gitlab-ssl 7.1 KB
Newer Older
1
## GitLab
2
## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
3 4 5
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
6
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
7
##
8
## Lines starting with two hashes (##) are comments with information.
9
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
10 11 12 13 14 15 16 17 18 19 20 21
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
22
## At the time of writing we do not know if either of these theoretical solutions works.
Ben Bodenmiller's avatar
Ben Bodenmiller committed
23
## As a workaround users can use Git over SSH to push large files.
24 25 26 27
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
28 29
##
###################################
30
##         configuration         ##
31 32
###################################
##
33
## See installation.md#using-https for additional HTTPS configuration details.
34 35

upstream gitlab {
36
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
37 38
}

39
## Redirects all HTTP traffic to the HTTPS host
40
server {
41
  listen 0.0.0.0:80;
42
  listen [::]:80 ipv6only=on default_server;
43 44
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
45 46 47
  return 301 https://$server_name$request_uri;
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
48 49
}

50

Ben Bodenmiller's avatar
Ben Bodenmiller committed
51
## HTTPS host
52
server {
53
  listen 0.0.0.0:443 ssl;
54
  listen [::]:443 ipv6only=on ssl default_server;
55
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
56
  server_tokens off; ## Don't show the nginx version number, a security best practice
57 58 59 60 61 62 63
  root /home/git/gitlab/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 20m;

  ## Strong SSL Security
64
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
65 66 67 68
  ssl on;
  ssl_certificate /etc/nginx/ssl/gitlab.crt;
  ssl_certificate_key /etc/nginx/ssl/gitlab.key;

69
  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
70 71 72 73
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
74
  ssl_session_timeout 5m;
75

76
  ## See app/controllers/application_controller.rb for headers set
77

78 79 80 81 82 83 84 85 86
  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
87
  # resolver_timeout 5s;
88 89

  ## [Optional] Generate a stronger DHE parameter:
90
  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
91 92 93
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

94 95 96 97 98 99 100 101 102 103
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

104 105
  ## We route uploads through GitLab to prevent XSS and enforce access control.
  location /uploads/ {
106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

123 124 125
    proxy_pass http://gitlab;
  }

mattes's avatar
mattes committed
126 127 128 129 130 131
  ## If ``go get`` detected, return go-import meta tag.
  ## This works for public and for private repositories.
  ## See also http://golang.org/cmd/go/#hdr-Remote_import_paths
  if ($http_user_agent ~* "Go") {
    return 200 "
      <!DOCTYPE html>
mattes's avatar
mattes committed
132
      <head><meta content='$host$uri git $scheme://$host$uri.git' name='go-import'></head>
mattes's avatar
mattes committed
133 134 135
      </html>";
  }

136
  ## If a file, which is not found in the root folder is requested,
Ben Bodenmiller's avatar
Ben Bodenmiller committed
137
  ## then the proxy passes the request to the upsteam (gitlab unicorn).
138
  location @gitlab {
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

156 157 158 159 160
    proxy_pass http://gitlab;
  }

  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
Ben Bodenmiller's avatar
Ben Bodenmiller committed
161
  ## WARNING: If you are using relative urls remove the block below
162 163 164
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
165
    root /home/git/gitlab/public;
166 167 168 169 170 171 172
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }

  error_page 502 /502.html;
}