summaryrefslogtreecommitdiff
path: root/lib/support
diff options
context:
space:
mode:
authorAchilleas Pipinellis <axilleas@axilleas.me>2014-06-05 16:03:50 +0300
committerAchilleas Pipinellis <axilleas@axilleas.me>2014-06-05 16:54:50 +0300
commit7be6b8ca73b1bd7fd46f01ca43fe9d57a2ba0809 (patch)
treef5a1a9ecaf741934acf201f2cefa292020511f2c /lib/support
parent7e41eca38ae4598e083372777c20ff6aa2b491ad (diff)
downloadgitlab-ce-7be6b8ca73b1bd7fd46f01ca43fe9d57a2ba0809.tar.gz
Move gitlab-ssl nginx config from gitlab-recipes
Diffstat (limited to 'lib/support')
-rw-r--r--lib/support/nginx/gitlab-ssl164
1 files changed, 164 insertions, 0 deletions
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
new file mode 100644
index 00000000000..22e923b377c
--- /dev/null
+++ b/lib/support/nginx/gitlab-ssl
@@ -0,0 +1,164 @@
+## GitLab
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas
+##
+## Modified from nginx http version
+## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+##
+## Lines starting with two hashes (##) are comments containing information
+## for configuration. One hash (#) comments are actual configuration parameters
+## which you can comment/uncomment to your liking.
+##
+###################################
+## SSL configuration ##
+###################################
+##
+## Optimal configuration is taken from:
+## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+## Make sure to read it and understand what each option does.
+##
+## [Optional] Generate a self-signed ssl certificate:
+## mkdir /etc/nginx/ssl/
+## cd /etc/nginx/ssl/
+## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
+## sudo chmod o-r gitlab.key
+##
+## Edit `gitlab-shell/config.yml`:
+## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
+## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
+## 3) Set "self_signed_cert" to `true`
+## Edit `gitlab/config/gitlab.yml`:
+## 1) Define port for http "port: 443"
+## 2) Enable https "https: true"
+## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+##
+##################################
+## CHUNKED TRANSFER ##
+##################################
+##
+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
+## around this by tweaking this configuration file and either:
+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
+## - using a newer version of Nginx.
+##
+## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+## users can use Git over SSH to push large files.
+##
+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+## [1] https://github.com/agentzh/chunkin-nginx-module#status
+## [2] https://github.com/agentzh/chunkin-nginx-module
+
+
+upstream gitlab {
+
+ ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+
+ ## Uncomment if unicorn is configured to listen on a tcp port.
+ ## Check the port number in /home/git/gitlab/config/unicorn.rb
+ # server 127.0.0.1:8080;
+}
+
+## This is a normal HTTP host which redirects all traffic to the HTTPS host.
+server {
+ listen *:80;
+ ## Replace git.example.com with your FQDN.
+ server_name git.example.com;
+ server_tokens off;
+ ## root doesn't have to be a valid path since we are redirecting
+ root /nowhere;
+ rewrite ^ https://$server_name$request_uri permanent;
+}
+
+server {
+ listen 443 ssl;
+ ## Replace git.example.com with your FQDN.
+ server_name git.example.com;
+ server_tokens off;
+ root /home/git/gitlab/public;
+
+ ## Increase this if you want to upload large attachments
+ ## Or if you want to accept large git objects over http
+ client_max_body_size 20m;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/gitlab.crt;
+ ssl_certificate_key /etc/nginx/ssl/gitlab.key;
+
+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ resolver 208.67.222.222 208.67.222.220 valid=300s;
+ resolver_timeout 10s;
+
+ ssl_prefer_server_ciphers on;
+ ## [Optional] Generate a stronger DHE parameter (recommended):
+ ## cd /etc/ssl/certs
+ ## openssl dhparam -out dhparam.pem 2048
+ ##
+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ add_header Strict-Transport-Security max-age=63072000;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+
+ ## Individual nginx logs for this GitLab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ ## Serve static files from defined root folder.
+ ## @gitlab is a named location for the upstream fallback, see below.
+ try_files $uri $uri/index.html $uri.html @gitlab;
+ }
+
+ ## If a file, which is not found in the root folder is requested,
+ ## then the proxy pass the request to the upsteam (gitlab unicorn).
+ location @gitlab {
+
+ ## If you use https make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://gitlab;
+ }
+
+ ## Enable gzip compression as per rails guide:
+ ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+ ## WARNING: If you are using relative urls do remove the block below
+ ## See config/application.rb under "Relative url support" for the list of
+ ## other files that need to be changed for relative url support
+ location ~ ^/(assets)/ {
+ root /home/git/gitlab/public;
+ gzip_static on; # to serve pre-gzipped version
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_page 502 /502.html;
+}