Commit
57eb38b8
authored
Oct 26, 2015
by
Kirill Smelkov
X Nginx started to start and listen
parent
628886f1
Showing
5 changed files
with
69 additions
and
32 deletions
+69
-32
software/gitlab/gitlab-parameters.cfg
software/gitlab/gitlab-parameters.cfg
+15
-2
software/gitlab/instance-gitlab.cfg.in
software/gitlab/instance-gitlab.cfg.in
+6
-2
software/gitlab/macrolib.cfg.in
software/gitlab/macrolib.cfg.in
+4
-0
software/gitlab/template/nginx-gitlab-http.conf.in
software/gitlab/template/nginx-gitlab-http.conf.in
+38
-23
software/gitlab/template/nginx.conf.in
software/gitlab/template/nginx.conf.in
+6
-5
software/gitlab/gitlab-parameters.cfg
...
...
@@ -10,6 +10,10 @@
# last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
# TODO recheck )
# TODO move to proper place and merge related from omnibus
configuration.https = false
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60
...
...
@@ -66,12 +70,21 @@ configuration.unicorn_worker_processes = 2
configuration.unicorn_tcp_nopush = true
# nginx
configuration.nginx_client_max_body_size = 250m
configuration.nginx_redirect_http_to_https = false
# TODO -> generate certificate automatically
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_connect_timeout = 300
# nginx advanced
configuration.nginx_worker_processes = 4
configuration.nginx_worker_connections = 10240
configuration.nginx_log_format = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
configuration.nginx_sendfile = on
configuration.nginx_tcp_nopush = on
configuration.nginx_tcp_nodelay = on
...
...
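Review bot: `configuration.https = false` together with `configuration.nginx_redirect_http_to_https = false` makes plain HTTP the default, and the section has no parameter for a certificate or key yet; the three `nginx['ssl_certificate…']` lines are still commented-out omnibus Ruby under a TODO. Until those parameters exist, setting `https` to true gives nginx nothing to load, so the default is effectively the only working mode and logins and git-over-HTTP credentials travel unencrypted. I would say so next to the setting, e.g. `# NOTE https = true is not usable yet: no ssl_certificate / ssl_certificate_key parameters (see TODO in the nginx section)`. Which of these lines are new cannot be recovered from this rendering, so the comment is proposed for the file as it stands after the commit.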
software/gitlab/instance-gitlab.cfg.in
...
...
@@ -201,12 +201,16 @@ context =
section gitlab_backend gitlab-backend
section directory directory
raw mime_types {{ mime_types }}
#
raw nginx_gitlab_http_conf ${nginx-gitlab-http.conf:rendered}
raw nginx_gitlab_http_conf ${nginx-gitlab-http.conf:rendered}
[nginx-gitlab-http.conf]
<= nginx-etc-template
template= {{ nginx_gitlab_http_conf_in }}
context = ...
context =
section instance_parameter instance-parameter
section gitlab_backend gitlab-backend
section nginx nginx
section gitlab_root_shadow gitlab-root-shadow
# TODO log: logrotate
...
...
software/gitlab/macrolib.cfg.in
...
...
@@ -3,3 +3,7 @@
{# cfg(name) -> instance_parameter:configuration.<name> #}
{% macro cfg(name) %}{{ instance_parameter[str("configuration." + name)] }}{% endmacro %}
{# cfg_bool(name) - like cfg(name), but returns 'true'/''
NOTE macros can return only strings - that's why '' is used for false #}
{% macro cfg_bool(name) %}{{ 'true' if (cfg(name).lower() in ('true', 'yes')) else '' }}{% endmacro %}
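Review bot: `cfg_bool` maps every value other than `true`/`yes` to false without complaint, so `configuration.https = on` (the spelling the `nginx_sendfile` and `nginx_tcp_nopush` parameters use) or `1` silently selects plain HTTP. The same probably holds for a misspelt parameter name, depending on how the template recipe renders undefined values, which is not visible here. For a switch that gates TLS, the BREACH `gzip off` lines and `X-Forwarded-Proto`, I would extend the comment above the macro to list the accepted spellings and state that anything else is false, or widen the test to `cfg(name).strip().lower() in ('true', 'yes', 'on', '1')`.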
software/gitlab/template/nginx-gitlab-http.conf.in
...
...
@@ -3,18 +3,24 @@
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
{% from 'macrolib.cfg.in' import cfg, cfg_bool with context %}
# TODO unix socket of unicorn
upstream gitlab {
server unix:<%= @socket %> fail_timeout=0;
{# TODO reenable #}
{# server unix:<%= @socket %> fail_timeout=0; #}
server unix:/dev/null fail_timeout=0;
}
# TODO unix socket of gitlab-git-http-server
upstream gitlab-git-http-server {
{# TODO reenable
server unix:<%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %>;
#}
server unix:/dev/null fail_timeout=0;
}
# TODO -> conf parameters
{% if cfg('https') && cfg('redirect_http_to_https') %}
{% if cfg_bool('https') and cfg_bool('nginx_redirect_http_to_https') %}
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
...
...
@@ -29,31 +35,36 @@ server {
{% endif %}
server {
listen
{{ gitlab_backend.host }}:{{ gitlab_backend.port }}{% if cfg
('https') %} ssl spdy{% endif %};
listen
[{{ gitlab_backend.host }}]:{{ gitlab_backend.port }}{% if cfg_bool
('https') %} ssl spdy{% endif %};
# we don't use: kerbeeros
# <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
# listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
# <% end %>
{# we don't use: kerbeeros
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
<% end %>
#}
# XXX fqdn
server_name <%= @fqdn %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
root
${gitlab-root-shadow:location
}/public;
root
{{ gitlab_root_shadow.location }
}/public;
## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size {{ cfg('client_max_body_size') }};
client_max_body_size {{ cfg('
nginx_
client_max_body_size') }};
{% if cfg('https') %}
{% if cfg
_bool
('https') %}
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
{# TODO handle ssl certs: generate automatically (?)
ssl_certificate {{ cfg('ssl_certificate') }};
ssl_certificate_key <%= @ssl_certificate_key %>;
{% if cfg('ssl_client_certificate') %}
#}
{# TODO use from ca-certs
{% if cfg_bool('ssl_client_certificate') %}
ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>
{% endif %}
#}
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers '<%= @ssl_ciphers %>';
...
...
@@ -62,9 +73,11 @@ server {
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
{# XXX do we need ssl_dharm ?
{% if cfg_bool('ssl_dhparam') %}
ssl_dhparam <%= @ssl_dhparam %>;
{% endif %}
#}
{% endif %}
## Individual nginx logs for this GitLab vhost
...
...
@@ -80,7 +93,7 @@ server {
location /uploads/ {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg
('https')
}}
{{ 'gzip off' if cfg
_bool('https') else ''
}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -90,11 +103,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg('https') %}
{% if cfg
_bool
('https') %}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg('https') else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg
_bool
('https') else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
...
...
@@ -105,7 +118,7 @@ server {
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg
('https')
}}
{{ 'gzip off' if cfg
_bool('https') else ''
}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -115,11 +128,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg('https') %}
{% if cfg
_bool
('https') %}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg('https') else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg
_bool
('https') else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
...
...
@@ -146,7 +159,7 @@ server {
location @gitlab-git-http-server {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg
('https')
}}
{{ 'gzip off' if cfg
_bool('https') else ''
}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -156,11 +169,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg('https') %}
{% if cfg
_bool
('https') %}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg('https') else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg
_bool
('https') else "http" }};
proxy_pass http://gitlab-git-http-server;
}
...
...
@@ -172,7 +185,9 @@ server {
## other files that need to be changed for relative url support
location ~ ^/(assets)/ {
root {{ gitlab_root_shadow.location }}/public;
{# TODO reenable after --with-http_gzip_static_module added to nginx
gzip_static on; # to serve pre-gzipped version
#}
expires max;
add_header Cache-Control public;
}
...
...
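Review bot: The BREACH mitigation in `location /uploads/` renders as `gzip off` without a terminating semicolon: the new expression is `{{ 'gzip off' if cfg_bool('https') else '' }}` and no `;` follows the closing braces as shown on this page. With https enabled, nginx would read the following directive as further arguments to `gzip` and reject the configuration, so the https path cannot be loaded at all. The literal should carry the semicolon, `{{ 'gzip off;' if cfg_bool('https') else '' }}`. The same line appears in the `location @gitlab` and `location @gitlab-git-http-server` hunks.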
software/gitlab/template/nginx.conf.in
...
...
@@ -20,10 +20,11 @@ events {
}
http {
# XXX do we need to tune this?
# log_format gitlab_access '<%= @gitlab_access_log_format %>';
# log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
# log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
log_format gitlab_access '{{ cfg("nginx_log_format") }}';
{# we do not use: ci, mattermost
log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
#}
sendfile {{ cfg('nginx_sendfile') }};
tcp_nopush {{ cfg('nginx_tcp_nopush') }};
...
...
@@ -39,7 +40,7 @@ http {
include {{ mime_types }};
{# include {{ nginx_gitlab_http_conf }}; #}
include {{ nginx_gitlab_http_conf }};
# we don't need: ci, mattermost
# include <%= @gitlab_ci_http_config %>
...
...
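Review bot: `log_format gitlab_access '{{ cfg("nginx_log_format") }}';` pastes the parameter verbatim between single quotes, so a value containing `'` ends the string early and the remainder is parsed as nginx configuration. The shipped default only uses double quotes and is fine; whether instance parameters can be set by someone less trusted than the node operator is not visible from this page. I would at least note the constraint above the line, e.g. `{# nginx_log_format must not contain single quotes - it is substituted into a quoted nginx string #}`, or escape the value before substitution.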