X Draft nginx config

828be986 · Kirill Smelkov · 883c0a9f · 828be986 · 828be986 · 828be986
Commit 828be986 authored Oct 20, 2015 by Kirill Smelkov
3 changed files
--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -33,6 +33,11 @@ key     = ${slap-connection:key-file}
 cert    = ${slap-connection:cert-file}

 # gitlab instance parameters
+# ( parameter names and advanced default taken from omnibus-gitlab
+#   files/gitlab-config-template/gitlab.rb.template.
+#
+#   last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
+#   TODO recheck )
 configuration.email_enabled             = true
 configuration.email_from                = lab@example.com
 configuration.email_display_name        = GitLab
@@ -74,6 +79,23 @@ configuration.backup_keep_time          = 0
 configuration.git_max_size              =
 configuration.git_timeout               =

+# nginx
+configuration.nginx_proxy_read_timeout  = 300
+configuration.nginx_proxy_connect_timeout  = 300
+
+# nginx advanced
+configuration.nginx_worker_processes    = 4
+configuration.nginx_worker_connections  = 10240
+configuration.nginx_sendfile            = on
+configuration.nginx_tcp_nopush          = on
+configuration.nginx_tcp_nodelay         = on
+configuration.nginx_gzip                = on
+configuration.nginx_gzip_http_version   = 1.0
+configuration.nginx_gzip_comp_level     = 2
+configuration.nginx_gzip_proxied        = any
+configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
+configuration.nginx_keepalive_timeout   = 65
+


 # for convenience
@@ -291,3 +313,10 @@ command =
 # service/
 #   unicorn
 #   sidekiq
+
+
+# nginx: etc/ log/ ...
+[nginx]
+recipe  = slapos.cookbook:mkdirectory
+log     = ${directory:log}/nginx
+# TODO more?
--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
+# @autogenerated XXX
+# see:
+# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
+
+# TODO unix socket of unicorn
+upstream gitlab {
+  server unix:<%= @socket %> fail_timeout=0;
+}
+
+# TODO unix socket of gitlab-git-http-server
+upstream gitlab-git-http-server {
+  server unix:<%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %>;
+}
+
+# TODO do always
+<% if @https && @redirect_http_to_https %>
+## Redirects all HTTP traffic to the HTTPS host
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
+<% end %>
+  server_name <%= @fqdn %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+}
+<% end %>
+
+server {
+  listen ${gitlab-backend:host}:${gitlab-backend:port}<% if @https %> ssl spdy<% end %>;
+
+  # we don't use: kerbeeros
+  # <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
+  # listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
+  # <% end %>
+
+  # XXX fqdn
+  server_name <%= @fqdn %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  root ${gitlab-root-shadow:location}/public;
+
+  # XXX max body size
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
+  client_max_body_size <%= @client_max_body_size %>;
+
+  # TODO ssl
+  # <% if @https %>
+  # ## Strong SSL Security
+  # ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  # ssl on;
+  # ssl_certificate <%= @ssl_certificate %>;
+  # ssl_certificate_key <%= @ssl_certificate_key %>;
+  # <% if @ssl_client_certificate %>
+  # ssl_client_certificate <%= @ssl_client_certificate%>;
+  #       <% end %>
+  #
+  # # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  # ssl_ciphers '<%= @ssl_ciphers %>';
+  # ssl_protocols  <%= @ssl_protocols %>;
+  # ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  # ssl_session_cache  <%= @ssl_session_cache %>;
+  # ssl_session_timeout  <%= @ssl_session_timeout %>;
+  #
+  # <% if @ssl_dhparam %>
+  # ssl_dhparam <%= @ssl_dhparam %>;
+  # <% end %>
+  # <% end %>
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  ${nginx:log}/gitlab_access.log gitlab_access;
+  error_log   ${nginx:log}/gitlab_error.log;
+
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  location /uploads/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    #<%= 'gzip off;' if @https %>    # TODO
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
+    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    # TODO https
+    #<% if @https %>
+    #proxy_set_header    X-Forwarded-Ssl     on;
+    #<% end %>
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
+    proxy_pass http://gitlab;
+  }
+
+  ## If a file, which is not found in the root folder is requested,
+  ## then the proxy passes the request to the upsteam (gitlab unicorn).
+  location @gitlab {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # <%= 'gzip off;' if @https %>  # TODO
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
+    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    # TODO https
+    #<% if @https %>
+    #proxy_set_header    X-Forwarded-Ssl     on;
+    #<% end %>
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
+    proxy_pass http://gitlab;
+  }
+
+  location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
+    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+    error_page 418 = @gitlab-git-http-server;
+    return 418;
+  }
+
+  location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
+    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+    error_page 418 = @gitlab-git-http-server;
+    return 418;
+  }
+
+  location ~ ^/api/v3/projects/.*/repository/archive {
+    # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+    error_page 418 = @gitlab-git-http-server;
+    return 418;
+  }
+
+  location @gitlab-git-http-server {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    # TODO
+    # <%= 'gzip off;' if @https %>
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
+    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    # TODO
+    # <% if @https %>
+    # proxy_set_header    X-Forwarded-Ssl     on;
+    # <% end %>
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+
+    proxy_pass http://gitlab-git-http-server;
+  }
+
+  ## Enable gzip compression as per rails guide:
+  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+  ## WARNING: If you are using relative urls remove the block below
+  ## See config/application.rb under "Relative url support" for the list of
+  ## other files that need to be changed for relative url support
+  location ~ ^/(assets)/ {
+    root ${gitlab-root-shadow:location}/public;
+    gzip_static on; # to serve pre-gzipped version
+    expires max;
+    add_header Cache-Control public;
+  }
+
+
+  error_page 502 /502.html;
+}
--- a/software/gitlab/template/nginx.conf.in
+++ b/software/gitlab/template/nginx.conf.in
 # @autogenerated XXX
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
-# (last updated for TODO)
+# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
+
+user ${gitlab-backend:user};
+worker_processes ${instance-parameter:configuration.nginx_worker_processes}
+error_log stderr;
+pid nginx.pid;
+
+daemon off;
+
+events {
+  worker_connections ${instance-parameter:configuration.nginx_worker_connections};
+}
+
+http {
+  # XXX do we need to tune this?
+  # log_format gitlab_access '<%= @gitlab_access_log_format %>';
+  # log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
+  # log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
+
+  sendfile    ${instance-parameter:configuration.nginx_sendfile};
+  tcp_nopush  ${instance-parameter:configuration.nginx_tcp_nopush};
+  tcp_nodelay ${instance-parameter:configuration.nginx_tcp_nodelay};
+
+  keepalive_timeout ${instance-parameter:configuration.nginx_keepalive_timeout};
+
+  gzip              ${instance-parameter:configuration.nginx_gzip};
+  gzip_http_version ${instance-parameter:configuration.nginx_http_version};
+  gzip_comp_level   ${instance-parameter:configuration.nginx_gzip_comp_level};
+  gzip_proxied      ${instance-parameter:configuration.nginx_gzip_proxied};
+  gzip_types        ${instance-parameter:configuration.nginx_gzip_types};
+
+  include ${nginx-output:mime}
+
+  include <gitlab_http_config>
+
+  # we don't need: ci, mattermost
+  # include <%= @gitlab_ci_http_config %>
+  # include <%= @gitlab_mattermost_http_config %>
+}