{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.4.4+ce.0-0-g1680742)

{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn  with context %}

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

## Backend for every proxied request in the server block below: gitlab-workhorse,
## reached over a local unix socket instead of TCP, so who may connect to it is
## governed by the socket's filesystem permissions rather than by the network.
upstream gitlab-workhorse {
  server unix:{{ gitlab_workhorse.socket }};
}

{# not needed for us: the frontend can do the redirection, and gitlab/nginx also
   speaks HSTS on the https port, so when the https port is accessed over plain
   http the request gets redirected to https
<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;
}
<% end %>
#}

## GitLab vhost: accepts traffic from the frontend (TLS-terminated here only when
## cfg_https is set) and proxies it to the gitlab-workhorse upstream declared above.
server {
  ## Bracketed host form, so backend_info.host may be an IPv6 literal.
  ## TLS and HTTP/2 are enabled on the listener only when cfg_https is true.
  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl http2{% endif %};

  {# we don't use: kerberos
  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
  <% end %>
  #}

  server_name {{ fqdn }};
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root {{ gitlab_work.location }}/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size {{ cfg('nginx_client_max_body_size') }};

  {% if cfg_https %}
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ## NOTE(review): redundant with the "ssl" parameter already present on the
  ##     listen line above; newer nginx releases deprecate, and eventually
  ##     reject, the standalone "ssl on" directive - confirm against the nginx
  ##     version this software release pins.
  ssl on;
  ssl_certificate {{ nginx.cert_file }};
  ssl_certificate_key {{ nginx.key_file }};
  {# we don't need - most root CA will be included by default
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
 	<% end %>
  #}
  ## NOTE(review): ssl_client_certificate is the CA bundle nginx uses to verify
  ##     *client* certificates (together with ssl_verify_client), not the
  ##     server's own chain; this vhost sets no ssl_verify_client, so leaving
  ##     the directive out changes nothing here.

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  # NOTE(slapos) ^^^ is not relevant for us - we are behind frontend and clients
  #     directly connects to frontend
  ## Every TLS policy knob below is taken from the instance's cfg() parameters,
  ## so the accepted protocol set and cipher list are decided at deploy time.
  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
  ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
  ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
  ssl_session_timeout  {{ cfg('nginx_ssl_session_timeout') }};

  {# we do not use: ssl_dhparam
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>
  #}
  ## NOTE(review): with no ssl_dhparam, any DHE suite admitted by
  ##     nginx_ssl_ciphers negotiates with nginx's built-in DH group, which on
  ##     older nginx releases is only 1024 bits. Irrelevant if the configured
  ##     cipher string is ECDHE-only - confirm against that parameter.
  {% endif %}

  ## Individual nginx logs for this GitLab vhost
  ## (assumes the gitlab_access log_format is declared in the enclosing http
  ## block, which lives outside this template - confirm)
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;

  ## NOTE(review): the next two lines are still ERB. Jinja does not process
  ##     <% %> tags, so they reach nginx verbatim, and nginx will not accept
  ##     them as directives - this part of the template is not converted yet.
  <% path = @relative_url ? @relative_url : "/" %>
  location <%= path %> {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    {{ 'gzip off;' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
    proxy_redirect          off;

    proxy_http_version 1.1;

    ## NOTE(review): unconverted ERB as well (see the location line above).
    ##     Until this loop is rewritten in Jinja, no proxy_set_header line
    ##     reaches nginx, so workhorse would receive none of the headers
    ##     omnibus normally forwards via @proxy_set_headers (presumably
    ##     Host and X-Forwarded-* - check the omnibus source linked at the top).
    <% @proxy_set_headers.each do |header| %>
    <% next if header[1].nil? %>
    proxy_set_header <%= header[0] %> <%= header[1] %>;
    <% end %>

    proxy_pass http://gitlab-workhorse;
  }

  {# we don't support custom nginx configs
  <%= @custom_gitlab_server_config %>
  #}
}