Commit 97dcf455 authored by Kirill Smelkov's avatar Kirill Smelkov

gitlab: Establish proper 1 branch for tracking upstream configs

It was my mistake to establish several tracking lines for tracking
upstream changes - e.g. in

    61544d87    (gitlab: Import nginx http configuration from omnibus-gitlab)

we started not from

    6fd7b987    (gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab)

-- the first upstream tracking commit on its own branch -- but from

    4c127fdd    (gitlab: Setup sidekiq service)

i.e. from after some changes which already tweaked upstream
configuration files.

This makes updating gitlab more work than necessary: instead of
switching to upstream branch only once, importing all files, and
then switching back to master and merging upstream changes only once, we
currently have to do that operation 3 times:

    - for main gitlab settings,
    - for nginx settings, and
    - for gitconfig settings

which is not convenient and wastes our time.

So establish a proper 1 branch for tracking upstream configs:

Here we cherry-pick the following commits

    61544d87    (gitlab: Import nginx http configuration from omnibus-gitlab)
    d17f1f5f    (gitlab: Sync nginx http configuration from omnibus gitlab)

    8f945bd2    (gitlab: Import gitconfig from omnibus-gitlab)
    e8461571    (gitlab: Sync gitconfig settings from omnibus-gitlab)

and later we'll be updating upstream files on a branch starting from
this commit and containing upstream changes only.

/cc @kazuhiko, @jerome
parent 8c62b063
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
[user]
name = <%= node['gitlab']['user']['git_user_name'] %>
email = <%= node['gitlab']['user']['git_user_email'] %>
[core]
autocrlf = input
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CHUNKED TRANSFER ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
## configuration ##
###################################
upstream gitlab-workhorse {
server unix:<%= node['gitlab']['gitlab-workhorse']['listen_addr'] %>;
}
<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
server_name <%= @fqdn %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
access_log <%= @log_directory %>/gitlab_access.log gitlab_access;
error_log <%= @log_directory %>/gitlab_error.log;
}
<% end %>
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl spdy<% end %>;
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
<% end %>
<% end %>
server_name <%= @fqdn %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size <%= @client_max_body_size %>;
<% if @https %>
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;
<% if @ssl_client_certificate %>
ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers '<%= @ssl_ciphers %>';
ssl_protocols <%= @ssl_protocols %>;
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
<% end %>
## Individual nginx logs for this GitLab vhost
access_log <%= @log_directory %>/gitlab_access.log gitlab_access;
error_log <%= @log_directory %>/gitlab_error.log;
location / {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
<%= 'gzip off;' if @https %>
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout <%= @proxy_read_timeout %>;
proxy_connect_timeout <%= @proxy_connect_timeout %>;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
<% if @https %>
proxy_set_header X-Forwarded-Ssl on;
<% end %>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto <%= @https ? "https" : "http" %>;
proxy_pass http://gitlab-workhorse;
}
<%= @custom_gitlab_server_config %>
}
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
user <%= node['gitlab']['web-server']['username'] %> <%= node['gitlab']['web-server']['group']%>;
worker_processes <%= @worker_processes %>;
error_log stderr;
pid nginx.pid;
daemon off;
events {
worker_connections <%= @worker_connections %>;
}
http {
log_format gitlab_access '<%= @gitlab_access_log_format %>';
log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
sendfile <%= @sendfile %>;
tcp_nopush <%= @tcp_nopush %>;
tcp_nodelay <%= @tcp_nodelay %>;
keepalive_timeout <%= @keepalive_timeout %>;
gzip <%= @gzip %>;
gzip_http_version <%= @gzip_http_version %>;
gzip_comp_level <%= @gzip_comp_level %>;
gzip_proxied <%= @gzip_proxied %>;
gzip_types <%= @gzip_types.join(' ') %>;
include /opt/gitlab/embedded/conf/mime.types;
<% if @gitlab_http_config %>
include <%= @gitlab_http_config %>;
<% end %>
<% if @gitlab_ci_http_config %>
include <%= @gitlab_ci_http_config %>;
<% end %>
<% if @gitlab_pages_http_config %>
include <%= @gitlab_pages_http_config %>;
<% end %>
<% if @gitlab_mattermost_http_config %>
include <%= @gitlab_mattermost_http_config %>;
<% end %>
<%= @custom_nginx_config %>
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment