Commit
e5f914c6
authored
Nov 13, 2015
by
Kirill Smelkov
X https draftly works
parent
8426aca3
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
47 additions
and
47 deletions
+47
-47
component/nginx/buildout.cfg
component/nginx/buildout.cfg
+4
-0
software/gitlab/gitlab-parameters.cfg
software/gitlab/gitlab-parameters.cfg
+2
-1
software/gitlab/instance-gitlab.cfg.in
software/gitlab/instance-gitlab.cfg.in
+33
-34
software/gitlab/template/nginx-gitlab-http.conf.in
software/gitlab/template/nginx-gitlab-http.conf.in
+8
-12
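--- a/component/nginx/buildout.cfg
+++ b/component/nginx/buildout.cfg
@@ -19,6 +19,8 @@ md5sum = 27322fbb4b265c0e0cc548f5e6b7f201
 configure-options=
   --with-ipv6
   --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
   --with-mail
   --with-mail_ssl_module
   --with-ld-opt="-L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
@@ -36,6 +38,8 @@ mode = 0644
 configure-options =
   --with-ipv6
   --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
   --with-mail
   --with-mail_ssl_module
   --error-log-path=var/log/nginx.error.log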
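Review bot: `--with-http_spdy_module` is compiled into both nginx builds in this section, but nothing in the nginx template touched by this commit enables it (no `spdy` parameter on a `listen` line is visible), so it only adds code to a listener that the other files say is reached by the frontend alone. nginx also replaced the SPDY module with `--with-http_v2_module` from 1.9.5 onwards, so whether this flag is even accepted depends on which tarball the md5sum at the top of the hunk pins — worth confirming against the version line above the hunk. If the goal is only to get `gzip_static` working for `/assets/`, dropping `--with-http_spdy_module` from both `configure-options` lists (or switching it to `--with-http_v2_module` once the version allows) keeps the build minimal.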
software/gitlab/gitlab-parameters.cfg
...
@@ -90,10 +90,11 @@ configuration.nginx_redirect_http_to_https = false
...
@@ -90,10 +90,11 @@ configuration.nginx_redirect_http_to_https = false
# we don't need - we talk directly to frontend only
# we don't need - we talk directly to frontend only
configuration.nginx_ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_prefer_server_ciphers =
no
configuration.nginx_ssl_prefer_server_ciphers =
on
configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
# the following is not default
# the following is not default
configuration.nginx_ssl_session_cache = builtin:1000 shared:SSL:10m
configuration.nginx_ssl_session_cache = builtin:1000 shared:SSL:10m
configuration.nginx_ssl_session_timeout = 5m
configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_read_timeout = 300
...
...
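Review bot: The `on` value for `configuration.nginx_ssl_prefer_server_ciphers` is the only one of the two that nginx accepts (`on`/`off`, the value is passed through verbatim by the template), and the new `nginx_ssl_session_timeout = 5m` is sensible, but the comment kept at the top of this hunk says the backwards-compatible cipher list is not needed because only the frontend talks to this nginx — yet the list below it still carries the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and `nginx_ssl_protocols` still allows `TLSv1 TLSv1.1`. If the SlapOS frontend is indeed the only client and it speaks TLS 1.2, this can be tightened to `configuration.nginx_ssl_protocols = TLSv1.2` and the cipher string trimmed to the `ECDHE-RSA-AES*-GCM-*` entries; if GitLab's list must be kept as-is for some client, the comment should say that instead of "we don't need". Either way a line above the cipher setting such as `# ciphers/protocols are only negotiated with the SlapOS frontend; tighten once its TLS floor is known` would record the intent.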
software/gitlab/instance-gitlab.cfg.in
...
@@ -26,8 +26,6 @@ parts =
...
@@ -26,8 +26,6 @@ parts =
service-unicorn
service-unicorn
service-sidekiq
service-sidekiq
certificate-authority
service-nginx
service-nginx
service-postgresql
service-postgresql
service-redis
service-redis
...
@@ -518,49 +516,50 @@ command-line = ${gitlab-sidekiq:wrapper-path}
...
@@ -518,49 +516,50 @@ command-line = ${gitlab-sidekiq:wrapper-path}
# Nginx frontend #
# Nginx frontend #
######################
######################
# self-signed certificate, if we use https
[ssl]
recipe = slapos.cookbook:mkdirectory
ssl = ${directory:srv}/ssl
requests= ${:ssl}/requests
private = ${:ssl}/private
certs = ${:ssl}/certs
newcerts= ${:ssl}/newcerts
crl = ${:ssl}/crl
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
wrapper = ${directory:service}/certificate_authority
openssl-binary = {{ openssl_bin }}
ca-dir = ${ssl:ssl}
requests-directory = ${ssl:requests}
ca-private = ${ssl:private}
ca-certs = ${ssl:certs}
ca-newcerts = ${ssl:newcerts}
ca-crl = ${ssl:crl}
email = ${instance-parameter:configuration.email_from}
#[ca-nginx]
#recipe = slapos.cookbook:certificate_authority.request
#key-file=
#cert-file=
name = <domain-name>
# srv/nginx/ prefix + etc/ log/ ...
# srv/nginx/ prefix + etc/ log/ ...
[nginx]
[nginx
-dir
]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
srv = ${directory:srv}/nginx
srv = ${directory:srv}/nginx
etc = ${directory:etc}/nginx
etc = ${directory:etc}/nginx
log = ${directory:log}/nginx
log = ${directory:log}/nginx
[nginx-ssl-dir]
recipe = slapos.cookbook:mkdirectory
ssl = ${nginx-dir:etc}/ssl
# contains https key
mode = 0700
# self-signed certificate for https
[nginx-generate-certificate]
# NOTE there is slapos.cookbook:certificate_authority.request but it requires
# to start whole service and has up to 60 seconds latency to generate
# certificate. We only need to run 1 command to do it...
recipe = plone.recipe.command
stop-on-error = true
cert_file = ${nginx-ssl-dir:ssl}/gitlab_backend.crt
key_file = ${nginx-ssl-dir:ssl}/gitlab_backend.key
update-command =
command =
{{ openssl_bin }} req -newkey rsa -batch -new -x509 -days 3650 -nodes \
-keyout ${:key_file} -out ${:cert_file}
[nginx]
srv = ${nginx-dir:srv}
etc = ${nginx-dir:etc}
log = ${nginx-dir:log}
ssl = ${nginx-ssl-dir:ssl}
cert_file = ${nginx-generate-certificate:cert_file}
key_file = ${nginx-generate-certificate:key_file}
[nginx-symlinks]
[nginx-symlinks]
# (nginx wants <prefix>/logs to be there from start - else it issues alarm to the log)
# (nginx wants <prefix>/logs to be there from start - else it issues alarm to the log)
recipe = cns.recipe.symlink
recipe = cns.recipe.symlink
symlink = ${nginx:log} = ${nginx:srv}/logs
symlink = ${nginx:log} = ${nginx:srv}/logs
[service-nginx]
[service-nginx]
recipe = slapos.cookbook:wrapper
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:service}/nginx
wrapper-path = ${directory:service}/nginx
...
...
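Review bot: `[nginx-generate-certificate]` runs `openssl req -newkey rsa` with neither a key size nor a signature digest, so the strength of the backend key and the certificate's signature algorithm come from whatever `openssl.cnf` ships with `{{ openssl_bin }}` (older OpenSSL configs default to 1024-bit RSA and SHA-1) — presumably not what the "Strong SSL Security" template on the nginx side intends. Pinning both is a one-word change: `{{ openssl_bin }} req -newkey rsa:2048 -sha256 -batch -new -x509 -days 3650 -nodes \`. The empty `update-command =` means the key pair is generated once and never regenerated, and the 3650-day certificate has no renewal path; a comment above it such as `# generated once; later buildout runs are a no-op, delete the files to regenerate` would save the next maintainer from guessing. The key file's mode also depends on the process umask — the 0700 `[nginx-ssl-dir]` covers it today, but appending `&& chmod 600 ${:key_file}` to the command would make that independent of the directory mode.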
software/gitlab/template/nginx-gitlab-http.conf.in
...
@@ -53,24 +53,22 @@ server {
...
@@ -53,24 +53,22 @@ server {
## Strong SSL Security
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl on;
{# TODO handle ssl certs: generate automatically (?)
ssl_certificate {{ nginx.cert_file }};
ssl_certificate {{ cfg('ssl_certificate') }};
ssl_certificate_key {{ nginx.key_file }};
ssl_certificate_key <%= @ssl_certificate_key %>;
{# we don't need - most root CA will be included by default
#}
{# TODO use from ca-certs
{% if cfg_bool('ssl_client_certificate') %}
{% if cfg_bool('ssl_client_certificate') %}
ssl_client_certificate <%= @ssl_client_certificate%>;
ssl_client_certificate <%= @ssl_client_certificate%>;
{% endif %}
{% endif %}
#}
#}
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
# XXX the above is
not relevant for us - we are beg
ind frontend and clients
# XXX the above is
not relevant for us - we are beh
ind frontend and clients
# directly connects to frontend
# directly connects to frontend
ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
ssl_protocols {{ cfg('nginx_ssl_protocols') }};
ssl_protocols {{ cfg('nginx_ssl_protocols') }};
ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
ssl_session_cache {{ cfg('nginx_ssl_session_cache') }};
ssl_session_cache {{ cfg('nginx_ssl_session_cache') }};
ssl_session_timeout {{ cfg('ssl_session_timeout') }};
ssl_session_timeout {{ cfg('
nginx_
ssl_session_timeout') }};
{# XXX do we need ssl_dharm ?
{# XXX do we need ssl_dharm ?
{% if cfg_bool('ssl_dhparam') %}
{% if cfg_bool('ssl_dhparam') %}
...
@@ -92,7 +90,7 @@ server {
...
@@ -92,7 +90,7 @@ server {
location /uploads/ {
location /uploads/ {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_https else ''}}
{{ 'gzip off' if cfg_https else ''}}
;
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -117,7 +115,7 @@ server {
...
@@ -117,7 +115,7 @@ server {
location @gitlab {
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_https else ''}}
{{ 'gzip off' if cfg_https else ''}}
;
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -158,7 +156,7 @@ server {
...
@@ -158,7 +156,7 @@ server {
location @gitlab-git-http-server {
location @gitlab-git-http-server {
## If you use HTTPS make sure you disable gzip compression
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_https else ''}}
{{ 'gzip off' if cfg_https else ''}}
;
## https://github.com/gitlabhq/gitlabhq/issues/694
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
## Some requests take more than 30 seconds.
...
@@ -184,9 +182,7 @@ server {
...
@@ -184,9 +182,7 @@ server {
## other files that need to be changed for relative url support
## other files that need to be changed for relative url support
location ~ ^/(assets)/ {
location ~ ^/(assets)/ {
root {{ gitlab_work.location }}/public;
root {{ gitlab_work.location }}/public;
{# TODO reenable after --with-http_gzip_static_module added to nginx
gzip_static on; # to serve pre-gzipped version
gzip_static on; # to serve pre-gzipped version
#}
expires max;
expires max;
add_header Cache-Control public;
add_header Cache-Control public;
}
}
...
...
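Review bot: In the three `location` hunks (`/uploads/`, `@gitlab`, `@gitlab-git-http-server`) the semicolon sits outside the Jinja expression, `{{ 'gzip off' if cfg_https else ''}};`, so one of the two branches always renders invalid nginx config: with `cfg_https` false the template emits a bare `;`, which nginx rejects at startup with `unexpected ";"`, and on the side without the `;` the https branch emits `gzip off` with no terminator, which nginx also refuses. The rendered page does not make it certain which side of the change carries the `;`, but the fix is the same either way — move it into the literal in all three places: `{{ 'gzip off;' if cfg_https else '' }}`. The enclosing `server { ... }` block starts and ends outside these hunks.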