-rw-r--r--.SRCINFO21
-rw-r--r--PKGBUILD23
-rw-r--r--gitlab-mailroom.service21
-rw-r--r--gitlab-sidekiq.service7
-rw-r--r--gitlab-workhorse.service19
-rw-r--r--nginx-ssl.conf.example111
-rw-r--r--nginx.conf.example89
7 files changed, 251 insertions, 40 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 292fb9994a5d..be9cb4dbf675 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = gitlab
pkgdesc = Project management and code hosting application
- pkgver = 8.0.3
+ pkgver = 8.2.1
pkgrel = 1
url = http://gitlab.org/gitlab-ce
install = gitlab.install
@@ -11,12 +11,13 @@ pkgbase = gitlab
depends = ruby2.1
depends = git>=1.7.10
depends = ruby2.1-bundler>=1.5.2
- depends = gitlab-shell=2.6.5
+ depends = gitlab-shell=2.6.7
depends = openssh
depends = redis>=2.0
depends = libxslt
- depends = icu
+ depends = icu55
depends = nodejs
+ depends = gitlab-workhorse=0.4.2
optdepends = mariadb: database backend
optdepends = postgresql>=9.1: database backend
optdepends = python2-docutils: reStructuredText markup language support
@@ -27,10 +28,12 @@ pkgbase = gitlab
backup = etc/webapps/gitlab/resque.yml
backup = etc/webapps/gitlab/unicorn.rb
backup = etc/logrotate.d/gitlab
- source = gitlab-8.0.3.tar.gz::https://github.com/gitlabhq/gitlabhq/archive/v8.0.3.tar.gz
+ source = gitlab-8.2.1.tar.gz::https://github.com/gitlabhq/gitlabhq/archive/v8.2.1.tar.gz
source = gitlab-unicorn.service
source = gitlab-sidekiq.service
source = gitlab-backup.service
+ source = gitlab-workhorse.service
+ source = gitlab-mailroom.service
source = gitlab-backup.timer
source = gitlab.target
source = gitlab.tmpfiles.d
@@ -42,10 +45,12 @@ pkgbase = gitlab
source = nginx.conf.example
source = nginx-ssl.conf.example
source = lighttpd.conf.example
- sha512sums = e247b3677ca86f43e665623c3a2602ab33843860537813fa64e3cd33b408698f0482e1ce437a4a30976b0656977f86890173ca044b7d07bfdfda3d269d311802
+ sha512sums = af6f02a3d5b1d789089b0dcfce1ea59fc30621ccca6e62edc831e5c85731769bc387db9c8d3d261f09b6b8441a111500c13082d8a2bdb115d9e46542155ff2aa
sha512sums = 5dd7a940eee6a84095478af514dcc98c4fc6c4a214de1ddfa4a1e727d4ba34984d66d51affd7844ffebb75fed8f781b38a0da80fba6a5b8fa832948ab39b2249
- sha512sums = 5596dd45dea18f0003305e9e6509745ba45a35937aa7b2ff5b21659a62426f9d889d60e337df9d5d7c4aeb6ba2223d1386036545806d358d294cbce105308aa0
+ sha512sums = 3075372952421eecc34475ddd5dbaa02eae37e98ba1760437c1f171ebbc036de758364ca48c57349d06a40bb5c0ddbb070efd47352c12101096eae335e7c9c3c
sha512sums = c22439ee4cb34adf42de7619a2b83b02359cada38cbe99dd3031e6e72225ec4b2c2d6306331eadfc1c2044609b7a7e8bceddf7be213b5d4dbcaff86b35fe1ce7
+ sha512sums = 6980dad2542f1923f84553799dd9787493762651adc8ae5ea22ba0a85422245bc4d8996690cd7e8346b391500cc2ea36e3593aeb6cd65d16be83fbec467e9c7a
+ sha512sums = ba4266709079f57e4e3d0e37a46e4ba2cac793ce0a4ac18d2edfe0b7fed8104a3a75bdea2997404a8f363b8017f3be2792745bbdaebf0d09cf78f825a56b0928
sha512sums = c11d2c59da8325551a465227096e8d39b0e4bcd5b1db21565cf3439e431838c04bc00aa6f07f4d493f3f47fd6b4e25aeb0fe0fc1a05756064706bf5708c960ec
sha512sums = c519a51d31300074ea12594fbcc8e9610d991ef04b1dac94d93a2b201df3465999cc7c6ac7f3896e02b117c2366d61dea1ef2f6b9cd7b18998385a7f26e5700f
sha512sums = 7a0f649f030b24315cc97f23b704dd1879274304706cf1a1fa125772803a6e918a2fa249bed229b9384552a572452c56379c50f46d2fa8aa999dc71c1ee047e0
@@ -54,8 +59,8 @@ pkgbase = gitlab
sha512sums = cd563238011696ba4a7fa1eff2c6604bda8d75c3e6bf9ecb6f0f22e68c9d782e49be3ce2eaad0c1b142116e2c7c59c9242936ba5797f02d5d0880f7e3004aa99
sha512sums = 2388bfd485bb2abaf08e28ed09848ba5dec7eac058836506d2f9f0954cfc75c71da062cc9b503f8f571cdda97c8a696f8aca20cca129ab5146c21b14e1e3ac61
sha512sums = db768f60192f6adb466021776c3cdacc263954bc63dc0fb30d13ef20d4db2816d4d1875637984672373eb71c47e65bcdeac52ab5964796b6285519e9aa19c91b
- sha512sums = 5445f2d386ab18277772f42e175a4bf465dfcb448c0fa3d867302a5e018277438e295d238a62077c842b2c2225555b5b2f17a9194ab87e5d5c7e21e4e9c92366
- sha512sums = 78c90dc1a7ef969f6c94a004fa1038b6fb76b50c6f3de077b39d40e2a07550e274338d81e83e2280fbd8c2d66ece1706e44c78c785bbc029f9a8a79d3f1eb063
+ sha512sums = e2cb969128b91eec6d435954dad3f3d76c6f6467d5a118043d530b7fdcf8657b1724abe406a20fc60702fcae4b5d02a0a3c782dcbc518db436a6c7bf874beb2f
+ sha512sums = 31d0ba225105f43f04befdf01cf8978b0cdfe4900d40e30c9427674b1ef70f534b44a8558a9474ae01b833f68d2e505f45faf9b70fdf2c8898b07cbb293ef779
sha512sums = c78b6f46abcf603d8db6e38cf50868e14145928422ddfe17c88e2f006b5b910dddf456ec5d6d724b250994530643963809688a98f7e12ebd5b5dabf7f96f0e06
pkgname = gitlab
diff --git a/PKGBUILD b/PKGBUILD
index fceff02e9f44..36d6c3caaf8f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,13 +6,13 @@
# Contributor: Caleb Maclennan <caleb@alerque.com>
pkgname=gitlab
-pkgver=8.0.3
+pkgver=8.2.1
pkgrel=1
pkgdesc="Project management and code hosting application"
arch=('i686' 'x86_64')
url="http://gitlab.org/gitlab-ce"
license=('MIT')
-depends=('ruby2.1' 'git>=1.7.10' 'ruby2.1-bundler>=1.5.2' 'gitlab-shell=2.6.5' 'openssh' 'redis>=2.0' 'libxslt' 'icu' 'nodejs')
+depends=('ruby2.1' 'git>=1.7.10' 'ruby2.1-bundler>=1.5.2' 'gitlab-shell=2.6.7' 'openssh' 'redis>=2.0' 'libxslt' 'icu55' 'nodejs' 'gitlab-workhorse=0.4.2')
makedepends=('cmake')
optdepends=(
'mariadb: database backend'
@@ -33,6 +33,8 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/gitlabhq/gitlabhq/archive/v
gitlab-unicorn.service
gitlab-sidekiq.service
gitlab-backup.service
+ gitlab-workhorse.service
+ gitlab-mailroom.service
gitlab-backup.timer
gitlab.target
gitlab.tmpfiles.d
@@ -45,10 +47,12 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/gitlabhq/gitlabhq/archive/v
nginx-ssl.conf.example
lighttpd.conf.example)
install='gitlab.install'
-sha512sums=('e247b3677ca86f43e665623c3a2602ab33843860537813fa64e3cd33b408698f0482e1ce437a4a30976b0656977f86890173ca044b7d07bfdfda3d269d311802'
+sha512sums=('af6f02a3d5b1d789089b0dcfce1ea59fc30621ccca6e62edc831e5c85731769bc387db9c8d3d261f09b6b8441a111500c13082d8a2bdb115d9e46542155ff2aa'
'5dd7a940eee6a84095478af514dcc98c4fc6c4a214de1ddfa4a1e727d4ba34984d66d51affd7844ffebb75fed8f781b38a0da80fba6a5b8fa832948ab39b2249'
- '5596dd45dea18f0003305e9e6509745ba45a35937aa7b2ff5b21659a62426f9d889d60e337df9d5d7c4aeb6ba2223d1386036545806d358d294cbce105308aa0'
+ '3075372952421eecc34475ddd5dbaa02eae37e98ba1760437c1f171ebbc036de758364ca48c57349d06a40bb5c0ddbb070efd47352c12101096eae335e7c9c3c'
'c22439ee4cb34adf42de7619a2b83b02359cada38cbe99dd3031e6e72225ec4b2c2d6306331eadfc1c2044609b7a7e8bceddf7be213b5d4dbcaff86b35fe1ce7'
+ '6980dad2542f1923f84553799dd9787493762651adc8ae5ea22ba0a85422245bc4d8996690cd7e8346b391500cc2ea36e3593aeb6cd65d16be83fbec467e9c7a'
+ 'ba4266709079f57e4e3d0e37a46e4ba2cac793ce0a4ac18d2edfe0b7fed8104a3a75bdea2997404a8f363b8017f3be2792745bbdaebf0d09cf78f825a56b0928'
'c11d2c59da8325551a465227096e8d39b0e4bcd5b1db21565cf3439e431838c04bc00aa6f07f4d493f3f47fd6b4e25aeb0fe0fc1a05756064706bf5708c960ec'
'c519a51d31300074ea12594fbcc8e9610d991ef04b1dac94d93a2b201df3465999cc7c6ac7f3896e02b117c2366d61dea1ef2f6b9cd7b18998385a7f26e5700f'
'7a0f649f030b24315cc97f23b704dd1879274304706cf1a1fa125772803a6e918a2fa249bed229b9384552a572452c56379c50f46d2fa8aa999dc71c1ee047e0'
@@ -57,8 +61,8 @@ sha512sums=('e247b3677ca86f43e665623c3a2602ab33843860537813fa64e3cd33b408698f048
'cd563238011696ba4a7fa1eff2c6604bda8d75c3e6bf9ecb6f0f22e68c9d782e49be3ce2eaad0c1b142116e2c7c59c9242936ba5797f02d5d0880f7e3004aa99'
'2388bfd485bb2abaf08e28ed09848ba5dec7eac058836506d2f9f0954cfc75c71da062cc9b503f8f571cdda97c8a696f8aca20cca129ab5146c21b14e1e3ac61'
'db768f60192f6adb466021776c3cdacc263954bc63dc0fb30d13ef20d4db2816d4d1875637984672373eb71c47e65bcdeac52ab5964796b6285519e9aa19c91b'
- '5445f2d386ab18277772f42e175a4bf465dfcb448c0fa3d867302a5e018277438e295d238a62077c842b2c2225555b5b2f17a9194ab87e5d5c7e21e4e9c92366'
- '78c90dc1a7ef969f6c94a004fa1038b6fb76b50c6f3de077b39d40e2a07550e274338d81e83e2280fbd8c2d66ece1706e44c78c785bbc029f9a8a79d3f1eb063'
+ 'e2cb969128b91eec6d435954dad3f3d76c6f6467d5a118043d530b7fdcf8657b1724abe406a20fc60702fcae4b5d02a0a3c782dcbc518db436a6c7bf874beb2f'
+ '31d0ba225105f43f04befdf01cf8978b0cdfe4900d40e30c9427674b1ef70f534b44a8558a9474ae01b833f68d2e505f45faf9b70fdf2c8898b07cbb293ef779'
'c78b6f46abcf603d8db6e38cf50868e14145928422ddfe17c88e2f006b5b910dddf456ec5d6d724b250994530643963809688a98f7e12ebd5b5dabf7f96f0e06')
_homedir="/var/lib/${pkgname}"
@@ -109,7 +113,7 @@ prepare() {
sed -e "s|production: unix:/var/run/redis/redis.sock|production: redis://localhost:6379|" \
config/resque.yml.example > config/resque.yml
msg2 "setting up systemd service files ..."
- for __srv in gitlab-sidekiq.service gitlab-unicorn.service gitlab.logrotate gitlab.tmpfiles.d gitlab-backup.service; do
+ for __srv in gitlab-sidekiq.service gitlab-unicorn.service gitlab.logrotate gitlab.tmpfiles.d gitlab-backup.service gitlab-workhorse.service gitlab-mailroom.service; do
sed -i "s|<HOMEDIR>|${_homedir}|g" "${srcdir}/${__srv}"
sed -i "s|<DATADIR>|${_datadir}|g" "${srcdir}/${__srv}"
sed -i "s|<LOGDIR>|${_logdir}|g" "${srcdir}/${__srv}"
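Review bot: The list of unit files that receive the placeholder substitution (the `for __srv in …` line here) and the list installed in the package() hunk at line 157 are two hand-maintained enumerations, and both had to be extended separately for the two new units; declaring one array next to `_homedir`, e.g. `_units=(gitlab-unicorn.service gitlab-sidekiq.service gitlab-backup.service gitlab-workhorse.service gitlab-mailroom.service)`, and iterating it from both loops would keep them from drifting. gitlab-backup.timer and gitlab.target are installed but never passed through this sed loop, which is only correct as long as they contain no `<HOMEDIR>`/`<DATADIR>`/`<LOGDIR>` placeholders — worth a one-line comment. prepare() starts outside this hunk.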
@@ -142,8 +146,7 @@ package() {
"${pkgdir}/usr/share/doc/${pkgname}" \
"${pkgdir}${_homedir}/www" \
"${pkgdir}${_homedir}/satellites" \
- "${pkgdir}${_datadir}/www" \
- "${pkgdir}${_datadir}/public/uploads"
+ "${pkgdir}${_datadir}/www"
ln -fs /run/gitlab "${pkgdir}${_homedir}/pids"
ln -fs /run/gitlab "${pkgdir}${_homedir}/sockets"
ln -fs ${_datadir}/log "${pkgdir}${_homedir}/log"
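Review bot: This hunk stops creating `${_datadir}/public/uploads`, while the nginx examples updated in the same commit now proxy `/uploads/` to the application, so the directory still has to exist and be writable by the gitlab user for attachments to work. Unless gitlab.install or gitlab.tmpfiles.d now creates it (neither is visible in this diff), the removal should be reverted, or a comment next to the `install -d` list should say where the directory is created instead. package() starts outside this hunk.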
@@ -176,7 +179,7 @@ package() {
find "${pkgdir}${_datadir}/public/help/" -depth -type d -empty -exec rmdir {} \;
# Install systemd service files
- for _file in gitlab-unicorn.service gitlab-sidekiq.service gitlab-backup.service gitlab-backup.timer gitlab.target; do
+ for _file in gitlab-unicorn.service gitlab-sidekiq.service gitlab-backup.service gitlab-backup.timer gitlab.target gitlab-workhorse.service gitlab-mailroom.service; do
install -Dm0644 "${srcdir}/${_file}" "${pkgdir}/usr/lib/systemd/system/${_file}"
done
diff --git a/gitlab-mailroom.service b/gitlab-mailroom.service
new file mode 100644
index 000000000000..b659a567183a
--- /dev/null
+++ b/gitlab-mailroom.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Gitlab mailroom Worker
+Requires=gitlab-unicorn.service
+Wants=gitlab-unicorn.service
+After=gitlab-unicorn.service
+
+[Service]
+User=gitlab
+Group=gitlab
+Environment=RAILS_ENV=production PATH=/opt/ruby2.1/bin:/usr/bin
+WorkingDirectory=<DATADIR>
+SyslogIdentifier=gitlab-mailroom
+PIDFile=/run/gitlab/gitlab-mailroom.pid
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStart=<DATADIR>/bin/mail_room start
+ExecStop=<DATADIR>/bin/mail_room stop
+
+[Install]
+WantedBy=multi-user.target \ No newline at end of file
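Review bot: `Type=oneshot` together with `RemainAfterExit=yes` makes systemd treat the unit as active as soon as `bin/mail_room start` returns and never supervise the background process, so the `PIDFile=` line is effectively unused and a crashed mail_room still shows as active; if `bin/mail_room start` daemonizes, `Type=forking` with the existing `PIDFile=` tracks the real process, which is what the new gitlab-workhorse unit already does. The unit also lacks the `ProtectHome=true` hardening that gitlab-sidekiq.service carries (visible in that file's hunk header), and since mail_room hands incoming mail to the sidekiq queue (presumably through redis), an `After=redis.service` ordering seems warranted. The file is also missing its trailing newline.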
diff --git a/gitlab-sidekiq.service b/gitlab-sidekiq.service
index 306ed8d31104..3e7b05d13d43 100644
--- a/gitlab-sidekiq.service
+++ b/gitlab-sidekiq.service
@@ -1,8 +1,9 @@
[Unit]
Description=GitLab Sidekiq Worker
-Requires=redis.service
+Requires=redis.service gitlab-unicorn.service
Wants=mysqld.service postgresql.service
-After=redis.service mysqld.service postgresql.service network.target
+After=redis.service mysqld.service postgresql.service network.target gitlab-unicorn.service
+JoinsNamespaceOf=gitlab-unicorn.service
[Service]
User=gitlab
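Review bot: `JoinsNamespaceOf=gitlab-unicorn.service` only takes effect when this unit enables the same private namespaces (`PrivateTmp=`, `PrivateNetwork=`) as the unit it joins; the hunk adds no such directive here and gitlab-unicorn.service is not part of this diff, so either both units need a matching `PrivateTmp=true` or the line is a no-op. Whichever is intended, a comment such as `# shares unicorn's private /tmp; requires PrivateTmp=true in both units` would record why the dependency exists. Note that `Requires=gitlab-unicorn.service` also stops sidekiq whenever unicorn is stopped, which is a behaviour change from the previous redis-only requirement.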
@@ -21,7 +22,7 @@ ProtectHome=true
# instead you can safely enable this security feature.
#NoNewPrivileges=true
-ExecStart=/usr/bin/bundle-2.1 exec "sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -q archive_repo -e production -L <LOGDIR>/sidekiq.log >> <LOGDIR>/sidekiq.log 2>&1"
+ExecStart=/usr/bin/bundle-2.1 exec "sidekiq -q post_receive -q mailer -q system_hook -q incoming_email -q project_web_hook -q gitlab_shell -q common -q default -q archive_repo -e production -L <LOGDIR>/sidekiq.log >> <LOGDIR>/sidekiq.log 2>&1"
[Install]
WantedBy=multi-user.target
diff --git a/gitlab-workhorse.service b/gitlab-workhorse.service
new file mode 100644
index 000000000000..2fba0c65f567
--- /dev/null
+++ b/gitlab-workhorse.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Gitlab Workhorse
+Requires=gitlab-unicorn.service
+Wants=gitlab-unicorn.service
+After=gitlab-unicorn.service
+
+[Service]
+User=gitlab
+Group=gitlab
+Type=forking
+#WorkingDirectory=/home/git/gitlab-workhorse
+WorkingDirectory=<DATADIR>
+SyslogIdentifier=gitlab-workhorse
+PIDFile=/run/gitlab/workhorse.pid
+
+ExecStart=<DATADIR>/bin/daemon_with_pidfile /run/gitlab/workhorse.pid /usr/bin/gitlab-workhorse -listenUmask 0 -listenNetwork unix -listenAddr <HOMEDIR>/sockets/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 <HOMEDIR>/repositories >> <LOGDIR>/gitlab-workhorse.log 2>&1
+
+[Install]
+WantedBy=multi-user.target
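Review bot: `-listenUmask 0` creates `<HOMEDIR>/sockets/gitlab-workhorse.socket` world-writable, so any local account can talk to workhorse and through it to the Rails backend without nginx in front; only the web-server user needs that socket, so a group-restricted umask such as `-listenUmask 0007` with nginx's user added to the gitlab group (or a socket directory with restricted permissions) limits the exposure to that user. `-authBackend http://127.0.0.1:8080` assumes unicorn listens on TCP 8080, whereas the nginx examples in this commit point `upstream gitlab` at a unix socket — confirm unicorn.rb binds both, otherwise workhorse cannot authenticate requests. Like the new mailroom unit, this one also lacks the `ProtectHome=true` hardening present in gitlab-sidekiq.service.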
diff --git a/nginx-ssl.conf.example b/nginx-ssl.conf.example
index 9b311eef3ffb..08641bbcc178 100644
--- a/nginx-ssl.conf.example
+++ b/nginx-ssl.conf.example
@@ -1,5 +1,4 @@
## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
@@ -9,6 +8,13 @@
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
+## CONTRIBUTING ##
+##################################
+##
+## If you change this file in a Merge Request, please also create
+## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+##
+##################################
## CHUNKED TRANSFER ##
##################################
##
@@ -26,9 +32,8 @@
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
-##
###################################
-## SSL configuration ##
+## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.
@@ -37,20 +42,30 @@ upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
}
-## Normal HTTP host
+upstream gitlab-git-http-server {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0;
+}
+
+## Redirects all HTTP traffic to the HTTPS host
server {
- listen *:80;
+ ## Either remove "default_server" from the listen line below,
+ ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+ ## to be served if you visit any address that your server responds to, eg.
+ ## the ip address of the server (http://x.x.x.x/)
+ listen 0.0.0.0:80;
+ listen [::]:80 ipv6only=on default_server;
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
-
- ## Redirects all traffic to the HTTPS host
- root /nowhere; ## root doesn't have to be a valid path since we are redirecting
- rewrite ^ https://$server_name$request_uri? permanent;
+ return 301 https://$server_name$request_uri;
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
}
+
## HTTPS host
server {
- listen 443 ssl;
+ listen 0.0.0.0:443 ssl;
+ listen [::]:443 ipv6only=on ssl default_server;
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /home/git/gitlab/public;
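Review bot: The new `upstream gitlab-git-http-server` points at `/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket`, but the gitlab-workhorse.service added in this commit listens on `<HOMEDIR>/sockets/gitlab-workhorse.socket`, i.e. under /var/lib/gitlab/sockets, which the PKGBUILD symlinks to /run/gitlab, so the example as shipped cannot reach workhorse; the entry should read `server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;` or the service should be changed to match. The same mismatch is in the nginx.conf.example hunk at line 436. The two HTTP `listen` lines are also inconsistent: `[::]:80` carries `default_server` while `0.0.0.0:80` does not, unlike nginx.conf.example where both do, and the comment above them talks about removing `default_server` from a line that does not have it.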
@@ -66,7 +81,7 @@ server {
ssl_certificate_key /etc/nginx/ssl/gitlab.key;
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
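Review bot: The trimmed `ssl_ciphers` list still carries the 3DES suites `ECDHE-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` and the non-forward-secret static-RSA suites, and `ssl_protocols` still enables TLSv1; the comment above attributes this to Java IDE compatibility, so it should name which clients still need these so that they can be dropped once that constraint goes away. Separately, the next hunk deletes `add_header Strict-Transport-Security max-age=63072000;` together with the X-Frame-Options and X-Content-Type-Options headers while keeping the comment that defers to application_controller.rb; unless the Rails application itself emits Strict-Transport-Security, HTTPS deployments lose HSTS, so either that one `add_header` should stay or the comment should state explicitly that the application sets it.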
@@ -74,12 +89,6 @@ server {
## See app/controllers/application_controller.rb for headers set
- ## [WARNING] The following header states that the browser should only communicate
- ## with your server over a secure connection for the next 24 months.
- add_header Strict-Transport-Security max-age=63072000;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
-
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
## Replace with your ssl_trusted_certificate. For more info see:
## - https://medium.com/devops-programming/4445f4862461
@@ -106,6 +115,28 @@ server {
try_files $uri $uri/index.html $uri.html @gitlab;
}
+ ## We route uploads through GitLab to prevent XSS and enforce access control.
+ location /uploads/ {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://gitlab;
+ }
+
## If a file, which is not found in the root folder is requested,
## then the proxy passes the request to the upsteam (gitlab unicorn).
location @gitlab {
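Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a header on the request forwarded to unicorn, not on the response to the browser, so it provides no clickjacking protection; a response header would be `add_header X-Frame-Options SAMEORIGIN;`, and since the comment above the block says uploads are routed through GitLab so the application can apply its own controls, the line is more likely just to be dropped. The same line appears in the nginx.conf.example uploads block at line 477.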
@@ -129,6 +160,52 @@ server {
proxy_pass http://gitlab;
}
+ location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location ~ ^/api/v3/projects/.*/repository/archive {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location @gitlab-git-http-server {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ # Do not buffer Git HTTP responses
+ proxy_buffering off;
+
+ # The following settings only work with NGINX 1.7.11 or newer
+ #
+ # # Pass chunked request bodies to gitlab-git-http-server as-is
+ # proxy_request_buffering off;
+ # proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://gitlab-git-http-server;
+ }
+
## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below
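Review bot: The three `location ~` blocks each repeat the `error_page 418 = @gitlab-git-http-server; return 418;` trick only to reuse the named location; one regex location such as `location ~ ^/(?:[\w\.-]+/[\w\.-]+/(?:info/refs|git-upload-pack|git-receive-pack)$|[\w\.-]+/[\w\.-]+/repository/archive|api/v3/projects/.*/repository/archive)` holding the proxy directives directly removes the hack and the triplicated comment. The `[\w\.-]+/[\w\.-]+/` prefix matches exactly one namespace level, which is worth stating in a comment so that a later change to path depth is not silently routed to unicorn instead of workhorse. The same three blocks are duplicated in nginx.conf.example from line 488.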
diff --git a/nginx.conf.example b/nginx.conf.example
index ee32d533475a..1e55c5a04868 100644
--- a/nginx.conf.example
+++ b/nginx.conf.example
@@ -1,10 +1,16 @@
## GitLab
-## Maintainer: @randx
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
+## CONTRIBUTING ##
+##################################
+##
+## If you change this file in a Merge Request, please also create
+## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+##
+##################################
## CHUNKED TRANSFER ##
##################################
##
@@ -26,14 +32,24 @@
## configuration ##
###################################
##
+## See installation.md#using-https for additional HTTPS configuration details.
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
}
+upstream gitlab-git-http-server {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0;
+}
+
## Normal HTTP host
server {
- listen *:80;
+ ## Either remove "default_server" from the listen line below,
+ ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+ ## to be served if you visit any address that your server responds to, eg.
+ ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /home/git/gitlab/public;
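Review bot: The added comment line `## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;` has a stray fragment of a `listen` directive pasted onto its end; nginx ignores it because it follows `##`, but it should read `## the ip address of the server (http://x.x.x.x/)` to match the same comment in nginx-ssl.conf.example.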
@@ -42,6 +58,8 @@ server {
## Or if you want to accept large git objects over http
client_max_body_size 20m;
+ ## See app/controllers/application_controller.rb for headers set
+
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
@@ -52,6 +70,27 @@ server {
try_files $uri $uri/index.html $uri.html @gitlab;
}
+ ## We route uploads through GitLab to prevent XSS and enforce access control.
+ location /uploads/ {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ # gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://gitlab;
+ }
+
## If a file, which is not found in the root folder is requested,
## then the proxy passes the request to the upsteam (gitlab unicorn).
location @gitlab {
@@ -74,6 +113,52 @@ server {
proxy_pass http://gitlab;
}
+ location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location ~ ^/api/v3/projects/.*/repository/archive {
+ # 'Error' 418 is a hack to re-use the @gitlab-git-http-server block
+ error_page 418 = @gitlab-git-http-server;
+ return 418;
+ }
+
+ location @gitlab-git-http-server {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ # gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ # Do not buffer Git HTTP responses
+ proxy_buffering off;
+
+ # The following settings only work with NGINX 1.7.11 or newer
+ #
+ # # Pass chunked request bodies to gitlab-git-http-server as-is
+ # proxy_request_buffering off;
+ # proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://gitlab-git-http-server;
+ }
+
## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below