{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn  with context %}

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

upstream gitlab-workhorse {
  ## Backend for every proxy_pass in this file. gitlab-workhorse is reached
  ## over a unix socket, so access to it is governed by the socket path's
  ## filesystem permissions rather than by a TCP port.
  server unix:{{ gitlab_workhorse.socket }};
}

{# not needed for us - the frontend can do the redirection, and gitlab/nginx also
   speaks HSTS on the https port, so when the https port is accessed via the http
   protocol, it gets redirected to https
<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;
}
<% end %>
#}

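server {
  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl http2{% endif %};

  {# we don't use: kerberos
  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
  <% end %>
  #}

  server_name {{ fqdn }};
  server_tokens off; ## Don't show the nginx version number, a security best practice

  {# NOTE(review) this file adds no Strict-Transport-Security header itself; the
     HSTS remark in the comment block above this server presumably relies on the
     frontend or the application emitting it - confirm. #}

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size {{ cfg('nginx_client_max_body_size') }};

  {% if cfg_https %}
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ## TLS is enabled by the "ssl" parameter of the listen directive above. The
  ## old "ssl on;" directive that used to be emitted here is redundant with it,
  ## deprecated since nginx 1.15.0 and removed in later releases, so it is gone.
  ssl_certificate {{ nginx.cert_file }};
  ssl_certificate_key {{ nginx.key_file }};
  {# we don't need - most root CA will be included by default
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
  #}

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  # NOTE(slapos) ^^^ is not relevant for us - we are behind frontend and clients
  #     directly connects to frontend
  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
  ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
  ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
  ssl_session_timeout  {{ cfg('nginx_ssl_session_timeout') }};

  {# we do not use: ssl_dhparam
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>
  #}
  {% endif %}

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  {# NOTE(slapos) the two conditions below used to be written as
     {% if '{{ cfg("...") }}' %}. A nested {{ }} is not expanded inside a
     {% %} tag, so that was a non-empty string literal and the test was always
     true, emitting e.g. "real_ip_header '';" when the parameter is unset.
     cfg() is a macro whose output is already used as a string elsewhere in
     this file (.split() on nginx_real_ip_trusted_addresses), so its trimmed
     output is tested directly. #}
  ## nginx rewrites the client address from real_ip_header only for connections
  ## coming from a set_real_ip_from address, so nginx_real_ip_trusted_addresses
  ## must list only the frontend proxy; otherwise a direct client could spoof
  ## the address recorded in the logs and passed on in X-Real-IP / X-Forwarded-For.
  {% if cfg("nginx_real_ip_header") | trim %}
  real_ip_header '{{ cfg("nginx_real_ip_header") }}';
  {% endif %}
  {% if cfg("nginx_real_ip_recursive") | trim %}
  real_ip_recursive '{{ cfg("nginx_real_ip_recursive") }}';
  {% endif %}
  {% for trusted_address in cfg("nginx_real_ip_trusted_addresses").split() %}
  set_real_ip_from {{ trusted_address }};
  {% endfor %}

  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;

  {# we do not support relative URL - path is always "/" #}
  {% set path = "/" %}
  location {{ path }} {
    # Set CORS header
    # Allow-Credentials is sent unconditionally below, so the configured origin
    # must be one specific origin: browsers reject a credentialed response whose
    # Allow-Origin is "*", and reflecting an arbitrary request origin here would
    # let any site issue authenticated cross-origin requests to this instance.
    add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
    add_header 'Access-Control-Allow-Credentials' true;

    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    {{ 'gzip off;' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
    proxy_redirect          off;

    proxy_http_version 1.1;

    # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
    #   - files/gitlab-config-template/gitlab.rb.template       nginx['proxy_set_headers']
    #   - files/gitlab-cookbooks/gitlab/attributes/default.rb   default['gitlab']['nginx']['proxy_set_headers']
    #   - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb     parse_nginx_proxy_headers()
    # (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
    # $remote_addr below is the address as rewritten by the realip configuration
    # above, i.e. the real client only when the frontend is a trusted address.
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    {% if cfg_https %}
    proxy_set_header    X-Forwarded-Ssl     on;
    {% endif %}
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};

    proxy_pass http://gitlab-workhorse;
  }

  ## Static error pages served from the GitLab checkout; "internal" keeps them
  ## reachable only through error_page, not by direct request.
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root {{ gitlab_work.location }}/public;
    internal;
  }

  {# we don't support custom nginx configs
  <%= @custom_gitlab_server_config %>
  #}
}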