author | Rémy Coutable <remy@rymai.me> | 2016-04-13 09:53:13 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-04-13 09:53:13 +0000 |
commit | e83424a13e1b5d2e55ae5bd0aeae6a4c5f88262a (patch) | |
tree | fbd59aea542ed6661f5261a49a862b07132f7b00 | |
parent | 5d14615a762d63ba3e04fa5ebbbbd990bdbd7572 (diff) | |
parent | e18f20d7118b7c8f2ff18a6e4255d6c7c0995b04 (diff) | |
download | gitlab-ce-e83424a13e1b5d2e55ae5bd0aeae6a4c5f88262a.tar.gz |
Merge branch 'configure_trusted_proxies' into 'master'
Adjust the default trusted_proxies to only include localhost
And also allow other trusted proxies to be added from the config.yml.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/3538
Omnibus config: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1208
See merge request !3524
-rw-r--r-- | CHANGELOG | 2 | ||||
-rw-r--r-- | config/gitlab.yml.example | 9 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
-rw-r--r-- | config/initializers/trusted_proxies.rb | 2 | ||||
-rw-r--r-- | doc/install/installation.md | 10 |
5 files changed, 24 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 9b0c6ba4609..2b2d26c2540 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,8 @@ v 8.7.0 (unreleased) - Load award emoji images separately unless opening the full picker. Saves several hundred KBs of data for most pages. (Connor Shea) - All images in discussions and wikis now link to their source files !3464 (Connor Shea). - Return status code 303 after a branch DELETE operation to avoid project deletion (Stan Hu) + - Add setting for customizing the list of trusted proxies !3524 + - Fix `signed_in_ip` being set to 127.0.0.1 when using a reverse proxy !3524 - Improved Markdown rendering performance !3389 (Yorick Peterse) - Don't attempt to look up an avatar in repo if repo directory does not exist (Stan Hu) - Expose project badges in project settings diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 35c7c425a5a..56caee47c97 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -46,6 +46,15 @@ production: &base # # relative_url_root: /gitlab + # Trusted Proxies + # Customize if you have GitLab behind a reverse proxy which is running on a different machine. + # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. + trusted_proxies: + # Examples: + #- 192.168.1.0/24 + #- 192.168.2.1 + #- 2001:0db8::/32 + # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 72c4d8d61ce..2167da306f2 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb 
@@ -190,6 +190,7 @@ Settings.gitlab.default_projects_features['visibility_level'] = Settings.send Settings.gitlab['repository_downloads_path'] = File.join(Settings.shared['path'], 'cache/archive') if Settings.gitlab['repository_downloads_path'].nil? Settings.gitlab['restricted_signup_domains'] ||= [] Settings.gitlab['import_sources'] ||= ['github','bitbucket','gitlab','gitorious','google_code','fogbugz','git'] +Settings.gitlab['trusted_proxies'] ||= [] # diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb new file mode 100644 index 00000000000..b8cc025bae2 --- /dev/null +++ b/config/initializers/trusted_proxies.rb @@ -0,0 +1,2 @@ +Rails.application.config.action_dispatch.trusted_proxies = + [ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies) diff --git a/doc/install/installation.md b/doc/install/installation.md index f8f7d6a9ebe..e721e70a596 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md @@ -530,6 +530,16 @@ See the [omniauth integration document](../integration/omniauth.md) GitLab can build your projects. To enable that feature you need GitLab Runners to do that for you. Checkout the [GitLab Runner section](https://about.gitlab.com/gitlab-ci/#gitlab-runner) to install it +### Adding your Trusted Proxies + +If you are using a reverse proxy on an separate machine, you may want to add the +proxy to the trusted proxies list. Otherwise users will appear signed in from the +proxy's IP address. + +You can add trusted proxies in `config/gitlab.yml` by customizing the `trusted_proxies` +option in section 1. Save the file and [reconfigure GitLab](../administration/restart_gitlab.md) +for the changes to take effect. + ### Custom Redis Connection If you'd like Resque to connect to a Redis server on a non-standard port or on a different host, you can configure its connection string via the `config/resque.yml` file. |
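Review bot: in the config/gitlab.yml.example hunk, the new comment block says what happens when a proxy is missing from the list but not what listing one grants. Every address under `trusted_proxies` is believed when it reports the forwarded client address, so the `192.168.1.0/24` and `2001:0db8::/32` examples encourage trusting whole networks. Suggest adding a comment line that only reverse proxies you operate belong here, and leading with the single-address example. It would also help to note that leaving the key empty is valid, since the bare `trusted_proxies:` relies on the `||= []` default added in 1_settings.rb.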
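Review bot: in config/initializers/trusted_proxies.rb the configured entries are appended as raw strings via `Array(Gitlab.config.gitlab.trusted_proxies)`, while gitlab.yml.example advertises CIDR values such as `192.168.1.0/24`. If the list is matched by comparing each entry against the request address, a range given as a string only matches itself literally and the setting silently does nothing for ranges. Suggest converting each entry with `IPAddr.new` here, which also makes a malformed value fail at boot instead of being ignored. The diffstat shows no spec among the 5 changed files; a test covering a single address, a range, and an empty setting would pin this behaviour down.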
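Review bot: in the doc/install/installation.md hunk, "on an separate machine" should read "on a separate machine", and "option in section 1" does not tell the reader where in `config/gitlab.yml` to look; the example file places the key under `production: &base` right after `relative_url_root`, so say that. The link text "reconfigure GitLab" points at restart_gitlab.md, so the wording and the target disagree; use one term consistently. The paragraph should also carry the same caveat as the config comment: an address on this list is trusted to state the client's IP, so only proxies under your control should be added.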