 @@ git-executable = ${git:location}/bin/git
...
@@ -83,16 +84,14 @@ git-executable = ${git:location}/bin/git
[gitlab-repository]
[gitlab-repository]
<= git-repository
<= git-repository
repository = https://gitlab.com/gitlab-org/gitlab-ce.git
repository = https://gitlab.com/gitlab-org/gitlab-ce.git
revision = v8.1.
3-9-g0350a36f28bfb19fddf570c9f77e181e32efc149
revision = v8.1.
4-1-g4d7216aa3c8b950521ed9b7aea44debaa0c3afd4
location = ${buildout:parts-directory}/gitlab
location = ${buildout:parts-directory}/gitlab
[gitlab-shell-repository]
[gitlab-shell-repository]
<= git-repository
<= git-repository
repository = https://lab.nexedi.com/kirr/gitlab-shell.git
repository = https://lab.nexedi.com/kirr/gitlab-shell.git
# FIXME pin gitlab-shell version properly (wrt gitlab) ?
#revision = v2.6.6-11-g9f53a532d4a0a565f591c62b5e62a2fb698a0fbe
#revision = v2.6.5-8-g6add33352316af566cec5d827981f1783c59b7f4
revision = 8b6db0f7
#branch = next
revision = 2ad30257
location = ${buildout:parts-directory}/gitlab-shell
location = ${buildout:parts-directory}/gitlab-shell
[gitlab-workhorse-repository]
[gitlab-workhorse-repository]
...
...
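Review bot: As far as the flattened rendering shows, the active gitlab-shell `revision` in `[gitlab-shell-repository]` is an 8-character abbreviated commit id taken from a personal fork, while `[gitlab-repository]` is pinned with the full 40-hex id after `-g`. An abbreviation can become ambiguous as the repository grows and is a weaker pin for the component that mediates SSH access to repositories. Pin it the same way as gitlab-ce, `revision = <full-40-hex-commit-id>`, optionally keeping a describe-style prefix for readability.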
software/gitlab/template/gitlab-shell-config.yml.in
...
@@ -8,8 +8,7 @@
...
@@ -8,8 +8,7 @@
user: {{ backend_info.user }}
user: {{ backend_info.user }}
# Url to gitlab instance. Used for api calls. Should end with a slash.
# Url to gitlab instance. Used for api calls. Should end with a slash.
#gitlab_url: "http://127.0.0.1:8888"
gitlab_url: "http+unix://{{ urllib.quote_plus(unicorn.socket) }}/"
gitlab_socket: {{ unicorn.socket }}
http_settings:
http_settings:
{# we don't need any
{# we don't need any
...
...
software/gitlab/template/gitlab.yml.in
...
@@ -4,7 +4,7 @@
...
@@ -4,7 +4,7 @@
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab <version> XXX)
# (last updated for omnibus-gitlab <version> XXX)
{% from 'macrolib.cfg.in' import cfg with context %}
{% from 'macrolib.cfg.in' import cfg
, cfg_https, external_url
with context %}
production: &base
production: &base
#
#
...
@@ -14,13 +14,10 @@ production: &base
...
@@ -14,13 +14,10 @@ production: &base
## GitLab settings
## GitLab settings
gitlab:
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
## Web server settings (note: host is the FQDN, do not include http://)
{% set url = urlparse.urlparse(cfg('external_url')) %}
{% set default_port = {'http': 80, 'https': 443} %}
{% set default_port = {'http': 80, 'https': 443} %}
host: {{ url.hostname }}
host: {{ external_url.hostname }}
port: {{ url.port or default_port[url.scheme] }}
port: {{ external_url.port or default_port[external_url.scheme] }}
# TODO
https: {{ cfg_https }}
#https: <%= @gitlab_https %>
https: false
# XXX temp workaround for gitlab not building correct url for host being ipv6 addr
# XXX temp workaround for gitlab not building correct url for host being ipv6 addr
url: {{ backend_info.url }}
url: {{ backend_info.url }}
...
...
software/gitlab/template/nginx-gitlab-http.conf.in
...
@@ -3,7 +3,8 @@
...
@@ -3,7 +3,8 @@
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
{% from 'macrolib.cfg.in' import cfg, cfg_bool with context %}
{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn with context %}
upstream gitlab {
upstream gitlab {
server unix:{{ unicorn.socket }} fail_timeout=0;
server unix:{{ unicorn.socket }} fail_timeout=0;
...
@@ -13,7 +14,10 @@ upstream gitlab-git-http-server {
...
@@ -13,7 +14,10 @@ upstream gitlab-git-http-server {
server unix:{{ gitlab_workhorse.socket }};
server unix:{{ gitlab_workhorse.socket }};
}
}
{% if cfg_bool('https') and cfg_bool('nginx_redirect_http_to_https') %}
{# not needed for us - the frontend can do the redirection and also
gitlab/nginx speaks HSTS on https port so when we access https port via http
protocol, it gets redirected to https
{% if cfg_https and cfg_bool('nginx_redirect_http_to_https') %}
## Redirects all HTTP traffic to the HTTPS host
## Redirects all HTTP traffic to the HTTPS host
server {
server {
<% @listen_addresses.each do |listen_address| %>
<% @listen_addresses.each do |listen_address| %>
...
@@ -26,9 +30,10 @@ server {
...
@@ -26,9 +30,10 @@ server {
error_log <%= @log_directory %>/gitlab_error.log;
error_log <%= @log_directory %>/gitlab_error.log;
}
}
{% endif %}
{% endif %}
#}
server {
server {
listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_
bool('https')
%} ssl spdy{% endif %};
listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_
https
%} ssl spdy{% endif %};
{# we don't use: kerbeeros
{# we don't use: kerbeeros
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
...
@@ -36,8 +41,7 @@ server {
...
@@ -36,8 +41,7 @@ server {
<% end %>
<% end %>
#}
#}
# XXX fqdn
server_name {{ fqdn }};
server_name <%= @fqdn %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
server_tokens off; ## Don't show the nginx version number, a security best practice
root {{ gitlab_work.location }}/public;
root {{ gitlab_work.location }}/public;
...
@@ -45,7 +49,7 @@ server {
...
@@ -45,7 +49,7 @@ server {
## Or if you want to accept large git objects over http
## Or if you want to accept large git objects over http
client_max_body_size {{ cfg('nginx_client_max_body_size') }};
client_max_body_size {{ cfg('nginx_client_max_body_size') }};
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
## Strong SSL Security
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl on;
...
@@ -60,11 +64,13 @@ server {
...
@@ -60,11 +64,13 @@ server {
#}
#}
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers '<%= @ssl_ciphers %>';
# XXX the above isnot relevant for us - we are begind frontend and clients
ssl_protocols <%= @ssl_protocols %>;
# directly connects to frontend
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
ssl_session_cache <%= @ssl_session_cache %>;
ssl_protocols {{ cfg('nginx_ssl_protocols') }};
ssl_session_timeout <%= @ssl_session_timeout %>;
ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
ssl_session_cache {{ cfg('nginx_ssl_session_cache') }};
ssl_session_timeout {{ cfg('ssl_session_timeout') }};
{# XXX do we need ssl_dharm ?
{# XXX do we need ssl_dharm ?
{% if cfg_bool('ssl_dhparam') %}
{% if cfg_bool('ssl_dhparam') %}
...
@@ -86,7 +92,7 @@ server {
...
@@ -86,7 +92,7 @@ server {
location /uploads/ {
location /uploads/ {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -96,11 +102,11 @@ server {
...
@@ -96,11 +102,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
proxy_pass http://gitlab;
...
@@ -111,7 +117,7 @@ server {
...
@@ -111,7 +117,7 @@ server {
location @gitlab {
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -121,11 +127,11 @@ server {
...
@@ -121,11 +127,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
proxy_pass http://gitlab;
...
@@ -152,7 +158,7 @@ server {
...
@@ -152,7 +158,7 @@ server {
location @gitlab-git-http-server {
location @gitlab-git-http-server {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -162,11 +168,11 @@ server {
...
@@ -162,11 +168,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_pass http://gitlab-git-http-server;
proxy_pass http://gitlab-git-http-server;
}
}
...
...
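Review bot: In the "Strong SSL Security" hunk the new line `ssl_session_timeout {{ cfg('ssl_session_timeout') }};` looks up a key without the `nginx_` prefix, unlike the four sibling directives (`nginx_ssl_ciphers`, `nginx_ssl_protocols`, `nginx_ssl_prefer_server_ciphers`, `nginx_ssl_session_cache`). Unless a `configuration.ssl_session_timeout` parameter exists outside the visible hunks, this probably renders an empty or undefined value inside the https `server` block. `ssl_session_timeout {{ cfg('nginx_ssl_session_timeout') }};` would match the others, with its default declared next to `nginx_ssl_session_cache` in gitlab-parameters.cfg. The `server` block starts and ends outside these hunks.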
software/gitlab/template/nginx.conf.in
...
@@ -6,7 +6,8 @@
...
@@ -6,7 +6,8 @@
{% from 'macrolib.cfg.in' import cfg with context %}
{% from 'macrolib.cfg.in' import cfg with context %}
# user directive makes sense only when running initially as root (and nginx will complain if not)
# user directive makes sense only when running initially as root
# (and nginx will complain if not and directive give)
# user {{ backend_info.user }};
# user {{ backend_info.user }};
worker_processes {{ cfg('nginx_worker_processes') }};
worker_processes {{ cfg('nginx_worker_processes') }};
...
...