Commit d11ace24 authored by Stan Hu's avatar Stan Hu Committed by Michael Kozono

Support setting Rails asset host via gitlab.yml

Previously the only way to set the Rails asset host was via the
`GITLAB_CDN_HOST` environment variable. This still works, but the
`gitlab.cdn_host` config parameter can now be used to better manage this
setting.

Relates to #332695

Changelog: added
parent d323d728
...@@ -51,9 +51,6 @@ Rails.application.configure do ...@@ -51,9 +51,6 @@ Rails.application.configure do
# Use a different logger for distributed setups # Use a different logger for distributed setups
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new) # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Enable serving of images, stylesheets, and JavaScripts from an asset server
config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
# Do not dump schema after migrations. # Do not dump schema after migrations.
config.active_record.dump_schema_after_migration = false config.active_record.dump_schema_after_migration = false
......
...@@ -33,6 +33,10 @@ production: &base ...@@ -33,6 +33,10 @@ production: &base
host: localhost host: localhost
port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncomment this line if you want to configure the Rails asset host for a CDN.
# cdn_host: localhost
# The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout. # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
# Default is 95% of the worker timeout # Default is 95% of the worker timeout
max_request_duration_seconds: 57 max_request_duration_seconds: 57
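Review bot: The new `cdn_host` comment does not mention that the value is also added to the Content Security Policy, and the sample value `localhost` has no scheme while the specs in this commit use `https://...` values. Because `allow_cdn` appends the host to `script_src`, `style_src` and `font_src`, whoever serves that host can deliver script and styles to GitLab pages, which an operator should know before uncommenting the line. Suggested wording: `# Assets are loaded from this host and it is added to the CSP script_src/style_src/font_src, so use a CDN you control, e.g. https://cdn.example.com`.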
......
...@@ -164,6 +164,7 @@ Settings.gitlab['default_branch_protection'] ||= 2 ...@@ -164,6 +164,7 @@ Settings.gitlab['default_branch_protection'] ||= 2
Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil? Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil? Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost' Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
Settings.gitlab['cdn_host'] ||= ENV['GITLAB_CDN_HOST'].presence
Settings.gitlab['ssh_host'] ||= Settings.gitlab.host Settings.gitlab['ssh_host'] ||= Settings.gitlab.host
Settings.gitlab['https'] = false if Settings.gitlab['https'].nil? Settings.gitlab['https'] = false if Settings.gitlab['https'].nil?
Settings.gitlab['port'] ||= ENV['GITLAB_PORT'] || (Settings.gitlab.https ? 443 : 80) Settings.gitlab['port'] ||= ENV['GITLAB_PORT'] || (Settings.gitlab.https ? 443 : 80)
...@@ -209,7 +210,7 @@ Settings.gitlab.default_projects_features['visibility_level'] = Settings.__sen ...@@ -209,7 +210,7 @@ Settings.gitlab.default_projects_features['visibility_level'] = Settings.__sen
Settings.gitlab['domain_allowlist'] ||= [] Settings.gitlab['domain_allowlist'] ||= []
Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
Settings.gitlab['trusted_proxies'] ||= [] Settings.gitlab['trusted_proxies'] ||= []
Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash(Settings.gitlab['cdn_host'])
Settings.gitlab['allowed_hosts'] ||= [] Settings.gitlab['allowed_hosts'] ||= []
Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml')) Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml'))
Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil? Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil?
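Review bot: On the `content_security_policy` line, `||=` means the CDN host only reaches the policy when the default settings hash is used. If an administrator supplies their own `content_security_policy` in gitlab.yml, `cdn_host` still becomes the asset host but is not added to any directive, so the browser would presumably block the CDN assets. The same was true for `GITLAB_CDN_HOST` before this commit, but it is easier to hit now that both settings sit in the same file. A comment above the line would help, e.g. `# cdn_host is only added to the default CSP; a custom content_security_policy must list it explicitly.`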
......
# frozen_string_literal: true
if Gitlab.config.gitlab.cdn_host.present?
Rails.application.configure do
config.after_initialize do
# Enable serving of images, stylesheets, and JavaScripts from an asset server
Rails.application.config.action_controller.asset_host = Gitlab.config.gitlab.cdn_host
# If ActionController::Base is called before this initializer, then we must set
# the configuration directly.
# See https://github.com/rails/rails/issues/16209
ActionController::Base.asset_host = Gitlab.config.gitlab.cdn_host
end
end
end
...@@ -7,7 +7,7 @@ module Gitlab ...@@ -7,7 +7,7 @@ module Gitlab
form_action frame_ancestors frame_src img_src manifest_src form_action frame_ancestors frame_src img_src manifest_src
media_src object_src report_uri script_src style_src worker_src).freeze media_src object_src report_uri script_src style_src worker_src).freeze
def self.default_settings_hash def self.default_settings_hash(cdn_host)
settings_hash = { settings_hash = {
'enabled' => Rails.env.development? || Rails.env.test?, 'enabled' => Rails.env.development? || Rails.env.test?,
'report_only' => false, 'report_only' => false,
...@@ -36,7 +36,7 @@ module Gitlab ...@@ -36,7 +36,7 @@ module Gitlab
settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src'] settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']
allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? allow_cdn(settings_hash, cdn_host) if cdn_host.present?
allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present? allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
settings_hash settings_hash
...@@ -75,9 +75,7 @@ module Gitlab ...@@ -75,9 +75,7 @@ module Gitlab
append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}") append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}")
end end
def self.allow_cdn(settings_hash) def self.allow_cdn(settings_hash, cdn_host)
cdn_host = ENV['GITLAB_CDN_HOST']
append_to_directive(settings_hash, 'script_src', cdn_host) append_to_directive(settings_hash, 'script_src', cdn_host)
append_to_directive(settings_hash, 'style_src', cdn_host) append_to_directive(settings_hash, 'style_src', cdn_host)
append_to_directive(settings_hash, 'font_src', cdn_host) append_to_directive(settings_hash, 'font_src', cdn_host)
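Review bot: In `allow_cdn`, `cdn_host` is passed to `append_to_directive` unchanged for `script_src`, `style_src` and `font_src`, and nothing visible in this commit checks its shape. Now that the value can come from gitlab.yml as well as the environment, a typo containing whitespace or a `;` would presumably widen the policy with extra sources or directives instead of adding one host. Consider validating it once where the setting is read, for example parsing it with `URI.parse` and requiring an `http` or `https` scheme and a host, and failing startup with a clear message otherwise. The body of `allow_cdn` continues outside the hunk, so any handling after the `font_src` line is not visible here.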
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'Rails asset host initializer' do
def load_initializer
load Rails.root.join('config/initializers/rails_asset_host.rb')
end
subject { Rails.application.config.action_controller.asset_host }
it 'uses no asset host by default' do
load_initializer
expect(subject).to be nil
end
context 'with cdn_host defined in gitlab.yml' do
before do
stub_config_setting(cdn_host: 'https://gitlab.example.com')
end
it 'returns https://gitlab.example.com' do
load_initializer
expect(subject).to eq('https://gitlab.example.com')
end
end
end
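Review bot: The spec leaves global state behind: `load_initializer` in the `cdn_host` context assigns both `Rails.application.config.action_controller.asset_host` and `ActionController::Base.asset_host`, and nothing restores them. The initializer does nothing when `cdn_host` is blank, so 'uses no asset host by default' would likely fail when it runs after the other example, and later specs in the same process would see the CDN host. An `around` hook that saves both values before the example and assigns them back afterwards would isolate the examples. It would also be worth asserting `ActionController::Base.asset_host`, since that is the value the initializer's own comment says matters when the controller class is already loaded.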
...@@ -4,6 +4,7 @@ require 'spec_helper' ...@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
let(:policy) { ActionDispatch::ContentSecurityPolicy.new } let(:policy) { ActionDispatch::ContentSecurityPolicy.new }
let(:cdn_host) { nil }
let(:csp_config) do let(:csp_config) do
{ {
enabled: true, enabled: true,
...@@ -20,7 +21,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -20,7 +21,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
describe '.default_settings_hash' do describe '.default_settings_hash' do
let(:settings) { described_class.default_settings_hash } let(:settings) { described_class.default_settings_hash(cdn_host) }
it 'returns defaults for all keys' do it 'returns defaults for all keys' do
expect(settings['enabled']).to be_truthy expect(settings['enabled']).to be_truthy
...@@ -48,12 +49,10 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -48,12 +49,10 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
end end
context 'when GITLAB_CDN_HOST is set' do context 'when CDN host is defined' do
before do let(:cdn_host) { 'https://example.com' }
stub_env('GITLAB_CDN_HOST', 'https://example.com')
end
it 'adds GITLAB_CDN_HOST to CSP' do it 'adds CDN host to CSP' do
directives = settings['directives'] directives = settings['directives']
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com") expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
......