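{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)
#
# Jinja2 template for the nginx vhost that fronts gitlab-workhorse. Jinja2
# blocks ({# ... #}, {% ... %}, {{ ... }}) are expanded at instantiation time;
# the <% ... %> fragments inside {# ... #} are the upstream ERB kept for
# reference only and never reach nginx.
{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn with context %}
## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
##         CHUNKED TRANSFER      ##
###################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

## Backend is the gitlab-workhorse unix socket; nginx only ever proxies to it
## over plain HTTP on the local filesystem.
upstream gitlab-workhorse {
  server unix:{{ gitlab_workhorse.socket }};
}

{# not needed for us - the frontend can do the redirection and also gitlab/nginx
   speaks HSTS on https port so when we access https port via http protocol, it
   gets redirected to https
<% if @https && @redirect_http_to_https %>
## Redirects all HTTP traffic to the HTTPS host
server {
  <% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
  <% end %>
  server_name <%= @fqdn %>;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
  error_log   <%= @log_directory %>/gitlab_error.log;
}
<% end %>
#}

server {
  ## TLS is enabled per listen socket via the "ssl" listen parameter; this is
  ## the supported form (the standalone "ssl on;" directive is obsolete since
  ## nginx 1.15.0 and is rejected by nginx 1.25.1+).
  ## NOTE(review): the "http2" listen parameter is deprecated since nginx 1.25.1
  ## in favour of the "http2 on;" directive; kept here because the parameter
  ## still works and "http2 on;" would break older nginx releases.
  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl http2{% endif %};
  {# we don't use: kerbeeros
  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
  <% end %>
  #}
  server_name {{ fqdn }};
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size {{ cfg('nginx_client_max_body_size') }};

{% if cfg_https %}
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ## ("ssl on;" intentionally omitted - see the comment on the listen directive.)
  ssl_certificate {{ nginx.cert_file }};
  ssl_certificate_key {{ nginx.key_file }};
  {# we don't need - most root CA will be included by default
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
  #}

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  # NOTE(slapos) ^^^ is not relevant for us - we are behind frontend and clients
  # directly connects to frontend
  # Cipher suite and protocol list come from the instance parameters; this
  # server only terminates the frontend -> backend hop.
  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
  ssl_protocols {{ cfg('nginx_ssl_protocols') }};
  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
  ssl_session_cache {{ cfg('nginx_ssl_session_cache') }};
  ssl_session_timeout {{ cfg('nginx_ssl_session_timeout') }};

  {# we do not use: ssl_dhparam
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>
  #}
{% endif %}

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## NOTE(review): while the block below stays disabled, $remote_addr is the
  ## address of the frontend that connects to this server, not of the end
  ## user; see the X-Real-IP / X-Forwarded-For comment in the location block.
  {# TODO support trusted proxies & realip
  <% if @real_ip_header %>
  real_ip_header <%= @real_ip_header %>;
  <% end %>
  <% if @real_ip_recursive %>
  real_ip_recursive <%= @real_ip_recursive %>;
  <% end %>
  <% @real_ip_trusted_addresses.each do |trusted_address| %>
  set_real_ip_from <%= trusted_address %>;
  <% end %>
  #}

  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;

  {# we do not support relative URL - path is always "/" #}
  {% set path = "/" %}
  location {{ path }} {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    {{ 'gzip off;' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
    proxy_redirect          off;

    ## HTTP/1.1 towards workhorse is needed for chunked request bodies
    ## (see the CHUNKED TRANSFER section above).
    proxy_http_version 1.1;

    # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
    # - files/gitlab-config-template/gitlab.rb.template  nginx['proxy_set_headers']
    # - files/gitlab-cookbooks/gitlab/attributes/default.rb  default['gitlab']['nginx']['proxy_set_headers']
    # - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb  parse_nginx_proxy_headers()
    # (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
    #
    # NOTE(review): with the real_ip block above still a TODO, X-Real-IP carries
    # the frontend's address and X-Forwarded-For is whatever the frontend
    # forwarded plus that same address ($proxy_add_x_forwarded_for appends
    # $remote_addr). Anything in GitLab that keys on the client IP (logs,
    # IP-based limits) therefore sees the frontend, or a header the frontend
    # chose to pass through - confirm the frontend sanitises X-Forwarded-For
    # until set_real_ip_from / real_ip_header are configured.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
{% if cfg_https %}
    proxy_set_header X-Forwarded-Ssl on;
{% endif %}
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto {{ "https" if cfg_https else "http" }};

    proxy_pass http://gitlab-workhorse;
  }

  ## Static error pages served from the GitLab public directory; "internal"
  ## makes them reachable only through error_page, never by direct request.
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root {{ gitlab_work.location }}/public;
    internal;
  }

  {# we don't support custom nginx configs
  <%= @custom_gitlab_server_config %>
  #}
}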