# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
## This is an ERB template: every `<%= ... %>` value is substituted by the caller
## (instance variables and the `node` attribute hash) and written into the nginx
## config verbatim. Nothing in this file validates or escapes those values.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

## Backend that every request is proxied to. It is reached over a Unix socket
## only; this template does not expose workhorse on a TCP port.
upstream gitlab-workhorse {
  server unix:<%= node['gitlab']['gitlab-workhorse']['listen_addr'] %>;
}

<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
## Emitted only when both @https and @redirect_http_to_https are set. The
## redirect carries the original path and query string ($request_uri) across
## to the HTTPS vhost on @port; the plain-HTTP listener itself serves nothing.
server {
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;
}
<% end %>

## Main GitLab vhost.
server {
<% @listen_addresses.each do |listen_address| %>
  ## NOTE(review): `spdy` and the `ssl on` directive below are legacy nginx
  ## features (later releases dropped SPDY for HTTP/2 and deprecated `ssl on`
  ## in favour of the `ssl` listen parameter) -- confirm against the bundled
  ## nginx version before relying on this line.
  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl spdy<% end %>;
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  ## Optional dedicated Kerberos listener. Whether it uses TLS is controlled
  ## separately by @kerberos_https, independent of @https.
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
<% end %>
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size <%= @client_max_body_size %>;

<% if @https %>
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ## The cipher list, protocol set and session settings all come from template
  ## variables, so the effective TLS hardening is decided by the caller, not here.
  ssl on;
  ssl_certificate <%= @ssl_certificate %>;
  ssl_certificate_key <%= @ssl_certificate_key %>;
<% if @ssl_client_certificate %>
  ## NOTE(review): this only names the CA bundle. nginx does not request or
  ## verify client certificates unless `ssl_verify_client` is also set, and that
  ## directive does not appear in this template -- confirm whether it is
  ## supplied through @custom_gitlab_server_config or is not intended.
  ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_protocols <%= @ssl_protocols %>;
  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  ssl_session_cache <%= @ssl_session_cache %>;
  ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
  ## Only emitted when a DH parameter file is configured.
  ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
<% end %>

  ## Individual nginx logs for this GitLab vhost
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;

  location / {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    ## (The ERB below prints nothing at all when @https is false.)
    <%= 'gzip off;' if @https %>

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      <%= @proxy_read_timeout %>;
    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
    proxy_redirect          off;
    proxy_http_version 1.1;

    ## Host, X-Real-IP, X-Forwarded-Ssl and X-Forwarded-Proto are set
    ## unconditionally, so client-supplied values for those headers are
    ## overwritten before reaching workhorse. X-Forwarded-For instead appends
    ## $remote_addr to whatever the client sent, so only its last (rightmost)
    ## entry is trustworthy on the upstream side.
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
<% if @https %>
    proxy_set_header    X-Forwarded-Ssl     on;
<% end %>
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   <%= @https ? "https" : "http" %>;

    proxy_pass http://gitlab-workhorse;
  }

  ## Raw, operator-supplied nginx configuration inserted verbatim inside this
  ## server block; it is neither escaped nor validated by the template.
  <%= @custom_gitlab_server_config %>
}