Merge branch 'pages_docs' into 'master'

Pages docs See merge request !202

Merge branch 'pages_docs' into 'master'
Pages docs See merge request !202
568fe1e2 · Achilleas Pipinellis · 23a7d8bc · 350003ed · 568fe1e2 · 568fe1e2
Commit 568fe1e2 authored Feb 22, 2016 by Achilleas Pipinellis
5 changed files
--- a/doc/pages/administration.md
+++ b/doc/pages/administration.md
 # GitLab Pages Administration
-_**Note:** This feature was [introduced][ee-80] in GitLab EE 8.3_
+> **Note:**
+> This feature was first [introduced][ee-80] in GitLab EE 8.3.
+> Custom CNAMEs with TLS support were [introduced][ee-173] in GitLab EE 8.5.
+---
+This document describes how to set up the _latest_ GitLab Pages feature. Make
+sure to read the [changelog](#changelog) if you are upgrading to a new GitLab
+version as it may include new features and changes needed to be made in your
+configuration.
 If you are looking for ways to upload your static content in GitLab Pages, you
 probably want to read the [user documentation](README.md).
+[ee-80]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/80
+[ee-173]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/173
+---
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
+- [The GitLab Pages daemon](#the-gitlab-pages-daemon)
+    - [The GitLab Pages daemon and the case of custom domains](#the-gitlab-pages-daemon-and-the-case-of-custom-domains)
+    - [Install the Pages daemon](#install-the-pages-daemon)
+- [Configuration](#configuration)
+    - [Configuration prerequisites](#configuration-prerequisites)
+    - [Configuration scenarios](#configuration-scenarios)
+    - [DNS configuration](#dns-configuration)
+- [Setting up GitLab Pages](#setting-up-gitlab-pages)
+    - [Custom domains with HTTPS support](#custom-domains-with-https-support)
+    - [Custom domains without HTTPS support](#custom-domains-without-https-support)
+    - [Wildcard HTTP domain without custom domains](#wildcard-http-domain-without-custom-domains)
+    - [Wildcard HTTPS domain without custom domains](#wildcard-https-domain-without-custom-domains)
+- [NGINX configuration](#nginx-configuration)
+    - [NGINX configuration files](#nginx-configuration-files)
+    - [NGINX configuration for custom domains](#nginx-configuration-for-custom-domains)
+    - [NGINX caveats](#nginx-caveats)
+- [Set maximum pages size](#set-maximum-pages-size)
+- [Change storage path](#change-storage-path)
+- [Backup](#backup)
+- [Security](#security)
+- [Changelog](#changelog)
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+## The GitLab Pages daemon
+Starting from GitLab EE 8.5, GitLab Pages make use of the [GitLab Pages daemon],
+a simple HTTP server written in Go that can listen on an external IP address
+and provide support for custom domains and custom certificates. The GitLab
+Pages Daemon supports dynamic certificates through SNI and exposes pages using
+HTTP2 by default.
+Here is a brief list with what it is supported when using the pages daemon:
+- Multiple domains per-project
+- One TLS certificate per-domain
+  - Validation of certificate
+  - Validation of certificate chain
+  - Validation of private key against certificate
+You are encouraged to read its [README][pages-readme] to fully understand how
+it works.
+[gitlab pages daemon]: https://gitlab.com/gitlab-org/gitlab-pages
+[pages-readme]: https://gitlab.com/gitlab-org/gitlab-pages/blob/master/README.md
+### The GitLab Pages daemon and the case of custom domains
+In the case of custom domains, the Pages daemon needs to listen on ports `80`
+and/or `443`. For that reason, there is some flexibility in the way which you
+can set it up, so you basically have three choices:
+1. Run the pages daemon in the same server as GitLab, listening on a secondary IP
+1. Run the pages daemon in a separate server. In that case, the
+   [Pages path](#change-storage-path) must also be present in the server that
+   the pages daemon is installed, so you will have to share it via network.
+1. Run the pages daemon in the same server as GitLab, listening on the same IP
+   but on different ports. In that case, you will have to proxy the traffic with
+   a loadbalancer. If you choose that route note that you should use TCP load
+   balancing for HTTPS. If you use TLS-termination (HTTPS-load balancing) the
+   pages will not be able to be served with user provided certificates. For
+   HTTP it's OK to use HTTP or TCP load balancing.
+In this document, we will proceed assuming the first option. Let's begin by
+installing the pages daemon.
+### Install the Pages daemon
+**Source installations**
+```
+cd /home/git
+sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git
+cd gitlab-pages
+sudo -u git -H git checkout v0.2.0
+sudo -u git -H make
+```
+**Omnibus installations**
+The `gitlab-pages` daemon is included in the Omnibus package.
 ## Configuration
-There are a couple of things to consider before enabling GitLab pages in your
+There are multiple ways to set up GitLab Pages according to what URL scheme you
-GitLab EE instance.
+are willing to support.
+### Configuration prerequisites
+In the next section you will find all possible scenarios to choose from.
+In either scenario, you will need:
+1. To use the [GitLab Pages daemon](#the-gitlab-pages-daemon)
+1. A separate domain
+1. A separate Nginx configuration file which needs to be explicitly added in
+   the server under which GitLab EE runs (Omnibus does that automatically)
+1. (Optional) A wildcard certificate for that domain if you decide to serve
+   pages under HTTPS
+1. (Optional but recommended) [Shared runners](../ci/runners/README.md) so that
+   your users don't have to bring their own
+### Configuration scenarios
+Before proceeding with setting up GitLab Pages, you have to decide which route
+you want to take.
+The possible scenarios are depicted in the table below.
+| URL scheme | Option | Wildcard certificate | Custom domain with HTTP support | Custom domain with HTTPS support | Secondary IP |
+| --- |:---:|:---:|:---:|:---:|:---:|:---:|:---:|
+| `http://page.example.io`  | 1 | no  |  no | no | no |
+| `https://page.example.io` | 1 | yes |  no | no | no |
+| `http://page.example.io` and `http://page.com`   | 2 | no  |  yes    | no  | yes |
+| `https://page.example.io` and `https://page.com` | 2 | yes |  redirects to HTTPS | yes | yes |
-1. You need to properly configure your DNS to point to the domain that pages
+As you see from the table above, each URL scheme comes with an option:
-   will be served
-1. Pages use a separate Nginx configuration file which needs to be explicitly
-   added in the server under which GitLab EE runs
-1. Optionally but recommended, you can add some
-   [shared runners](../ci/runners/README.md) so that your users don't have to
-   bring their own.
-Both of these settings are described in detail in the sections below.
+1. Pages enabled, daemon is enabled and NGINX will proxy all requests to the
+   daemon. Pages daemon doesn't listen to the outside world.
+1. Pages enabled, daemon is enabled AND pages has external IP support enabled.
+   In that case, the pages daemon is running, NGINX still proxies requests to
+   the daemon but the daemon is also able to receive requests from the outside
+   world. Custom domains and TLS are supported.
 ### DNS configuration
@@ -27,29 +156,31 @@ you need to add a [wildcard DNS A record][wiki-wildcard-dns] pointing to the
 host that GitLab runs. For example, an entry would look like this:
 ```
-*.example.com. 60 IN A 1.2.3.4
+*.example.io. 1800 IN A 1.2.3.4
 ```
-where `example.com` is the domain under which GitLab Pages will be served
+where `example.io` is the domain under which GitLab Pages will be served
 and `1.2.3.4` is the IP address of your GitLab instance.
 You should not use the GitLab domain to serve user pages. For more information
 see the [security section](#security).
-### Omnibus package installations
+[wiki-wildcard-dns]: https://en.wikipedia.org/wiki/Wildcard_DNS_record
-See the relevant documentation at <http://doc.gitlab.com/omnibus/settings/pages.html>.
+## Setting up GitLab Pages
-### Installations from source
+Below are the four scenarios that are described in
+[#configuration-scenarios](#configuration-scenarios).
-1. Go to the GitLab installation directory:
+### Custom domains with HTTPS support
-     ```bash
+**Source installations:**
-     cd /home/git/gitlab
-     ```
-1. Edit `gitlab.yml` and under the `pages` setting, set `enabled` to `true` and
+1. [Install the pages daemon](#install-the-pages-daemon)
-   the `host` to the FQDN under which GitLab Pages will be served:
+1. Edit `gitlab.yml` to look like the example below. You need to change the
+   `host` to the FQDN under which GitLab Pages will be served. Set
+   `external_http` and `external_https` to the secondary IP on which the pages
+   daemon will listen for connections:
     ```yaml
     ## GitLab Pages
@@ -58,54 +189,156 @@ See the relevant documentation at <http://doc.gitlab.com/omnibus/settings/pages.
       # The location where pages are stored (default: shared/pages).
       # path: shared/pages
-       # The domain under which the pages are served:
+       host: example.io
-       # http://group.example.com/project
+       port: 443
-       # or project path can be a group page: group.example.com
+       https: true
-       host: example.com
-       port: 80 # Set to 443 if you serve the pages with HTTPS
+       external_http: 1.1.1.1:80
-       https: false # Set to true if you serve the pages with HTTPS
+       external_https: 1.1.1.1:443
     ```
-1. Make sure you have copied the new `gitlab-pages` Nginx configuration file:
+1. Edit `/etc/default/gitlab` and set `gitlab_pages_enabled` to `true` in
+   order to enable the pages daemon. In `gitlab_pages_options` the
+   `-pages-domain`, `-listen-http` and `-listen-https` must match the `host`,
+   `external_http` and `external_https` settings that you set above respectively.
+   The `-root-cert` and `-root-key` settings are the wildcard TLS certificates
+   of the `example.io` domain:
-    ```bash
+    ```
-    sudo cp lib/support/nginx/gitlab-pages /etc/nginx/sites-available/gitlab-pages.conf
+    gitlab_pages_enabled=true
-    sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages.conf
+    gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 1.1.1.1:80 -listen-https 1.1.1.1:443 -root-cert /path/to/example.io.crt -root-key /path/to/example.io.key
    ```
-    Don't forget to add your domain name in the Nginx config. For example if
+1. Make sure to [configure NGINX](#nginx-configuration) properly.
-    your GitLab pages domain is `example.com`, replace
+1. [Restart GitLab][restart]
-    ```bash
+---
-    server_name ~^(?<group>.*)\.YOUR_GITLAB_PAGES\.DOMAIN$;
-    ```
+**Omnibus installations:**
-    with
+1. Edit `/etc/gitlab/gitlab.rb`:
+    ```ruby
+    pages_external_url "https://example.io"
+    nginx['listen_addresses'] = ['1.1.1.1']
+    pages_nginx['enable'] = false
+    gitlab_pages['cert'] = "/etc/gitlab/ssl/example.io.crt"
+    gitlab_pages['cert_key'] = "/etc/gitlab/ssl/example.io.key"
+    gitlab_pages['external_http'] = '1.1.1.2:80'
+    gitlab_pages['external_https'] = '1.1.1.2:443'
    ```
-    server_name ~^(?<group>.*)\.example\.com$;
+    where `1.1.1.1` is the primary IP address that GitLab is listening to and
+    `1.1.1.2` the secondary IP where the GitLab Pages daemon listens to.
+    Read more at the
+    [NGINX configuration for custom domains](#nginx-configuration-for-custom-domains)
+    section.
+1. [Reconfigure GitLab][reconfigure]
+### Custom domains without HTTPS support
+**Source installations:**
+1. [Install the pages daemon](#install-the-pages-daemon)
+1. Edit `gitlab.yml` to look like the example below. You need to change the
+   `host` to the FQDN under which GitLab Pages will be served. Set
+   `external_http` to the secondary IP on which the pages daemon will listen
+   for connections:
+     ```yaml
+     pages:
+       enabled: true
+       # The location where pages are stored (default: shared/pages).
+       # path: shared/pages
+       host: example.io
+       port: 80
+       https: false
+       external_http: 1.1.1.1:80
     ```
-    You must be extra careful to not remove the backslashes. If you are using
+1. Edit `/etc/default/gitlab` and set `gitlab_pages_enabled` to `true` in
-    a subdomain, make sure to escape all dots (`.`) with a backslash (\).
+   order to enable the pages daemon. In `gitlab_pages_options` the
-    For example `pages.example.com` would be:
+   `-pages-domain` and `-listen-http` must match the `host` and `external_http`
+   settings that you set above respectively:
    ```
-    server_name ~^(?<group>.*)\.pages\.example\.com$;
+    gitlab_pages_enabled=true
+    gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 1.1.1.1:80"
    ```
-1. Restart Nginx and GitLab:
+1. Make sure to [configure NGINX](#nginx-configuration) properly.
+1. [Restart GitLab][restart]
+---
+**Omnibus installations:**
+1. Edit `/etc/gitlab/gitlab.rb`:
+    ```ruby
+    pages_external_url "https://example.io"
+    nginx['listen_addresses'] = ['1.1.1.1']
+    pages_nginx['enable'] = false
+    gitlab_pages['external_http'] = '1.1.1.2:80'
+    ```
+    where `1.1.1.1` is the primary IP address that GitLab is listening to and
+    `1.1.1.2` the secondary IP where the GitLab Pages daemon listens to.
+    Read more at the
+    [NGINX configuration for custom domains](#nginx-configuration-for-custom-domains)
+    section.
+1. [Reconfigure GitLab][reconfigure]
+### Wildcard HTTP domain without custom domains
+**Source installations:**
+1. [Install the pages daemon](#install-the-pages-daemon)
+1. Go to the GitLab installation directory:
     ```bash
-    sudo service nginx restart
+     cd /home/git/gitlab
-    sudo service gitlab restart
     ```
-### Running GitLab Pages with HTTPS
+1. Edit `gitlab.yml` and under the `pages` setting, set `enabled` to `true` and
+   the `host` to the FQDN under which GitLab Pages will be served:
+     ```yaml
+     ## GitLab Pages
+     pages:
+       enabled: true
+       # The location where pages are stored (default: shared/pages).
+       # path: shared/pages
+       host: example.io
+       port: 80
+       https: false
+     ```
+1. Make sure to [configure NGINX](#nginx-configuration) properly.
+1. [Restart GitLab][restart]
+---
+**Omnibus installations:**
-If you want the pages to be served under HTTPS, a wildcard SSL certificate is
+1. Set the external URL for GitLab Pages in `/etc/gitlab/gitlab.rb`:
-required.
+    ```ruby
+    pages_external_url 'http://example.io'
+    ```
+1. [Reconfigure GitLab][reconfigure]
+### Wildcard HTTPS domain without custom domains
+**Source installations:**
+1. [Install the pages daemon](#install-the-pages-daemon)
 1. In `gitlab.yml`, set the port to `443` and https to `true`:
     ```bash
@@ -115,24 +348,98 @@ required.
       # The location where pages are stored (default: shared/pages).
       # path: shared/pages
-       # The domain under which the pages are served:
+       host: example.io
-       # http://group.example.com/project
+       port: 443
-       # or project path can be a group page: group.example.com
+       https: true
-       host: example.com
-       port: 443 # Set to 443 if you serve the pages with HTTPS
-       https: true # Set to true if you serve the pages with HTTPS
     ```
-1. Copy the `gitlab-pages-ssl` Nginx configuration file:
+1. Make sure to [configure NGINX](#nginx-configuration) properly.
-    ```bash
+---
-    sudo cp lib/support/nginx/gitlab-pages-ssl /etc/nginx/sites-available/gitlab-pages-ssl.conf
-    sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages.conf
+**Omnibus installations:**
+1. Place the certificate and key inside `/etc/gitlab/ssl`
+1. In `/etc/gitlab/gitlab.rb` specify the following configuration:
+    ```ruby
+    pages_external_url 'https://example.io'
+    pages_nginx['redirect_http_to_https'] = true
+    pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/pages-nginx.crt"
+    pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
    ```
-    Make sure to edit the config to add your domain as well as correctly point
+    where `pages-nginx.crt` and `pages-nginx.key` are the SSL cert and key,
-    to the right location of the SSL certificate files. Restart Nginx for the
+    respectively.
-    changes to take effect.
+1. [Reconfigure GitLab][reconfigure]
+## NGINX configuration
+Depending on your setup, you will need to make some changes to NGINX.
+Specifically you must change the domain name and the IP address where NGINX
+listens to. Read the following sections for more details.
+### NGINX configuration files
+Copy the `gitlab-pages-ssl` Nginx configuration file:
+```bash
+sudo cp lib/support/nginx/gitlab-pages-ssl /etc/nginx/sites-available/gitlab-pages-ssl.conf
+sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages-ssl.conf
+```
+Replace `gitlab-pages-ssl` with `gitlab-pages` if you are not using SSL.
+### NGINX configuration for custom domains
+> If you are not using custom domains ignore this section.
+[In the case of custom domains](#the-gitlab-pages-daemon-and-the-case-of-custom-domains),
+if you have the secondary IP address configured on the same server as GitLab,
+you need to change **all** NGINX configs to listen on the first IP address.
+**Source installations:**
+1. Edit all GitLab related configs in `/etc/nginx/site-available/` and replace
+   `0.0.0.0` with `1.1.1.1`, where `1.1.1.1` the primary IP where GitLab
+   listens to.
+1. Restart NGINX
+**Omnibus installations:**
+1. Edit `/etc/gitlab/gilab.rb`:
+    ```
+    nginx['listen_addresses'] = ['1.1.1.1']
+    ```
+1. [Reconfigure GitLab][reconfigure]
+### NGINX caveats
+Be extra careful when setting up the domain name in the NGINX config. You must
+not remove the backslashes.
+If your GitLab pages domain is `example.io`, replace:
+```bash
+server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;
+```
+with:
+```
+server_name ~^.*\.example\.io$;
+```
+If you are using a subdomain, make sure to escape all dots (`.`) except from
+the first one with a backslash (\). For example `pages.example.io` would be:
+```
+server_name ~^.*\.pages\.example\.io$;
+```
 ## Set maximum pages size
@@ -142,31 +449,79 @@ The default is 100MB.
 ## Change storage path
-Pages are stored by default in `/home/git/gitlab/shared/pages`.
+**Source installations:**
-If you wish to store them in another location you must set it up in
-`gitlab.yml` under the `pages` section:
-```yaml
+1. Pages are stored by default in `/home/git/gitlab/shared/pages`.
-pages:
+   If you wish to store them in another location you must set it up in
+   `gitlab.yml` under the `pages` section:
+     ```yaml
+     pages:
       enabled: true
       # The location where pages are stored (default: shared/pages).
       path: /mnt/storage/pages
-```
+     ```
-Restart GitLab for the changes to take effect:
+1. [Restart GitLab][restart]
-```bash
+**Omnibus installations:**
-sudo service gitlab restart
-```
+1. Pages are stored by default in `/var/opt/gitlab/gitlab-rails/shared/pages`.
+   If you wish to store them in another location you must set it up in
+   `/etc/gitlab/gitlab.rb`:
+     ```ruby
+     gitlab_rails['pages_path'] = "/mnt/storage/pages"
+     ```
+1. [Reconfigure GitLab][reconfigure]
 ## Backup
-Pages are part of the regular backup so there is nothing to configure.
+Pages are part of the [regular backup][backup] so there is nothing to configure.
 ## Security
 You should strongly consider running GitLab pages under a different hostname
 than GitLab to prevent XSS attacks.
-[ee-80]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/80
+## Changelog
-[wiki-wildcard-dns]: https://en.wikipedia.org/wiki/Wildcard_DNS_record
+GitLab Pages were first introduced in GitLab EE 8.3. Since then, many features
+where added, like custom CNAME and TLS support, and many more are likely to
+come. Below is a brief changelog. If no changes were introduced or a version is
+missing from the changelog, assume that the documentation is the same as the
+latest previous version.
+---
+**GitLab 8.5 ([documentation][8-5-docs])**
+- In GitLab 8.5 we introduced the [gitlab-pages][] daemon which is now the
+  recommended way to set up GitLab Pages.
+- The [NGINX configs][] have changed to reflect this change. So make sure to
+  update them.
+- Custom CNAME and TLS certificates support
+- Documentation was moved to one place
+[8-5-docs]: https://gitlab.com/gitlab-org/gitlab-ee/blob/8-5-stable-ee/doc/pages/administration.md
+[gitlab-pages]: https://gitlab.com/gitlab-org/gitlab-pages/tree/v0.2.0
+[NGINX configs]: https://gitlab.com/gitlab-org/gitlab-ee/tree/8-5-stable-ee/lib/support/nginx
+---
+**GitLab 8.4**
+No new changes.
+---
+**GitLab 8.3 ([source docs][8-3-docs], [Omnibus docs][8-3-omnidocs])**
+- GitLab Pages feature was introduced.
+[8-3-docs]: https://gitlab.com/gitlab-org/gitlab-ee/blob/8-3-stable-ee/doc/pages/administration.md
+[8-3-omnidocs]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-3-stable-ee/doc/settings/pages.md
+[reconfigure]: ../../administration/restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart]: ../../administration/restart_gitlab.md#installations-from-source
+[backup]: ../../raketasks/backup_restore.md
--- a/lib/support/init.d/gitlab
+++ b/lib/support/init.d/gitlab
@@ -42,6 +42,11 @@ gitlab_workhorse_dir=$(cd $app_root/../gitlab-workhorse 2> /dev/null && pwd)
 gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid"
 gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 -authSocket $rails_socket -documentRoot $app_root/public"
 gitlab_workhorse_log="$app_root/log/gitlab-workhorse.log"
+gitlab_pages_enabled=false
+gitlab_pages_dir=$(cd $app_root/../gitlab-pages 2> /dev/null && pwd)
+gitlab_pages_pid_path="$pid_path/gitlab-pages.pid"
+gitlab_pages_options="-pages-domain example.com -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090"
+gitlab_pages_log="$app_root/log/gitlab-pages.log"
 shell_path="/bin/bash"
 # Read configuration variable file if it is present
@@ -89,13 +94,20 @@ check_pids(){
      mpid=0
    fi
  fi
+  if [ "$gitlab_pages_enabled" = true ]; then
+    if [ -f "$gitlab_pages_pid_path" ]; then
+      gppid=$(cat "$gitlab_pages_pid_path")
+    else
+      gppid=0
+    fi
+  fi
 }
 ## Called when we have started the two processes and are waiting for their pid files.
 wait_for_pids(){
  # We are sleeping a bit here mostly because sidekiq is slow at writing its pid
  i=0;
-  while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || [ ! -f $gitlab_workhorse_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; }; do
+  while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || [ ! -f $gitlab_workhorse_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ] || { [ "$gitlab_pages_enabled" = true ] && [ ! -f $gitlab_pages_pid_path ]; }; do
    sleep 0.1;
    i=$((i+1))
    if [ $((i%10)) = 0 ]; then
@@ -144,7 +156,15 @@ check_status(){
      mail_room_status="-1"
    fi
  fi
-  if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && [ $gitlab_workhorse_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; }; then
+  if [ "$gitlab_pages_enabled" = true ]; then
+    if [ $gppid -ne 0 ]; then
+      kill -0 "$gppid" 2>/dev/null
+      gitlab_pages_status="$?"
+    else
+      gitlab_pages_status="-1"
+    fi
+  fi
+  if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && [ $gitlab_workhorse_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; } && { [ "$gitlab_pages_enabled" != true ] || [ $gitlab_pages_status = 0 ]; }; then
    gitlab_status=0
  else
    # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
@@ -186,12 +206,19 @@ check_stale_pids(){
      exit 1
    fi
  fi
+  if [ "$gitlab_pages_enabled" = true ] && [ "$gppid" != "0" ] && [ "$gitlab_pages_status" != "0" ]; then
+    echo "Removing stale GitLab Pages job dispatcher pid. This is most likely caused by GitLab Pages crashing the last time it ran."
+    if ! rm "$gitlab_pages_pid_path"; then
+      echo "Unable to remove stale pid, exiting"
+      exit 1
+    fi
+  fi
 }
 ## If no parts of the service is running, bail out.
 exit_if_not_running(){
  check_stale_pids
-  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; }; then
    echo "GitLab is not running."
    exit
  fi
@@ -213,6 +240,9 @@ start_gitlab() {
  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" != "0" ]; then
    echo "Starting GitLab MailRoom"
  fi
+  if [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" != "0" ]; then
+    echo "Starting GitLab Pages"
+  fi
  # Then check if the service is running. If it is: don't start again.
  if [ "$web_status" = "0" ]; then
@@ -252,6 +282,16 @@ start_gitlab() {
    fi
  fi
+  if [ "$gitlab_pages_enabled" = true ]; then
+    if [ "$gitlab_pages_status" = "0" ]; then
+      echo "The GitLab Pages is already running with pid $spid, not restarting"
+    else
+      $app_root/bin/daemon_with_pidfile $gitlab_pages_pid_path  \
+          $gitlab_pages_dir/gitlab-pages $gitlab_pages_options \
+        >> $gitlab_pages_log 2>&1 &
+    fi
+  fi
  # Wait for the pids to be planted
  wait_for_pids
  # Finally check the status to tell wether or not GitLab is running
@@ -278,13 +318,17 @@ stop_gitlab() {
    echo "Shutting down GitLab MailRoom"
    RAILS_ENV=$RAILS_ENV bin/mail_room stop
  fi
+  if [ "$gitlab_pages_status" = "0" ]; then
+    echo "Shutting down gitlab-pages"
+    kill -- $(cat $gitlab_pages_pid_path)
+  fi
  # If something needs to be stopped, lets wait for it to stop. Never use SIGKILL in a script.
-  while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do
+  while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; } || { [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" = "0" ]; }; do
    sleep 1
    check_status
    printf "."
-    if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+    if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; }; then
      printf "\n"
      break
    fi
@@ -298,6 +342,7 @@ stop_gitlab() {
  if [ "$mail_room_enabled" = true ]; then
    rm "$mail_room_pid_path" 2>/dev/null
  fi
+  rm -f "$gitlab_pages_pid_path"
  print_status
 }
@@ -305,7 +350,7 @@ stop_gitlab() {
 ## Prints the status of GitLab and its components.
 print_status() {
  check_status
-  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
+  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; }; then
    echo "GitLab is not running."
    return
  fi
@@ -331,7 +376,14 @@ print_status() {
        printf "The GitLab MailRoom email processor is \033[31mnot running\033[0m.\n"
    fi
  fi
-  if [ "$web_status" = "0" ] && [ "$sidekiq_status" = "0" ] && [ "$gitlab_workhorse_status" = "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" = "0" ]; }; then
+  if [ "$gitlab_pages_enabled" = true ]; then
+    if [ "$gitlab_pages_status" = "0" ]; then
+        echo "The GitLab Pages with pid $mpid is running."
+    else
+        printf "The GitLab Pages is \033[31mnot running\033[0m.\n"
+    fi
+  fi
+  if [ "$web_status" = "0" ] && [ "$sidekiq_status" = "0" ] && [ "$gitlab_workhorse_status" = "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" = "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" = "0" ]; }; then
    printf "GitLab and all its components are \033[32mup and running\033[0m.\n"
  fi
 }
@@ -362,7 +414,7 @@ reload_gitlab(){
 ## Restarts Sidekiq and Unicorn.
 restart_gitlab(){
  check_status
-  if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then
+  if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; } || { [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" = "0" ]; }; then
    stop_gitlab
  fi
  start_gitlab

--- a/lib/support/init.d/gitlab.default.example
+++ b/lib/support/init.d/gitlab.default.example
@@ -47,6 +47,30 @@ gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid"
 gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 -authSocket $socket_path/gitlab.socket -documentRoot $app_root/public"
 gitlab_workhorse_log="$app_root/log/gitlab-workhorse.log"
+# The GitLab Pages Daemon needs either a separate IP address on which it will
+# listen or use different ports than 80 or 443 that will be forwarded to GitLab
+# Pages Daemon.
+#
+# To enable HTTP support for custom domains add the `-listen-http` directive
+# in `gitlab_pages_options` below.
+# The value of -listen-http must be set to `gitlab.yml > pages > external_http`
+# as well. For example:
+#
+#   -listen-http 1.1.1.1:80
+#
+# To enable HTTPS support for custom domains add the `-listen-https`,
+# `-root-cert` and `-root-key` directives in `gitlab_pages_options` below.
+# The value of -listen-https must be set to `gitlab.yml > pages > external_https`
+# as well. For example:
+#
+#   -listen-https 1.1.1.1:443 -root-cert /path/to/example.com.crt -root-key /path/to/example.com.key
+#
+# The -pages-domain must be specified the same as in `gitlab.yml > pages > host`.
+# Set `gitlab_pages_enabled=true` if you want to enable the Pages feature.
+gitlab_pages_enabled=false
+gitlab_pages_options="-pages-domain example.com -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090"
+gitlab_pages_log="$app_root/log/gitlab-pages.log"
 # mail_room_enabled specifies whether mail_room, which is used to process incoming email, is enabled.
 # This is required for the Reply by email feature.
 # The default is "false"

--- a/lib/support/nginx/gitlab-pages
+++ b/lib/support/nginx/gitlab-pages
@@ -7,21 +7,19 @@ server {
  listen [::]:80 ipv6only=on;
  ## Replace this with something like pages.gitlab.com
-  server_name ~^(?<group>.*)\.YOUR_GITLAB_PAGES\.DOMAIN$;
+  server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;
-  root /home/git/gitlab/shared/pages/${group};
  ## Individual nginx logs for GitLab pages
  access_log  /var/log/nginx/gitlab_pages_access.log;
  error_log   /var/log/nginx/gitlab_pages_error.log;
-  # 1. Try to get /path/ from shared/pages/${group}/${path}/public/
+  location / {
-  # 2. Try to get / from shared/pages/${group}/${host}/public/
+    proxy_set_header    Host                $http_host;
-  location ~ ^/([^/]*)(/.*)?$ {
+    proxy_set_header    X-Real-IP           $remote_addr;
-    try_files "/$1/public$2"
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-              "/$1/public$2/index.html"
+    proxy_set_header    X-Forwarded-Proto   $scheme;
-              "/${host}/public/${uri}"
+    # The same address as passed to GitLab Pages: `-listen-proxy`
-              "/${host}/public/${uri}/index.html"
+    proxy_pass          http://localhost:8090/;
-              =404;
  }
  # Define custom error pages

--- a/lib/support/nginx/gitlab-pages-ssl
+++ b/lib/support/nginx/gitlab-pages-ssl
@@ -11,7 +11,7 @@ server {
  listen [::]:80 ipv6only=on;
  ## Replace this with something like pages.gitlab.com
-  server_name ~^(?<group>.*)\.YOUR_GITLAB_PAGES\.DOMAIN$;
+  server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301  https://$http_host$request_uri;
@@ -23,12 +23,11 @@ server {
 ## Pages serving host
 server {
  listen 0.0.0.0:443 ssl;
-  listen [::]:443 ipv6only=on ssl;
+  listen [::]:443 ipv6only=on ssl http2;
  ## Replace this with something like pages.gitlab.com
-  server_name ~^(?<group>.*)\.YOUR_GITLAB_PAGES\.DOMAIN$;
+  server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
-  root /home/git/gitlab/shared/pages/${group};
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
@@ -63,14 +62,13 @@ server {
  access_log  /var/log/nginx/gitlab_pages_access.log;
  error_log   /var/log/nginx/gitlab_pages_error.log;
-  # 1. Try to get /path/ from shared/pages/${group}/${path}/public/
+  location / {
-  # 2. Try to get / from shared/pages/${group}/${host}/public/
+    proxy_set_header    Host                $http_host;
-  location ~ ^/([^/]*)(/.*)?$ {
+    proxy_set_header    X-Real-IP           $remote_addr;
-    try_files "/$1/public$2"
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-              "/$1/public$2/index.html"
+    proxy_set_header    X-Forwarded-Proto   $scheme;
-              "/${host}/public/${uri}"
+    # The same address as passed to GitLab Pages: `-listen-proxy`
-              "/${host}/public/${uri}/index.html"
+    proxy_pass          http://localhost:8090/;
-              =404;
  }
  # Define custom error pages