Commit cc7bc1ed by iv Committed by Alain Takoudjou

gitlab: configure trusted proxies for nginx

so that the client IP is no longer the frontend IP, so rack
attack won't be blacklisting fontend IPs
1 parent 3e38592a
......@@ -102,7 +102,10 @@ configuration.nginx_gzip_proxied = any
configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
configuration.nginx_keepalive_timeout = 65
# TODO allow configuring trusted proxies
# configuration.nginx_real_ip_trusted_addresses
# configuration.nginx_real_ip_header
# configuration.nginx_real_ip_recursive
# configuring trusted proxies
# GitLab is behind a reverse proxy, so we don't want the IP address of the proxy
# to show up as the client address (because rack attack blacklists the lab
# frontend)
configuration.nginx_real_ip_trusted_addresses =
configuration.nginx_real_ip_header = X-Forwarded-For
configuration.nginx_real_ip_recursive = off
......@@ -303,7 +303,7 @@ md5sum = eb1230fee50067924ba89f4dc6e82fa9
[gitlab-parameters.cfg]
<= download-file
md5sum = a74670934ec0190cc212d1f3468c11ed
md5sum = 9ff67261781092ae4d1096d65927b9f2
[gitlab-shell-config.yml.in]
<= download-template
......@@ -315,7 +315,7 @@ md5sum = a9cb347f60aad3465932fd36cd4fe25d
[gitlab.yml.in]
<= download-template
md5sum = 176939a6428a7aca4767a36421b0af2b
md5sum = fb52f20f04b3c0bacd6a767dac9d6483
[instance-gitlab.cfg.in]
<= download-file
......@@ -331,7 +331,7 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4
[nginx-gitlab-http.conf.in]
<= download-template
md5sum = a11b50d2ff2b1fa842ba4aa20041e2fe
md5sum = 37ea159762fe25db2af6b4ac3870d1e3
[nginx.conf.in]
<= download-template
......
......@@ -36,11 +36,9 @@ production: &base
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies:
{# TODO support configuring trusted proxies
<% @trusted_proxies.each do |proxy| %>
- <%= proxy %>
<% end %>
#}
{% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
- {{ proxy }}
{% endfor %}
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: {{ backend_info.user }}
......
......@@ -101,17 +101,15 @@ server {
## Real IP Module Config
## http://nginx.org/en/docs/http/ngx_http_realip_module.html
{# TODO support trusted proxies & realip
<% if @real_ip_header %>
real_ip_header <%= @real_ip_header %>;
<% end %>
<% if @real_ip_recursive %>
real_ip_recursive <%= @real_ip_recursive %>;
<% end %>
<% @real_ip_trusted_addresses.each do |trusted_address| %>
set_real_ip_from <%= trusted_address %>;
<% end %>
#}
{% if '{{ cfg("nginx_real_ip_header") }}' %}
real_ip_header '{{ cfg("nginx_real_ip_header") }}';
{% endif %}
{% if '{{ cfg("nginx_real_ip_recursive") }}' %}
real_ip_recursive '{{ cfg("nginx_real_ip_recursive") }}';
{% endif %}
{% for trusted_address in cfg("nginx_real_ip_trusted_addresses").split() %}
set_real_ip_from {{ trusted_address }};
{% endfor %}
## Individual nginx logs for this GitLab vhost
access_log {{ nginx.log }}/gitlab_access.log gitlab_access;
......
Styling with Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!