Merge branch 'configure_trusted_proxies' into 'master'

Adjust the default trusted_proxies to only include localhost And also allow other trusted proxies to be added from the config.yml. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/3538 Omnibus config: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1208 See merge request !3524

Merge branch 'configure_trusted_proxies' into 'master'
Adjust the default trusted_proxies to only include localhost And also allow other trusted proxies to be added from the config.yml. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/3538 Omnibus config: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1208 See merge request !3524
e83424a1 · Rémy Coutable · 5d14615a · e18f20d7 · e83424a1 · e83424a1
Commit e83424a1 authored Apr 13, 2016 by Rémy Coutable
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,8 @@ v 8.7.0 (unreleased)
  - Load award emoji images separately unless opening the full picker. Saves several hundred KBs of data for most pages. (Connor Shea)
  - All images in discussions and wikis now link to their source files !3464 (Connor Shea).
  - Return status code 303 after a branch DELETE operation to avoid project deletion (Stan Hu)
+  - Add setting for customizing the list of trusted proxies !3524
+  - Fix `signed_in_ip` being set to 127.0.0.1 when using a reverse proxy !3524
  - Improved Markdown rendering performance !3389 (Yorick Peterse)
  - Don't attempt to look up an avatar in repo if repo directory does not exist (Stan Hu)
  - Expose project badges in project settings

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -46,6 +46,15 @@ production: &base
    #
    # relative_url_root: /gitlab
+    # Trusted Proxies
+    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
+    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
+    trusted_proxies:
+      # Examples:
+      #- 192.168.1.0/24
+      #- 192.168.2.1
+      #- 2001:0db8::/32
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # user: git

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -190,6 +190,7 @@ Settings.gitlab.default_projects_features['visibility_level']    = Settings.send
 Settings.gitlab['repository_downloads_path'] = File.join(Settings.shared['path'], 'cache/archive') if Settings.gitlab['repository_downloads_path'].nil?
 Settings.gitlab['restricted_signup_domains'] ||= []
 Settings.gitlab['import_sources'] ||= ['github','bitbucket','gitlab','gitorious','google_code','fogbugz','git']
+Settings.gitlab['trusted_proxies'] ||= []
 #

--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
+Rails.application.config.action_dispatch.trusted_proxies =
+  [ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies)
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -530,6 +530,16 @@ See the [omniauth integration document](../integration/omniauth.md)
 GitLab can build your projects. To enable that feature you need GitLab Runners to do that for you.
 Checkout the [GitLab Runner section](https://about.gitlab.com/gitlab-ci/#gitlab-runner) to install it
+### Adding your Trusted Proxies
+If you are using a reverse proxy on an separate machine, you may want to add the
+proxy to the trusted proxies list. Otherwise users will appear signed in from the
+proxy's IP address.
+You can add trusted proxies in `config/gitlab.yml` by customizing the `trusted_proxies`
+option in section 1. Save the file and [reconfigure GitLab](../administration/restart_gitlab.md)
+for the changes to take effect.
 ### Custom Redis Connection
 If you'd like Resque to connect to a Redis server on a non-standard port or on a different host, you can configure its connection string via the `config/resque.yml` file.