X Nginx started to start and listen

software/gitlab/gitlab-parameters.cfg

@@ -10,6 +10,10 @@
 #   last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
 #   TODO recheck )
 
+# TODO move to proper place and merge related from omnibus
+configuration.https = false
+
+
 configuration.rate_limit_requests_per_period    = 10
 configuration.rate_limit_period                 = 60
 
@@ -66,12 +70,21 @@ configuration.unicorn_worker_processes  = 2
 configuration.unicorn_tcp_nopush        = true
 
 # nginx
-configuration.nginx_proxy_read_timeout  = 300
-configuration.nginx_proxy_connect_timeout  = 300
+configuration.nginx_client_max_body_size    = 250m
+configuration.nginx_redirect_http_to_https  = false
+# TODO -> generate certificate automatically
+# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
+# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
+# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
+
+
+configuration.nginx_proxy_read_timeout      = 300
+configuration.nginx_proxy_connect_timeout   = 300
 
 # nginx advanced
 configuration.nginx_worker_processes    = 4
 configuration.nginx_worker_connections  = 10240
+configuration.nginx_log_format          = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
 configuration.nginx_sendfile            = on
 configuration.nginx_tcp_nopush          = on
 configuration.nginx_tcp_nodelay         = on

software/gitlab/instance-gitlab.cfg.in

@@ -201,12 +201,16 @@ context =
     section gitlab_backend          gitlab-backend
     section directory               directory
     raw     mime_types              {{ mime_types }}
-#   raw     nginx_gitlab_http_conf  ${nginx-gitlab-http.conf:rendered}
+    raw     nginx_gitlab_http_conf  ${nginx-gitlab-http.conf:rendered}
 
 [nginx-gitlab-http.conf]
 <= nginx-etc-template
 template= {{ nginx_gitlab_http_conf_in }}
-context = ...
+context =
+    section instance_parameter      instance-parameter
+    section gitlab_backend          gitlab-backend
+    section nginx                   nginx
+    section gitlab_root_shadow      gitlab-root-shadow
 
 # TODO log: logrotate
 

software/gitlab/macrolib.cfg.in

@@ -3,3 +3,7 @@
 {# cfg(name) -> instance_parameter:configuration.<name> #}
 {% macro cfg(name) %}{{ instance_parameter[str("configuration." + name)] }}{% endmacro %}
 
+{# cfg_bool(name) - like cfg(name), but returns 'true'/''
+   NOTE macros can return only strings - that's why '' is used for false #}
+{% macro cfg_bool(name) %}{{ 'true' if (cfg(name).lower() in ('true', 'yes')) else '' }}{% endmacro %}
+

software/gitlab/template/nginx-gitlab-http.conf.in

@@ -3,18 +3,24 @@
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
 # (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
 
+{% from 'macrolib.cfg.in' import cfg, cfg_bool  with context %}
+
 # TODO unix socket of unicorn
 upstream gitlab {
-  server unix:<%= @socket %> fail_timeout=0;
+  {# TODO reenable #}
+  {# server unix:<%= @socket %> fail_timeout=0; #}
+  server unix:/dev/null fail_timeout=0;
 }
 
 # TODO unix socket of gitlab-git-http-server
 upstream gitlab-git-http-server {
+  {# TODO reenable
   server unix:<%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %>;
+  #}
+  server unix:/dev/null fail_timeout=0;
 }
 
-# TODO -> conf parameters
-{% if cfg('https') && cfg('redirect_http_to_https') %}
+{% if cfg_bool('https') and cfg_bool('nginx_redirect_http_to_https') %}
 ## Redirects all HTTP traffic to the HTTPS host
 server {
 <% @listen_addresses.each do |listen_address| %>
@@ -29,31 +35,36 @@ server {
 {% endif %}
 
 server {
-  listen {{ gitlab_backend.host }}:{{ gitlab_backend.port }}{% if cfg('https') %} ssl spdy{% endif %};
+  listen [{{ gitlab_backend.host }}]:{{ gitlab_backend.port }}{% if cfg_bool('https') %} ssl spdy{% endif %};
 
-  # we don't use: kerbeeros
-  # <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
-  # listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
-  # <% end %>
+  {# we don't use: kerbeeros
+  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
+  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
+  <% end %>
+  #}
 
   # XXX fqdn
   server_name <%= @fqdn %>;
   server_tokens off; ## Don't show the nginx version number, a security best practice
-  root ${gitlab-root-shadow:location}/public;
+  root {{ gitlab_root_shadow.location }}/public;
 
   ## Increase this if you want to upload large attachments
   ## Or if you want to accept large git objects over http
-  client_max_body_size {{ cfg('client_max_body_size') }};
+  client_max_body_size {{ cfg('nginx_client_max_body_size') }};
 
-  {% if cfg('https') %}
+  {% if cfg_bool('https') %}
   ## Strong SSL Security
   ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
   ssl on;
+  {# TODO handle ssl certs: generate automatically (?)
   ssl_certificate {{ cfg('ssl_certificate') }};
   ssl_certificate_key <%= @ssl_certificate_key %>;
-  {% if cfg('ssl_client_certificate') %}
+  #}
+  {# TODO use from ca-certs
+  {% if cfg_bool('ssl_client_certificate') %}
   ssl_client_certificate <%= @ssl_client_certificate%>;
-        <% end %>
+  {% endif %}
+  #}
 
   # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
   ssl_ciphers '<%= @ssl_ciphers %>';
@@ -62,9 +73,11 @@ server {
   ssl_session_cache  <%= @ssl_session_cache %>;
   ssl_session_timeout  <%= @ssl_session_timeout %>;
 
-  <% if @ssl_dhparam %>
+  {# XXX do we need ssl_dharm ?
+  {% if cfg_bool('ssl_dhparam') %}
   ssl_dhparam <%= @ssl_dhparam %>;
   {% endif %}
+  #}
   {% endif %}
 
   ## Individual nginx logs for this GitLab vhost
@@ -80,7 +93,7 @@ server {
   location /uploads/ {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg('https') }}
+    {{ 'gzip off' if cfg_bool('https')  else ''}}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -90,11 +103,11 @@ server {
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg('https') %}
+    {% if cfg_bool('https') %}
     proxy_set_header    X-Forwarded-Ssl     on;
     {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;
@@ -105,7 +118,7 @@ server {
   location @gitlab {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg('https') }}
+    {{ 'gzip off' if cfg_bool('https')  else ''}}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -115,11 +128,11 @@ server {
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg('https') %}
+    {% if cfg_bool('https') %}
     proxy_set_header    X-Forwarded-Ssl     on;
     {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;
@@ -146,7 +159,7 @@ server {
   location @gitlab-git-http-server {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg('https') }}
+    {{ 'gzip off' if cfg_bool('https')  else ''}}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -156,11 +169,11 @@ server {
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg('https') %}
+    {% if cfg_bool('https') %}
     proxy_set_header    X-Forwarded-Ssl     on;
     {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
 
     proxy_pass http://gitlab-git-http-server;
   }
@@ -172,7 +185,9 @@ server {
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
     root {{ gitlab_root_shadow.location }}/public;
+    {# TODO reenable after --with-http_gzip_static_module added to nginx
     gzip_static on; # to serve pre-gzipped version
+    #}
     expires max;
     add_header Cache-Control public;
   }

software/gitlab/template/nginx.conf.in

@@ -20,10 +20,11 @@ events {
 }
 
 http {
-  # XXX do we need to tune this?
-  # log_format gitlab_access '<%= @gitlab_access_log_format %>';
-  # log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
-  # log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
+  log_format gitlab_access '{{ cfg("nginx_log_format") }}';
+  {# we do not use: ci, mattermost
+  log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
+  log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
+  #}
 
   sendfile    {{ cfg('nginx_sendfile') }};
   tcp_nopush  {{ cfg('nginx_tcp_nopush') }};
@@ -39,7 +40,7 @@ http {
 
   include {{ mime_types }};
 
-  {# include {{ nginx_gitlab_http_conf }}; #}
+  include {{ nginx_gitlab_http_conf }};
 
   # we don't need: ci, mattermost
   # include <%= @gitlab_ci_http_config %>