summarylogtreecommitdiffstats
path: root/nginx-ssl.conf.example
blob: 48d89bca94016f6931779c5dca47d89d768ab942 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

# GITLAB CI

# You need to run openssl to generate a self-signed ssl certificate.
# cd /etc/nginx/
# sudo openssl req -new -x509 -nodes -days 3560 -out gitlabci.crt -keyout gitlabci.key
# sudo chmod o-r gitlabci.key
# You also need to edit gitlab-ci/config/application.yml
#  1) Define port for http "port: 443"
#  2) Enable https "https: true"
#  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"

upstream gitlab_ci {
	## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended).
	server unix:/var/run/gitlab-ci/gitlab-ci.socket;

	## Uncomment if puma/unicorn are configured to listen on a tcp port.
	## Check the port number in /etc/webapps/gitlab-ci/{puma.rb/unicorn.rb}
	# server 127.0.0.1:8081;
}

# This is a normal HTTP host which redirects all traffic to the HTTPS host.
# Replace git.example.com with your FQDN.
server {
	listen *:80;
	server_name gitlabci.example.com;
	server_tokens off;
	root /nowhere; # this doesn't have to be a valid path since we are redirecting, you don't have to change it.
	rewrite ^ https://$server_name$request_uri permanent;
}
server {
	listen 443 ssl;
	server_name gitlabci.example.com;
	server_tokens off;
	root /usr/share/webapps/gitlab-ci/public;

	ssl on;
	ssl_certificate /etc/nginx/gitlabci.crt;
	ssl_certificate_key /etc/nginx/gitlabci.key;
	ssl_protocols TLSv1 TLSv1.2;
	ssl_ciphers AES:HIGH:!ADH:!MD5;
	ssl_prefer_server_ciphers   on;

	# individual nginx logs for this gitlab vhost
	access_log  /var/log/nginx/gitlab-ci_access.log;
	error_log   /var/log/nginx/gitlab-ci_error.log;

	location / {
		# serve static files from defined root folder;.
		# @gitlab is a named location for the upstream fallback, see below
		try_files $uri $uri/index.html $uri.html @gitlab_ci;
	}

	# if a file, which is not found in the root folder is requested,
	# then the proxy pass the request to the upsteam (gitlab unicorn)
	location @gitlab_ci {
		proxy_read_timeout    300; # https://github.com/gitlabhq/gitlabhq/issues/694
		proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
		proxy_redirect        off;

		proxy_set_header  X-Forwarded-Proto https;
		proxy_set_header  X-Forwarded-Ssl   on;
		proxy_set_header  Host              $http_host;
		proxy_set_header  X-Real-IP         $remote_addr;

		proxy_pass http://gitlab_ci;
	}
}