Commit d3305df7 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Experimental support for gitlab-git-http-server

https://gitlab.com/gitlab-org/gitlab-git-http-server

This change introduces the GITLAB_GRACK_AUTH_ONLY environment
variable. When set, Grack requests to GitLab will only respond with
the user's GL_ID (if the request is OK) or an error. This allows
gitlab-git-http-server to use the main GitLab application as an
authentication and authorization backend.

If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY
variable at some point in the future.
parent cd6046e1
......@@ -26,7 +26,12 @@ module Grack
auth!
if project && authorized_request?
if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
# Tell gitlab-git-http-server the request is OK, and what the GL_ID is
[200, { "Content-Type" => "text/plain" }, [Gitlab::ShellEnv.gl_id(@user)]]
else
@app.call(env)
end
elsif @user.nil? && !@gitlab_ci
unauthorized
else
......
......@@ -7,7 +7,7 @@ module Gitlab
def set_env(user)
# Set GL_ID env variable
if user
ENV['GL_ID'] = "user-#{user.id}"
ENV['GL_ID'] = gl_id(user)
end
end
......@@ -15,5 +15,9 @@ module Gitlab
# Reset GL_ID env variable
ENV['GL_ID'] = nil
end
def gl_id(user)
"user-#{user.id}"
end
end
end
......@@ -38,6 +38,11 @@ upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
}
## Experimental: gitlab-git-http-server
# upstream gitlab-git-http-server {
# server localhost:8181;
# }
## Normal HTTP host
server {
## Either remove "default_server" from the listen line below,
......@@ -109,6 +114,26 @@ server {
proxy_pass http://gitlab;
}
## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
# location ~ [-\/\w\.]+\.git\/ {
# ## If you use HTTPS make sure you disable gzip compression
# ## to be safe against BREACH attack.
# # gzip off;
# ## https://github.com/gitlabhq/gitlabhq/issues/694
# ## Some requests take more than 30 seconds.
# proxy_read_timeout 300;
# proxy_connect_timeout 300;
# proxy_redirect off;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://gitlab-git-http-server;
# }
## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below
......
......@@ -42,6 +42,11 @@ upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
}
## Experimental: gitlab-git-http-server
# upstream gitlab-git-http-server {
# server localhost:8181;
# }
## Redirects all HTTP traffic to the HTTPS host
server {
## Either remove "default_server" from the listen line below,
......@@ -156,6 +161,26 @@ server {
proxy_pass http://gitlab;
}
## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
# location ~ [-\/\w\.]+\.git\/ {
# ## If you use HTTPS make sure you disable gzip compression
# ## to be safe against BREACH attack.
# gzip off;
# ## https://github.com/gitlabhq/gitlabhq/issues/694
# ## Some requests take more than 30 seconds.
# proxy_read_timeout 300;
# proxy_connect_timeout 300;
# proxy_redirect off;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Ssl on;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://gitlab-git-http-server;
# }
## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment