author: Achilleas Pipinellis <axil@gitlab.com>, 2019-02-12 12:34:21 +0000
committer: Achilleas Pipinellis <axil@gitlab.com>, 2019-02-12 12:34:21 +0000
commit: 8d7ed982ef361120fef3b431249684333a5462c3
tree: eb3ddf3e0feeff4699f0c302e65db82e90b0ca6c
parent: 8ef6e10c6c4d4539bbb39ff3c1c42abfcdfd29ed
parent: 284b7bc1387100a3bfe761aa594258de42b4600f
Merge branch 'docs-realignment-ce' into 'master'
Docs: Realign several CE docs that diverged from EE unnecessarily
See merge request gitlab-org/gitlab-ce!24849
-rw-r--r-- doc/administration/high_availability/gitlab.md | 8
-rw-r--r-- doc/administration/high_availability/load_balancer.md | 54
-rw-r--r-- doc/administration/uploads.md | 2
-rw-r--r-- doc/ci/examples/sast_docker.md | 2
4 files changed, 58 insertions, 8 deletions
diff --git a/doc/administration/high_availability/gitlab.md b/doc/administration/high_availability/gitlab.md
index 2ca860bd763..e554c06532e 100644
--- a/doc/administration/high_availability/gitlab.md
+++ b/doc/administration/high_availability/gitlab.md
@@ -58,6 +58,7 @@ for each GitLab application server in your environment.
# Disable components that will not be on the GitLab application server
roles ['application_role']
+ nginx['enable'] = true
# PostgreSQL connection details
gitlab_rails['db_adapter'] = 'postgresql'
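Review bot: the added `nginx['enable'] = true` sits directly under the comment "Disable components that will not be on the GitLab application server", so the example now reads as if enabling Nginx were part of disabling components. Give the line its own comment saying why Nginx has to be enabled explicitly alongside `roles ['application_role']`, and separate it from the roles line so the two settings are not read as one group.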
@@ -90,6 +91,8 @@ for each GitLab application server in your environment.
certificates are not present, Nginx will fail to start. See
[Nginx documentation](http://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
for more information.
+ >
+ > **Note:** It is best to set the `uid` and `gid`s prior to the initial reconfigure of GitLab. Omnibus will not recursively `chown` directories if set after the initial reconfigure.
## First GitLab application server
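Review bot: the new `uid`/`gid` note is appended to the blockquote about Nginx failing to start without certificates, which is an unrelated topic, and it does not say which users' or groups' IDs are meant or where they are set. Move it next to the step that configures those IDs, name the settings, and spell out what an administrator has to do if the IDs are changed later, since Omnibus will not recursively `chown` the directories. The wording "`uid` and `gid`s" is also inconsistent; use the same number for both.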
@@ -108,8 +111,9 @@ Additional GitLab servers (servers configured **after** the first GitLab server)
need some extra configuration.
1. Configure shared secrets. These values can be obtained from the primary
- GitLab server in `/etc/gitlab/gitlab-secrets.json`. Add these to
- `/etc/gitlab/gitlab.rb` **prior to** running the first `reconfigure`.
+ GitLab server in `/etc/gitlab/gitlab-secrets.json`. Copy this file to the
+ secondary servers **prior to** running the first `reconfigure` in the steps
+ above.
```ruby
gitlab_shell['secret_token'] = 'fbfb19c355066a9afb030992231c4a363357f77345edd0f2e772359e5be59b02538e1fa6cae8f93f7d23355341cea2b93600dab6d6c3edcdced558fc6d739860'
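Review bot: the rewritten step now says to copy `/etc/gitlab/gitlab-secrets.json` to the secondary servers, but the `ruby` block that follows still shows `gitlab_shell['secret_token'] = ...`, which only fits the old instruction to add the values to `/etc/gitlab/gitlab.rb`. Drop or reword that example so the reader is not given two different procedures. "in the steps above" is also vague; name the step. Since this file holds the shared secrets, it is worth saying that the copy should go over an authenticated, encrypted channel and that the file's ownership and restrictive permissions should be kept on the destination.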
diff --git a/doc/administration/high_availability/load_balancer.md b/doc/administration/high_availability/load_balancer.md
index 359de0efadb..28b226cacd5 100644
--- a/doc/administration/high_availability/load_balancer.md
+++ b/doc/administration/high_availability/load_balancer.md
@@ -8,7 +8,53 @@ choice already. Some examples including HAProxy (open-source), F5 Big-IP LTM,
and Citrix Net Scaler. This documentation will outline what ports and protocols
you need to use with GitLab.
-## Basic ports
+## SSL
+
+How will you handle SSL in your HA environment? There are several different
+options:
+
+- Each application node terminates SSL
+- The load balancer(s) terminate SSL and communication is not secure between
+ the load balancer(s) and the application nodes
+- The load balancer(s) terminate SSL and communication is *secure* between the
+ load balancer(s) and the application nodes
+
+### Application nodes terminate SSL
+
+Configure your load balancer(s) to pass connections on port 443 as 'TCP' rather
+than 'HTTP(S)' protocol. This will pass the connection to the application nodes
+Nginx service untouched. Nginx will have the SSL certificate and listen on port 443.
+
+See [Nginx HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
+for details on managing SSL certificates and configuring Nginx.
+
+### Load Balancer(s) terminate SSL without backend SSL
+
+Configure your load balancer(s) to use the 'HTTP(S)' protocol rather than 'TCP'.
+The load balancer(s) will then be responsible for managing SSL certificates and
+terminating SSL.
+
+Since communication between the load balancer(s) and GitLab will not be secure,
+there is some additional configuration needed. See
+[Nginx Proxied SSL documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl)
+for details.
+
+### Load Balancer(s) terminate SSL with backend SSL
+
+Configure your load balancer(s) to use the 'HTTP(S)' protocol rather than 'TCP'.
+The load balancer(s) will be responsible for managing SSL certificates that
+end users will see.
+
+Traffic will also be secure between the load balancer(s) and Nginx in this
+scenario. There is no need to add configuration for proxied SSL since the
+connection will be secure all the way. However, configuration will need to be
+added to GitLab to configure SSL certificates. See
+[Nginx HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html#enable-https)
+for details on managing SSL certificates and configuring Nginx.
+
+## Ports
+
+### Basic ports
| LB Port | Backend Port | Protocol |
| ------- | ------------ | --------------- |
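Review bot: in "Load Balancer(s) terminate SSL without backend SSL" the text says communication between the load balancer(s) and GitLab "will not be secure" but gives no guidance on when that is acceptable. Add a sentence stating that this option sends traffic to the application nodes in cleartext and should be limited to a network segment you trust, so readers choosing between the three options understand the trade-off. Smaller points: "the application nodes Nginx service" needs a possessive ("nodes'"), and the headings use "Load Balancer(s)" while the body uses "load balancer(s)".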
@@ -16,9 +62,9 @@ you need to use with GitLab.
| 443 | 443 | TCP or HTTPS [^1] [^2] |
| 22 | 22 | TCP |
-## GitLab Pages Ports
+### GitLab Pages Ports
-If you're using GitLab Pages with custom domain support you will need some
+If you're using GitLab Pages with custom domain support you will need some
additional port configurations.
GitLab Pages requires a separate virtual IP address. Configure DNS to point the
`pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the
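Review bot: while these headings are being changed anyway, their capitalisation could be made consistent: this hunk keeps "GitLab Pages Ports" in title case, whereas the heading added just above it is "Basic ports" in sentence case. Pick one style for the subsections under "## Ports".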
@@ -29,7 +75,7 @@ GitLab Pages requires a separate virtual IP address. Configure DNS to point the
| 80 | Varies [^3] | HTTP |
| 443 | Varies [^3] | TCP [^4] |
-## Alternate SSH Port
+### Alternate SSH Port
Some organizations have policies against opening SSH port 22. In this case,
it may be helpful to configure an alternate SSH hostname that allows users
diff --git a/doc/administration/uploads.md b/doc/administration/uploads.md
index 476ae8e8a76..9dfe085425f 100644
--- a/doc/administration/uploads.md
+++ b/doc/administration/uploads.md
@@ -149,7 +149,7 @@ _The uploads are stored by default in
[reconfigure gitlab]: restart_gitlab.md#omnibus-gitlab-reconfigure "How to reconfigure Omnibus GitLab"
[restart gitlab]: restart_gitlab.md#installations-from-source "How to restart GitLab"
-[eep]: https://about.gitlab.com/gitlab-ee/ "GitLab Enterprise Edition Premium"
+[eep]: https://about.gitlab.com/gitlab-ee/ "GitLab Premium"
[ce]: https://about.gitlab.com/gitlab-ce/ "GitLab Community Edition"
[ee-3867]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3867
[ce-17358]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17358
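Review bot: the link title changes to "GitLab Premium", but the reference label stays `[eep]` and the URL still points at `https://about.gitlab.com/gitlab-ee/`. If the rename is meant to retire the "Enterprise Edition Premium" name, check whether the target URL is still the right landing page and consider renaming the label where it is used, so the three parts of the reference agree.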
diff --git a/doc/ci/examples/sast_docker.md b/doc/ci/examples/sast_docker.md
index 9f4a63e296d..3a657b3a3d5 100644
--- a/doc/ci/examples/sast_docker.md
+++ b/doc/ci/examples/sast_docker.md
@@ -1 +1 @@
-This document was moved to [another location](./container_scanning.md). \ No newline at end of file
+This document was moved to [another location](./container_scanning.md).