gitlab: Merge in upstream config updates

This does only pure merge. We will slaposify / adjust config and
corresponding md5sum in the following patches.

/cc @kazuhiko, @jerome

software/gitlab/template/gitlab.yml.in

@@ -28,7 +28,7 @@ production: &base
 
     # WARNING: See config/application.rb under "Relative url support" for the list of
     # other files that need to be changed for relative url support
-    # relative_url_root: /gitlab
+    relative_url_root: <%= @gitlab_relative_url %>
 
     # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
     user: {{ backend_info.user }}
@@ -141,6 +141,8 @@ production: &base
     host: <%= @pages_host %>
     port: <%= @pages_port %>
     https: <%= @pages_https %>
+    external_http: <%= @pages_external_http %>
+    external_https: <%= @pages_external_https %>
   #}
 
   {# we do not support Elasticsearch
@@ -282,15 +284,22 @@ production: &base
     auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>
 
     # CAUTION!
-    # This allows users to login without having a user account first (default: false).
+    # This allows users to login without having a user account first. Define the allowed
+    # providers using an array, e.g. ["saml", "twitter"]
     # User accounts will be created automatically when authentication was successful.
-    allow_single_sign_on: <%= @omniauth_allow_single_sign_on %>
+    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>
+
     # Locks down those users until they have been cleared by the admin (default: true).
     block_auto_created_users: <%= @omniauth_block_auto_created_users %>
     # Look up new users in LDAP servers. If a match is found (same uid), automatically
     # link the omniauth identity with the LDAP account. (default: false)
     auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>
 
+    # Allow users with existing accounts to login and auto link their account via SAML
+    # login, without having to do a manual login first and manually add SAML
+    # (default: false)
+    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>
+
 
     ## Auth providers
     # Uncomment the following lines and fill in the data of the auth provider you want to use

software/gitlab/template/nginx-gitlab-http.conf.in

@@ -56,7 +56,7 @@ server {
 #}
 
 server {
-  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl spdy{% endif %};
+  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl http2{% endif %};
 
   {# we don't use: kerbeeros
   <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
@@ -104,7 +104,8 @@ server {
   access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
   error_log   {{ nginx.log }}/gitlab_error.log;
 
-  location / {
+  <% path = @relative_url ? @relative_url : "/" %>
+  location <%= path %> {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
     {{ 'gzip off;' if cfg_https else ''}}
@@ -117,13 +118,10 @@ server {
 
     proxy_http_version 1.1;
 
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg_https %}
-    proxy_set_header    X-Forwarded-Ssl     on;
-    {% endif %}
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};
+    <% @proxy_set_headers.each do |header| %>
+    <% next if header[1].nil? %>
+    proxy_set_header <%= header[0] %> <%= header[1] %>;
+    <% end %>
 
     proxy_pass http://gitlab-workhorse;
   }

software/gitlab/template/unicorn.rb.in

@@ -71,3 +71,9 @@ stderr_path '{{ unicorn.log }}/unicorn_stderr.log'
 
 # Where stdout gets logged
 stdout_path '{{ unicorn.log }}/unicorn_stdout.log'
+
+<%- if @relative_url %>
+# Relative url from where GitLab is served
+ENV['RAILS_RELATIVE_URL_ROOT'] = "<%= @relative_url %>"
+
+<%- end %>
\ No newline at end of file