Initial import

1 files changed, 67 insertions, 0 deletions

diff --git a/nginx-ssl.conf.example b/nginx-ssl.conf.example
new file mode 100644
index 000000000000..48d89bca9401
--- /dev/null
+++ b/nginx-ssl.conf.example
@@ -0,0 +1,67 @@
+# GITLAB CI
+
+# You need to run openssl to generate a self-signed ssl certificate.
+# cd /etc/nginx/
+# sudo openssl req -new -x509 -nodes -days 3560 -out gitlabci.crt -keyout gitlabci.key
+# sudo chmod o-r gitlabci.key
+# You also need to edit gitlab-ci/config/application.yml
+#  1) Define port for http "port: 443"
+#  2) Enable https "https: true"
+#  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+
+upstream gitlab_ci {
+	## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended).
+	server unix:/var/run/gitlab-ci/gitlab-ci.socket;
+
+	## Uncomment if puma/unicorn are configured to listen on a tcp port.
+	## Check the port number in /etc/webapps/gitlab-ci/{puma.rb/unicorn.rb}
+	# server 127.0.0.1:8081;
+}
+
+# This is a normal HTTP host which redirects all traffic to the HTTPS host.
+# Replace git.example.com with your FQDN.
+server {
+	listen *:80;
+	server_name gitlabci.example.com;
+	server_tokens off;
+	root /nowhere; # this doesn't have to be a valid path since we are redirecting, you don't have to change it.
+	rewrite ^ https://$server_name$request_uri permanent;
+}
+server {
+	listen 443 ssl;
+	server_name gitlabci.example.com;
+	server_tokens off;
+	root /usr/share/webapps/gitlab-ci/public;
+
+	ssl on;
+	ssl_certificate /etc/nginx/gitlabci.crt;
+	ssl_certificate_key /etc/nginx/gitlabci.key;
+	ssl_protocols TLSv1 TLSv1.2;
+	ssl_ciphers AES:HIGH:!ADH:!MD5;
+	ssl_prefer_server_ciphers   on;
+
+	# individual nginx logs for this gitlab vhost
+	access_log  /var/log/nginx/gitlab-ci_access.log;
+	error_log   /var/log/nginx/gitlab-ci_error.log;
+
+	location / {
+		# serve static files from defined root folder;.
+		# @gitlab is a named location for the upstream fallback, see below
+		try_files $uri $uri/index.html $uri.html @gitlab_ci;
+	}
+
+	# if a file, which is not found in the root folder is requested,
+	# then the proxy pass the request to the upsteam (gitlab unicorn)
+	location @gitlab_ci {
+		proxy_read_timeout    300; # https://github.com/gitlabhq/gitlabhq/issues/694
+		proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+		proxy_redirect        off;
+
+		proxy_set_header  X-Forwarded-Proto https;
+		proxy_set_header  X-Forwarded-Ssl   on;
+		proxy_set_header  Host              $http_host;
+		proxy_set_header  X-Real-IP         $remote_addr;
+
+		proxy_pass http://gitlab_ci;
+	}
+}