gitlab: configure trusted proxies for nginx

so that the client IP is no longer the frontend IP, so rack attack won't be blacklisting fontend IPs

gitlab: configure trusted proxies for nginx
so that the client IP is no longer the frontend IP, so rack attack won't be blacklisting fontend IPs
cc7bc1ed · iv · Alain Takoudjou · 3e38592a · cc7bc1ed · cc7bc1ed
Commit cc7bc1ed authored Jan 24, 2017 by iv Committed by Alain Takoudjou Jan 26, 2017
4 changed files
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -102,7 +102,10 @@ configuration.nginx_gzip_proxied        = any
 configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
 configuration.nginx_keepalive_timeout   = 65
-# TODO allow configuring trusted proxies
+# configuring trusted proxies
-# configuration.nginx_real_ip_trusted_addresses
+# GitLab is behind a reverse proxy, so we don't want the IP address of the proxy
-# configuration.nginx_real_ip_header
+# to show up as the client address (because rack attack blacklists the lab
-# configuration.nginx_real_ip_recursive
+# frontend)
+configuration.nginx_real_ip_trusted_addresses   =
+configuration.nginx_real_ip_header              = X-Forwarded-For
+configuration.nginx_real_ip_recursive           = off
--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -303,7 +303,7 @@ md5sum  = eb1230fee50067924ba89f4dc6e82fa9
 [gitlab-parameters.cfg]
 <= download-file
-md5sum  = a74670934ec0190cc212d1f3468c11ed
+md5sum  = 9ff67261781092ae4d1096d65927b9f2
 [gitlab-shell-config.yml.in]
 <= download-template
@@ -315,7 +315,7 @@ md5sum  = a9cb347f60aad3465932fd36cd4fe25d
 [gitlab.yml.in]
 <= download-template
-md5sum  = 176939a6428a7aca4767a36421b0af2b
+md5sum  = fb52f20f04b3c0bacd6a767dac9d6483
 [instance-gitlab.cfg.in]
 <= download-file
@@ -331,7 +331,7 @@ md5sum  = a56a44e96f65f5ed20211bb6a54279f4
 [nginx-gitlab-http.conf.in]
 <= download-template
-md5sum  = a11b50d2ff2b1fa842ba4aa20041e2fe
+md5sum  = 37ea159762fe25db2af6b4ac3870d1e3
 [nginx.conf.in]
 <= download-template

--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -36,11 +36,9 @@ production: &base
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
-    {# TODO support configuring trusted proxies
+    {% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
-<% @trusted_proxies.each do |proxy| %>
+      - {{ proxy }}
-      - <%= proxy %>
+    {% endfor %}
-<% end %>
-    #}
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: {{ backend_info.user }}

--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
@@ -101,17 +101,15 @@ server {
  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
-  {# TODO support trusted proxies & realip
+  {% if '{{ cfg("nginx_real_ip_header") }}' %}
-  <% if @real_ip_header %>
+  real_ip_header '{{ cfg("nginx_real_ip_header") }}';
-  real_ip_header <%= @real_ip_header %>;
+  {% endif %}
-  <% end %>
+  {% if '{{ cfg("nginx_real_ip_recursive") }}' %}
-  <% if @real_ip_recursive %>
+  real_ip_recursive '{{ cfg("nginx_real_ip_recursive") }}';
-  real_ip_recursive <%= @real_ip_recursive %>;
+  {% endif %}
-  <% end %>
+  {% for trusted_address in cfg("nginx_real_ip_trusted_addresses").split() %}
-  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from {{ trusted_address }};
-  set_real_ip_from <%= trusted_address %>;
+  {% endfor %}
-  <% end %>
-  #}
  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;