gitlab-workhorse + Nexedi patches


Gitlab-workhorse is a smart reverse proxy for GitLab. It handles "large" HTTP requests such as file downloads, file uploads, Git push/pull and Git archive downloads.


  gitlab-workhorse [OPTIONS]

  -authBackend string
        Authentication/authorization backend (default "http://localhost:8080")
  -authSocket string
        Optional: Unix domain socket to dial authBackend at
        Allow to serve assets from Rails app
  -documentRoot string
        Path to static files content (default "public")
  -listenAddr string
        Listen address for HTTP server (default "localhost:8181")
  -listenNetwork string
        Listen 'network' (tcp, tcp4, tcp6, unix) (default "tcp")
  -listenUmask int
        Umask for Unix socket, default: 022 (default 18)
  -pprofListenAddr string
        pprof listening address, e.g. 'localhost:6060'
  -proxyHeadersTimeout duration
        How long to wait for response headers when proxying the request (default 1m0s)
        Print version and exit

The 'auth backend' refers to the GitLab Rails application. The name is a holdover from when gitlab-workhorse only handled Git push/pull over HTTP.

Gitlab-workhorse can listen on either a TCP or a Unix domain socket. It can also open a second listening TCP listening socket with the Go net/http/pprof profiler server.

Relative URL support

If you are mounting GitLab at a relative URL, e.g. example.com/gitlab, then you should also use this relative URL in the authBackend setting:

gitlab-workhorse -authBackend http://localhost:8080/gitlab


To install gitlab-workhorse you need Go 1.5 or newer.

To install into /usr/local/bin run make install.

make install

To install into /foo/bin set the PREFIX variable.

make install PREFIX=/foo


make clean test

Try it out

You can try out the Git server without authentication as follows:

# Start a fake auth backend that allows everything/everybody
make test/data/test.git
go run support/fake-auth-backend.go ~+/test/data/test.git &
# Start gitlab-workhorse

Now you can try things like:

git clone http://localhost:8181/test.git
curl -JO http://localhost:8181/test/repository/archive.zip

Example request flow

  • start POST repo.git/git-receive-pack to NGINX
  • ..start POST repo.git/git-receive-pack to gitlab-workhorse
  • ....start POST repo.git/git-receive-pack to Unicorn for auth
  • ....end POST to Unicorn for auth
  • ....start git-receive-pack process from gitlab-workhorse
  • ......start POST /api/v3/internal/allowed to Unicorn from Git hook (check protected branches)
  • ......end POST to Unicorn from Git hook
  • ....end git-receive-pack process
  • ..end POST to gitlab-workhorse
  • end POST to NGINX


This code is distributed under the MIT license, see the LICENSE file.