gitlab 6.42 KB
Newer Older
Ben Bodenmiller's avatar
Ben Bodenmiller committed
1 2 3 4 5 6
## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
7 8 9 10 11 12 13
##        CONTRIBUTING          ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
##################################
Ben Bodenmiller's avatar
Ben Bodenmiller committed
14 15 16 17 18 19 20 21 22 23
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
24
## At the time of writing we do not know if either of these theoretical solutions works.
Ben Bodenmiller's avatar
Ben Bodenmiller committed
25 26 27 28 29 30 31 32 33 34
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################
##
35
## See installation.md#using-https for additional HTTPS configuration details.
36

37
upstream gitlab {
38
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
39 40
}

41 42 43
upstream gitlab-git-http-server {
  server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0;
}
44

Ben Bodenmiller's avatar
Ben Bodenmiller committed
45
## Normal HTTP host
46
server {
Luke Ashe-Browne's avatar
Luke Ashe-Browne committed
47
  ## Either remove "default_server" from the listen line below, 
48 49 50
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
51 52
  listen 0.0.0.0:80 default_server;
  listen [::]:80 default_server;
53 54
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
55
  root /home/git/gitlab/public;
Ben Bodenmiller's avatar
Ben Bodenmiller committed
56 57 58

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
59
  client_max_body_size 20m;
60

61 62
  ## See app/controllers/application_controller.rb for headers set

Ben Bodenmiller's avatar
Ben Bodenmiller committed
63
  ## Individual nginx logs for this GitLab vhost
64 65 66 67
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
Ben Bodenmiller's avatar
Ben Bodenmiller committed
68 69
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
70 71 72
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

73 74
  ## We route uploads through GitLab to prevent XSS and enforce access control.
  location /uploads/ {
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    # gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

91 92 93
    proxy_pass http://gitlab;
  }

Ben Bodenmiller's avatar
Ben Bodenmiller committed
94 95
  ## If a file, which is not found in the root folder is requested,
  ## then the proxy passes the request to the upsteam (gitlab unicorn).
96
  location @gitlab {
97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    # gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

113 114
    proxy_pass http://gitlab;
  }
Jacob Vosmaer's avatar
Jacob Vosmaer committed
115

116 117 118 119 120 121 122 123 124 125 126 127
  location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
    error_page 418 = @gitlab-git-http-server;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
    error_page 418 = @gitlab-git-http-server;
    return 418;
  }

128
  location ~ ^/api/v3/projects/.*/repository/archive {
129 130 131 132 133 134
    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
    error_page 418 = @gitlab-git-http-server;
    return 418;
  }

  location @gitlab-git-http-server {
135 136 137 138 139 140 141 142 143 144
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    # gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

145 146 147
    # Do not buffer Git HTTP responses
    proxy_buffering off;

148 149 150 151 152
    # The following settings only work with NGINX 1.7.11 or newer
    #
    # # Pass chunked request bodies to gitlab-git-http-server as-is
    # proxy_request_buffering off;
    # proxy_http_version 1.1;
153

154 155 156 157 158 159 160
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;

    proxy_pass http://gitlab-git-http-server;
  }
161

Ben Bodenmiller's avatar
Ben Bodenmiller committed
162 163 164 165 166 167
  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
168
    root /home/git/gitlab/public;
169 170 171 172 173
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }

Jacob Vosmaer's avatar
Jacob Vosmaer committed
174
  error_page 502 /502.html;
175
}