
Commit cc7bc1ed authored by iv's avatar iv Committed by Alain Takoudjou

gitlab: configure trusted proxies for nginx

so that the client IP is no longer the frontend IP, so rack
attack won't be blacklisting frontend IPs
parent 3e38592a
...@@ -102,7 +102,10 @@ configuration.nginx_gzip_proxied = any ...@@ -102,7 +102,10 @@ configuration.nginx_gzip_proxied = any
configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
configuration.nginx_keepalive_timeout = 65 configuration.nginx_keepalive_timeout = 65
# TODO allow configuring trusted proxies # configuring trusted proxies
# configuration.nginx_real_ip_trusted_addresses # GitLab is behind a reverse proxy, so we don't want the IP address of the proxy
# configuration.nginx_real_ip_header # to show up as the client address (because rack attack blacklists the lab
# configuration.nginx_real_ip_recursive # frontend)
configuration.nginx_real_ip_trusted_addresses =
configuration.nginx_real_ip_header = X-Forwarded-For
configuration.nginx_real_ip_recursive = off
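Review bot: The three new `configuration.nginx_real_ip_*` keys are undocumented, and the comment above them only says why the feature exists; a deployer needs to know that any `X-Forwarded-For` value arriving from an address listed in `nginx_real_ip_trusted_addresses` becomes the client address for both nginx and rack-attack, so listing anything wider than the actual frontend addresses lets a client choose the address that rate limiting sees. I would extend the comment with `# nginx_real_ip_trusted_addresses: space-separated frontend addresses/CIDRs; empty trusts no proxy` and `# nginx_real_ip_recursive = off: only the last X-Forwarded-For address (the one added by the frontend) is used`. The empty default appears to leave the feature inactive until an operator fills it in, since the templates emit no `set_real_ip_from` for an empty list; if that is intended it is worth stating next to the key.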
...@@ -303,7 +303,7 @@ md5sum = eb1230fee50067924ba89f4dc6e82fa9 ...@@ -303,7 +303,7 @@ md5sum = eb1230fee50067924ba89f4dc6e82fa9
[gitlab-parameters.cfg] [gitlab-parameters.cfg]
<= download-file <= download-file
md5sum = a74670934ec0190cc212d1f3468c11ed md5sum = 9ff67261781092ae4d1096d65927b9f2
[gitlab-shell-config.yml.in] [gitlab-shell-config.yml.in]
<= download-template <= download-template
...@@ -315,7 +315,7 @@ md5sum = a9cb347f60aad3465932fd36cd4fe25d ...@@ -315,7 +315,7 @@ md5sum = a9cb347f60aad3465932fd36cd4fe25d
[gitlab.yml.in] [gitlab.yml.in]
<= download-template <= download-template
md5sum = 176939a6428a7aca4767a36421b0af2b md5sum = fb52f20f04b3c0bacd6a767dac9d6483
[instance-gitlab.cfg.in] [instance-gitlab.cfg.in]
<= download-file <= download-file
...@@ -331,7 +331,7 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4 ...@@ -331,7 +331,7 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4
[nginx-gitlab-http.conf.in] [nginx-gitlab-http.conf.in]
<= download-template <= download-template
md5sum = a11b50d2ff2b1fa842ba4aa20041e2fe md5sum = 37ea159762fe25db2af6b4ac3870d1e3
[nginx.conf.in] [nginx.conf.in]
<= download-template <= download-template
...@@ -36,11 +36,9 @@ production: &base ...@@ -36,11 +36,9 @@ production: &base
# Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies: trusted_proxies:
{# TODO support configuring trusted proxies {% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
<% @trusted_proxies.each do |proxy| %> - {{ proxy }}
- <%= proxy %> {% endfor %}
<% end %>
#}
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: {{ backend_info.user }} user: {{ backend_info.user }}
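Review bot: With the default `nginx_real_ip_trusted_addresses =` being empty, the new `{% for %}` emits no items and `trusted_proxies:` is left without a value, which YAML reads as null rather than an empty list; whether GitLab normalises a nil `trusted_proxies` to `[]` is not visible here and should be checked. If it does not, emitting `trusted_proxies: []` for the empty case keeps the rendered file valid, e.g. `{% set proxies = cfg("nginx_real_ip_trusted_addresses").split() %}` before the key and `trusted_proxies: {{ '[]' if not proxies else '' }}` in place of the bare key. The `production: &base` mapping that encloses this key starts and ends outside the hunk.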
...@@ -101,17 +101,15 @@ server { ...@@ -101,17 +101,15 @@ server {
## Real IP Module Config ## Real IP Module Config
## http://nginx.org/en/docs/http/ngx_http_realip_module.html ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
{# TODO support trusted proxies & realip {% if '{{ cfg("nginx_real_ip_header") }}' %}
<% if @real_ip_header %> real_ip_header '{{ cfg("nginx_real_ip_header") }}';
real_ip_header <%= @real_ip_header %>; {% endif %}
<% end %> {% if '{{ cfg("nginx_real_ip_recursive") }}' %}
<% if @real_ip_recursive %> real_ip_recursive '{{ cfg("nginx_real_ip_recursive") }}';
real_ip_recursive <%= @real_ip_recursive %>; {% endif %}
<% end %> {% for trusted_address in cfg("nginx_real_ip_trusted_addresses").split() %}
<% @real_ip_trusted_addresses.each do |trusted_address| %> set_real_ip_from {{ trusted_address }};
set_real_ip_from <%= trusted_address %>; {% endfor %}
<% end %>
#}
## Individual nginx logs for this GitLab vhost ## Individual nginx logs for this GitLab vhost
access_log {{ nginx.log }}/gitlab_access.log gitlab_access; access_log {{ nginx.log }}/gitlab_access.log gitlab_access;
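Review bot: The guards `{% if '{{ cfg("nginx_real_ip_header") }}' %}` and `{% if '{{ cfg("nginx_real_ip_recursive") }}' %}` look like they always pass: if this template is rendered by Jinja2 in a single pass, a quoted `{{ … }}` inside a `{% if %}` tag is an ordinary non-empty string literal, so `real_ip_header '';` would be emitted when the setting is empty instead of being skipped. The condition should test the value itself, `{% if cfg("nginx_real_ip_header") %}` and `{% if cfg("nginx_real_ip_recursive") %}`, unless the file is deliberately rendered twice, in which case a short comment saying so would help the next reader. With an empty trusted list the loop emits no `set_real_ip_from`, so nginx ignores the header, which is the safe outcome. The `server {` block enclosing these directives starts and ends outside the hunk.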