Commit d64ae536 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'soft-launch-gitlab-git-http-server' into 'master'

Experimental support for gitlab-git-http-server

https://gitlab.com/gitlab-org/gitlab-git-http-server

This change introduces the GITLAB_GRACK_AUTH_ONLY environment
variable. When set, Grack requests to GitLab will only respond with
the user's GL_ID (if the request is OK) or an error. This allows
gitlab-git-http-server to use the main GitLab application as an
authentication and authorization backend.

If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY
variable at some point in the future.

See merge request !1915
parents 5efb58b0 16dcf356
...@@ -26,7 +26,12 @@ module Grack ...@@ -26,7 +26,12 @@ module Grack
auth! auth!
if project && authorized_request? if project && authorized_request?
if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
# Tell gitlab-git-http-server the request is OK, and what the GL_ID is
render_grack_auth_ok
else
@app.call(env) @app.call(env)
end
elsif @user.nil? && !@gitlab_ci elsif @user.nil? && !@gitlab_ci
unauthorized unauthorized
else else
...@@ -174,6 +179,10 @@ module Grack ...@@ -174,6 +179,10 @@ module Grack
end end
end end
def render_grack_auth_ok
[200, { "Content-Type" => "application/json" }, [JSON.dump({ 'GL_ID' => Gitlab::ShellEnv.gl_id(@user) })]]
end
def render_not_found def render_not_found
[404, { "Content-Type" => "text/plain" }, ["Not Found"]] [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
end end
......
...@@ -7,7 +7,7 @@ module Gitlab ...@@ -7,7 +7,7 @@ module Gitlab
def set_env(user) def set_env(user)
# Set GL_ID env variable # Set GL_ID env variable
if user if user
ENV['GL_ID'] = "user-#{user.id}" ENV['GL_ID'] = gl_id(user)
end end
end end
...@@ -15,5 +15,14 @@ module Gitlab ...@@ -15,5 +15,14 @@ module Gitlab
# Reset GL_ID env variable # Reset GL_ID env variable
ENV['GL_ID'] = nil ENV['GL_ID'] = nil
end end
def gl_id(user)
if user.present?
"user-#{user.id}"
else
# This empty string is used in the render_grack_auth_ok method
""
end
end
end end
end end
...@@ -38,6 +38,11 @@ upstream gitlab { ...@@ -38,6 +38,11 @@ upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
} }
## Experimental: gitlab-git-http-server
# upstream gitlab-git-http-server {
# server localhost:8181;
# }
## Normal HTTP host ## Normal HTTP host
server { server {
## Either remove "default_server" from the listen line below, ## Either remove "default_server" from the listen line below,
...@@ -109,6 +114,26 @@ server { ...@@ -109,6 +114,26 @@ server {
proxy_pass http://gitlab; proxy_pass http://gitlab;
} }
## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
# location ~ [-\/\w\.]+\.git\/ {
# ## If you use HTTPS make sure you disable gzip compression
# ## to be safe against BREACH attack.
# # gzip off;
# ## https://github.com/gitlabhq/gitlabhq/issues/694
# ## Some requests take more than 30 seconds.
# proxy_read_timeout 300;
# proxy_connect_timeout 300;
# proxy_redirect off;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://gitlab-git-http-server;
# }
## Enable gzip compression as per rails guide: ## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below ## WARNING: If you are using relative urls remove the block below
......
...@@ -42,6 +42,11 @@ upstream gitlab { ...@@ -42,6 +42,11 @@ upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
} }
## Experimental: gitlab-git-http-server
# upstream gitlab-git-http-server {
# server localhost:8181;
# }
## Redirects all HTTP traffic to the HTTPS host ## Redirects all HTTP traffic to the HTTPS host
server { server {
## Either remove "default_server" from the listen line below, ## Either remove "default_server" from the listen line below,
...@@ -156,6 +161,26 @@ server { ...@@ -156,6 +161,26 @@ server {
proxy_pass http://gitlab; proxy_pass http://gitlab;
} }
## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
# location ~ [-\/\w\.]+\.git\/ {
# ## If you use HTTPS make sure you disable gzip compression
# ## to be safe against BREACH attack.
# gzip off;
# ## https://github.com/gitlabhq/gitlabhq/issues/694
# ## Some requests take more than 30 seconds.
# proxy_read_timeout 300;
# proxy_connect_timeout 300;
# proxy_redirect off;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Ssl on;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_pass http://gitlab-git-http-server;
# }
## Enable gzip compression as per rails guide: ## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below ## WARNING: If you are using relative urls remove the block below
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment