nginx-gitlab-http.conf.in 6.4 KB
{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn  with context %}

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

upstream gitlab-workhorse {
  server unix:{{ gitlab_workhorse.socket }};
}

{# not needed for us - the frontend can do the redirection and also
   gitlab/nginx speaks HSTS on https port so when we access https port via http
   protocol, it gets redirected to https
<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;
}
<% end %>
#}

server {
  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl http2{% endif %};

  {# we don't use: kerbeeros
  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
  <% end %>
  #}

  server_name {{ fqdn }};
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size {{ cfg('nginx_client_max_body_size') }};

  {% if cfg_https %}
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
  ssl_certificate {{ nginx.cert_file }};
  ssl_certificate_key {{ nginx.key_file }};
  {# we don't need - most root CA will be included by default
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
 	<% end %>
  #}

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  # NOTE(slapos) ^^^ is not relevant for us - we are behind frontend and clients
  #     directly connects to frontend
  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
  ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
  ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
  ssl_session_timeout  {{ cfg('nginx_ssl_session_timeout') }};

  {# we do not use: ssl_dhparam
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>
  #}
  {% endif %}

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  {% if '{{ cfg("nginx_real_ip_header") }}' %}
  real_ip_header '{{ cfg("nginx_real_ip_header") }}';
  {% endif %}
  {% if '{{ cfg("nginx_real_ip_recursive") }}' %}
  real_ip_recursive '{{ cfg("nginx_real_ip_recursive") }}';
  {% endif %}
  {% for trusted_address in cfg("nginx_real_ip_trusted_addresses").split() %}
  set_real_ip_from {{ trusted_address }};
  {% endfor %}

  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;

  {# we do not support relative URL - path is always "/" #}
  {% set path = "/" %}
  location {{ path }} {
    # Set CORS header
    add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    {{ 'gzip off;' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
    proxy_redirect          off;

    proxy_http_version 1.1;

    # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
    #   - files/gitlab-config-template/gitlab.rb.template       nginx['proxy_set_headers']
    #   - files/gitlab-cookbooks/gitlab/attributes/default.rb   default['gitlab']['nginx']['proxy_set_headers']
    #   - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb     parse_nginx_proxy_headers()
    # (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    {% if cfg_https %}
    proxy_set_header    X-Forwarded-Ssl     on;
    {% endif %}
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root {{ gitlab_work.location }}/public;
    internal;
  }

  {# we don't support custom nginx configs
  <%= @custom_gitlab_server_config %>
  #}
}