diff options
| -rw-r--r-- | Gemfile | 5 | ||||
| -rw-r--r-- | Gemfile.lock | 6 | ||||
| -rw-r--r-- | config/routes.rb | 7 | ||||
| -rw-r--r-- | doc/install/installation.md | 29 | ||||
| -rw-r--r-- | doc/update/7.14-to-8.0.md | 159 | ||||
| -rw-r--r-- | lib/gitlab/backend/grack_auth.rb | 16 | ||||
| -rwxr-xr-x | lib/support/init.d/gitlab | 74 | ||||
| -rwxr-xr-x | lib/support/init.d/gitlab.default.example | 10 | ||||
| -rw-r--r-- | lib/support/nginx/gitlab | 44 | ||||
| -rw-r--r-- | lib/support/nginx/gitlab-ssl | 44 |
10 files changed, 299 insertions, 95 deletions
@@ -40,11 +40,6 @@ gem "browser", '~> 1.0.0' # Provide access to Gitlab::Git library gem "gitlab_git", '~> 7.2.14' -# Ruby/Rack Git Smart-HTTP Server Handler -# GitLab fork with a lot of changes (improved thread-safety, better memory usage etc) -# For full list of changes see https://github.com/SaitoWu/grack/compare/master...gitlabhq:master -gem 'gitlab-grack', '~> 2.0.2', require: 'grack' - # LDAP Auth # GitLab fork with several improvements to original library. For full list of changes # see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master diff --git a/Gemfile.lock b/Gemfile.lock index 814249c7ff6..bedcf9c85b0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -263,8 +263,6 @@ GEM flowdock (~> 0.7) gitlab-grit (>= 2.4.1) multi_json - gitlab-grack (2.0.2) - rack (~> 1.5.1) gitlab-grit (2.7.2) charlock_holmes (~> 0.6) diff-lcs (~> 1.1) @@ -787,7 +785,6 @@ DEPENDENCIES gemnasium-gitlab-service (~> 0.2) github-markup gitlab-flowdock-git-hook (~> 1.0.1) - gitlab-grack (~> 2.0.2) gitlab-linguist (~> 3.0.1) gitlab_emoji (~> 0.1) gitlab_git (~> 7.2.14) @@ -881,6 +878,3 @@ DEPENDENCIES virtus webmock (~> 1.21.0) wikicloth (= 0.8.1) - -BUNDLED WITH - 1.10.6 diff --git a/config/routes.rb b/config/routes.rb index 8ba439f08b8..920ece518ea 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -30,12 +30,7 @@ Gitlab::Application.routes.draw do end # Enable Grack support - mount Grack::Bundle.new({ - git_path: Gitlab.config.git.bin_path, - project_root: Gitlab.config.gitlab_shell.repos_path, - upload_pack: Gitlab.config.gitlab_shell.upload_pack, - receive_pack: Gitlab.config.gitlab_shell.receive_pack - }), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post] + mount Grack::Auth.new({}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post] # Help get 'help' => 'help#index' diff --git a/doc/install/installation.md b/doc/install/installation.md index 73e36fa7e51..52031e9b9a1 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md @@ -125,13 +125,25 @@ Install the Bundler Gem: sudo gem install bundler --no-ri --no-rdoc -## 3. System Users +## 3. Go + +Since GitLab 8.0, Git HTTP requests are handled by gitlab-git-http-server. +This is a small daemon written in Go. +To install gitlab-git-http-server we need a Go compiler. + + curl -O --progress https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz + echo '5817fa4b2252afdb02e11e8b9dc1d9173ef3bd5a go1.5.linux-amd64.tar.gz' | shasum -c - && \ + sudo tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz + sudo ln -sf /usr/local/go/bin/{go,godoc,gofmt} /usr/local/bin/ + rm go1.5.linux-amd64.tar.gz + +## 4. System Users Create a `git` user for GitLab: sudo adduser --disabled-login --gecos 'GitLab' git -## 4. Database +## 5. Database We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](database_mysql.md). *Note*: because we need to make use of extensions you need at least pgsql 9.1. @@ -157,7 +169,7 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da # Quit the database session gitlabhq_production> \q -## 5. Redis +## 6. Redis sudo apt-get install redis-server @@ -187,7 +199,7 @@ We recommend using a PostgreSQL database. For MySQL check [MySQL setup guide](da # Add git to the redis group sudo usermod -aG redis git -## 6. GitLab +## 7. GitLab # We'll install GitLab into home directory of the user "git" cd /home/git @@ -297,6 +309,13 @@ GitLab Shell is an SSH access and repository management software developed speci **Note:** Make sure your hostname can be resolved on the machine itself by either a proper DNS record or an additional line in /etc/hosts ("127.0.0.1 hostname"). This might be necessary for example if you set up gitlab behind a reverse proxy. If the hostname cannot be resolved, the final installation check will fail with "Check GitLab API access: FAILED. code: 401" and pushing commits will be rejected with "[remote rejected] master -> master (hook declined)". +### Install gitlab-git-http-server + + cd /home/git + sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-git-http-server.git + cd gitlab-git-http-server + sudo -u git -H make + ### Initialize Database and Activate Advanced Features sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production @@ -345,7 +364,7 @@ Check if GitLab and its environment are configured correctly: # or sudo /etc/init.d/gitlab restart -## 7. Nginx +## 8. Nginx **Note:** Nginx is the officially supported web server for GitLab. If you cannot or do not want to use Nginx as your web server, have a look at the [GitLab recipes](https://gitlab.com/gitlab-org/gitlab-recipes/). diff --git a/doc/update/7.14-to-8.0.md b/doc/update/7.14-to-8.0.md new file mode 100644 index 00000000000..29a38d07b3d --- /dev/null +++ b/doc/update/7.14-to-8.0.md @@ -0,0 +1,159 @@ +# From 7.14 to 8.0 + +### 0. Double-check your Git version + +**This notice applies only to /usr/local/bin/git** + +If you compiled Git from source on your GitLab server then please double-check +that you are using a version that protects against CVE-2014-9390. For six +months after this vulnerability became known the GitLab installation guide +still contained instructions that would install the outdated, 'vulnerable' Git +version 2.1.2. + +Run the following command to get your current Git version. + +``` +/usr/local/bin/git --version +``` + +If you see 'No such file or directory' then you did not install Git according +to the outdated instructions from the GitLab installation guide and you can go +to the next step 'Stop server' below. + +If you see a version string then it should be v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, +v2.2.1 or newer. You can use the [instructions in the GitLab source +installation +guide](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md#1-packages-dependencies) +to install a newer version of Git. + +### 1. Stop server + + sudo service gitlab stop + +### 2. Backup + +```bash +cd /home/git/gitlab +sudo -u git -H bundle exec rake gitlab:backup:create RAILS_ENV=production +``` + +### 3. Get latest code + +```bash +sudo -u git -H git fetch --all +sudo -u git -H git checkout -- db/schema.rb # local changes will be restored automatically +``` + +For GitLab Community Edition: + +```bash +sudo -u git -H git checkout 8-0-stable +``` + +OR + +For GitLab Enterprise Edition: + +```bash +sudo -u git -H git checkout 8-0-stable-ee +``` + +### 4. Update gitlab-shell + +```bash +cd /home/git/gitlab-shell +sudo -u git -H git fetch +sudo -u git -H git checkout v2.6.4 +``` + +### 5. Install gitlab-git-http-server + +First we download Go 1.5 and install it into /usr/local/go. + + curl -O --progress https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz + echo '5817fa4b2252afdb02e11e8b9dc1d9173ef3bd5a go1.5.linux-amd64.tar.gz' | shasum -c - && \ + sudo tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz + sudo ln -sf /usr/local/go/bin/{go,godoc,gofmt} /usr/local/bin/ + rm go1.5.linux-amd64.tar.gz + +Now we download gitlab-git-http-server and install it in /home/git/gitlab-git-http-server. + + cd /home/git + sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-git-http-server.git + cd gitlab-git-http-server + sudo -u git -H make + +If you put your Git repositories in a directory different from /home/git/repositories, you need to tell gitlab-git-http-server about it via /etc/gitlab/default. +See lib/support/init.d/gitlab.default.example for the options. + +### 6. Install libs, migrations, etc. + +```bash +cd /home/git/gitlab + +# MySQL installations (note: the line below states '--without ... postgres') +sudo -u git -H bundle install --without development test postgres --deployment + +# PostgreSQL installations (note: the line below states '--without ... mysql') +sudo -u git -H bundle install --without development test mysql --deployment + +# Run database migrations +sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production + +# Clean up assets and cache +sudo -u git -H bundle exec rake assets:clean assets:precompile cache:clear RAILS_ENV=production + +# Update init.d script +sudo cp lib/support/init.d/gitlab /etc/init.d/gitlab +``` + +### 7. Update config files + +#### New configuration options for `gitlab.yml` + +There are new configuration options available for [`gitlab.yml`](config/gitlab.yml.example). View them with the command below and apply them to your current `gitlab.yml`. + +``` +git diff origin/7-14-stable:config/gitlab.yml.example origin/8-0-stable:config/gitlab.yml.example +`````` + +#### New NGINX configuration + +Because of the new gitlab-git-http-server you need to update your NGINX configuration. +If you skip this step 'git clone' and 'git push' over HTTP(S) will stop working. + +``` +# Remove '-ssl' twice in the diff command below if you use HTTP instead of HTTPS +git diff origin/7-14-stable:lib/support/nginx/gitlab-ssl origin/8-0-stable:lib/support/nginx/gitlab-ssl +``` + +### 8. Start application + + sudo service gitlab start + sudo service nginx restart + +### 9. Check application status + +Check if GitLab and its environment are configured correctly: + + sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production + +To make sure you didn't miss anything run a more thorough check with: + + sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production + +If all items are green, then congratulations, the upgrade is complete! + +## Things went south? Revert to previous version (7.14) + +### 1. Revert the code to the previous version +Follow the [upgrade guide from 7.13 to 7.14](7.13-to-7.14.md), except for the database migration +(The backup is already migrated to the previous version) + +### 2. Restore from the backup: + +```bash +cd /home/git/gitlab +sudo -u git -H bundle exec rake gitlab:backup:restore RAILS_ENV=production +``` +If you have more than one backup *.tar file(s) please add `BACKUP=timestamp_of_backup` to the command above. diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index 12292f614e9..dc87aa52a3e 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -26,12 +26,8 @@ module Grack auth! if project && authorized_request? - if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1' - # Tell gitlab-git-http-server the request is OK, and what the GL_ID is - render_grack_auth_ok - else - @app.call(env) - end + # Tell gitlab-git-http-server the request is OK, and what the GL_ID is + render_grack_auth_ok elsif @user.nil? && !@gitlab_ci unauthorized else @@ -132,7 +128,9 @@ module Grack case git_cmd when *Gitlab::GitAccess::DOWNLOAD_COMMANDS - if user + if !Gitlab.config.gitlab_shell.upload_pack + false + elsif user Gitlab::GitAccess.new(user, project).download_access_check.allowed? elsif project.public? # Allow clone/fetch for public projects @@ -141,7 +139,9 @@ module Grack false end when *Gitlab::GitAccess::PUSH_COMMANDS - if user + if !Gitlab.config.gitlab_shell.receive_pack + false + elsif user # Skip user authorization on upload request. # It will be done by the pre-receive hook in the repository. true diff --git a/lib/support/init.d/gitlab b/lib/support/init.d/gitlab index 457bd31e23b..f2923314d48 100755 --- a/lib/support/init.d/gitlab +++ b/lib/support/init.d/gitlab @@ -37,6 +37,10 @@ web_server_pid_path="$pid_path/unicorn.pid" sidekiq_pid_path="$pid_path/sidekiq.pid" mail_room_enabled=false mail_room_pid_path="$pid_path/mail_room.pid" +gitlab_git_http_server_pid_path="$pid_path/gitlab-git-http-server.pid" +gitlab_git_http_server_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-git-http-server.socket -authBackend http://127.0.0.1:8080" +gitlab_git_http_server_repo_root='/home/git/repositories' +gitlab_git_http_server_log="$app_root/log/gitlab-git-http-server.log" shell_path="/bin/bash" # Read configuration variable file if it is present @@ -72,6 +76,11 @@ check_pids(){ else spid=0 fi + if [ -f "$gitlab_git_http_server_pid_path" ]; then + hpid=$(cat "$gitlab_git_http_server_pid_path") + else + hpid=0 + fi if [ "$mail_room_enabled" = true ]; then if [ -f "$mail_room_pid_path" ]; then mpid=$(cat "$mail_room_pid_path") @@ -85,7 +94,7 @@ check_pids(){ wait_for_pids(){ # We are sleeping a bit here mostly because sidekiq is slow at writing it's pid i=0; - while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; }; do + while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || [ ! -f $gitlab_git_http_server_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; }; do sleep 0.1; i=$((i+1)) if [ $((i%10)) = 0 ]; then @@ -120,6 +129,12 @@ check_status(){ else sidekiq_status="-1" fi + if [ $hpid -ne 0 ]; then + kill -0 "$hpid" 2>/dev/null + gitlab_git_http_server_status="$?" + else + gitlab_git_http_server_status="-1" + fi if [ "$mail_room_enabled" = true ]; then if [ $mpid -ne 0 ]; then kill -0 "$mpid" 2>/dev/null @@ -128,7 +143,7 @@ check_status(){ mail_room_status="-1" fi fi - if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; }; then + if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && [ $gitlab_git_http_server_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; }; then gitlab_status=0 else # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html @@ -156,6 +171,13 @@ check_stale_pids(){ exit 1 fi fi + if [ "$hpid" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ]; then + echo "Removing stale gitlab-git-http-server pid. This is most likely caused by gitlab-git-http-server crashing the last time it ran." + if ! rm "$gitlab_git_http_server_pid_path"; then + echo "Unable to remove stale pid, exiting" + exit 1 + fi + fi if [ "$mail_room_enabled" = true ] && [ "$mpid" != "0" ] && [ "$mail_room_status" != "0" ]; then echo "Removing stale MailRoom job dispatcher pid. This is most likely caused by MailRoom crashing the last time it ran." if ! rm "$mail_room_pid_path"; then @@ -168,7 +190,7 @@ check_stale_pids(){ ## If no parts of the service is running, bail out. exit_if_not_running(){ check_stale_pids - if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then + if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then echo "GitLab is not running." exit fi @@ -184,6 +206,9 @@ start_gitlab() { if [ "$sidekiq_status" != "0" ]; then echo "Starting GitLab Sidekiq" fi + if [ "$gitlab_git_http_server_status" != "0" ]; then + echo "Starting gitlab-git-http-server" + fi if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" != "0" ]; then echo "Starting GitLab MailRoom" fi @@ -205,6 +230,17 @@ start_gitlab() { RAILS_ENV=$RAILS_ENV bin/background_jobs start & fi + if [ "$gitlab_git_http_server_status" = "0" ]; then + echo "The gitlab-git-http-server is already running with pid $spid, not restarting" + else + # No need to remove a socket, gitlab-git-http-server does this itself + $app_root/bin/daemon_with_pidfile $gitlab_git_http_server_pid_path \ + $app_root/../gitlab-git-http-server/gitlab-git-http-server \ + $gitlab_git_http_server_options \ + $gitlab_git_http_server_repo_root \ + >> $gitlab_git_http_server_log 2>&1 & + fi + if [ "$mail_room_enabled" = true ]; then # If MailRoom is already running, don't start it again. if [ "$mail_room_status" = "0" ]; then @@ -226,33 +262,27 @@ stop_gitlab() { if [ "$web_status" = "0" ]; then echo "Shutting down GitLab Unicorn" + RAILS_ENV=$RAILS_ENV bin/web stop fi if [ "$sidekiq_status" = "0" ]; then echo "Shutting down GitLab Sidekiq" - fi - if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then - echo "Shutting down GitLab MailRoom" - fi - - # If the Unicorn web server is running, tell it to stop; - if [ "$web_status" = "0" ]; then - RAILS_ENV=$RAILS_ENV bin/web stop - fi - # And do the same thing for the Sidekiq. - if [ "$sidekiq_status" = "0" ]; then RAILS_ENV=$RAILS_ENV bin/background_jobs stop fi - # And do the same thing for the MailRoom. + if [ "$gitlab_git_http_server_status" = "0" ]; then + echo "Shutting down gitlab-git-http-server" + kill $(cat $gitlab_git_http_server_pid_path) + fi if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then + echo "Shutting down GitLab MailRoom" RAILS_ENV=$RAILS_ENV bin/mail_room stop fi # If something needs to be stopped, lets wait for it to stop. Never use SIGKILL in a script. - while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do + while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_git_http_server_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do sleep 1 check_status printf "." - if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then + if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then printf "\n" break fi @@ -262,6 +292,7 @@ stop_gitlab() { # Cleaning up unused pids rm "$web_server_pid_path" 2>/dev/null # rm "$sidekiq_pid_path" 2>/dev/null # Sidekiq seems to be cleaning up it's own pid. + rm -f "$gitlab_git_http_server_pid_path" if [ "$mail_room_enabled" = true ]; then rm "$mail_room_pid_path" 2>/dev/null fi @@ -272,7 +303,7 @@ stop_gitlab() { ## Prints the status of GitLab and it's components. print_status() { check_status - if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then + if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_git_http_server_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then echo "GitLab is not running." return fi @@ -286,6 +317,11 @@ print_status() { else printf "The GitLab Sidekiq job dispatcher is \033[31mnot running\033[0m.\n" fi + if [ "$gitlab_git_http_server_status" = "0" ]; then + echo "The gitlab-git-http-server with pid $hpid is running." + else + printf "The gitlab-git-http-server is \033[31mnot running\033[0m.\n" + fi if [ "$mail_room_enabled" = true ]; then if [ "$mail_room_status" = "0" ]; then echo "The GitLab MailRoom email processor with pid $mpid is running." @@ -324,7 +360,7 @@ reload_gitlab(){ ## Restarts Sidekiq and Unicorn. restart_gitlab(){ check_status - if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then + if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_git_http_server" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then stop_gitlab fi start_gitlab diff --git a/lib/support/init.d/gitlab.default.example b/lib/support/init.d/gitlab.default.example index fd70cb7cc74..aab5acaa72c 100755 --- a/lib/support/init.d/gitlab.default.example +++ b/lib/support/init.d/gitlab.default.example @@ -30,6 +30,16 @@ web_server_pid_path="$pid_path/unicorn.pid" # The default is "$pid_path/sidekiq.pid" sidekiq_pid_path="$pid_path/sidekiq.pid" +gitlab_git_http_server_pid_path="$pid_path/gitlab-git-http-server.pid" +# The -listenXxx settings determine where gitlab-git-http-server +# listens for connections from NGINX. To listen on localhost:8181, write +# '-listenNetwork tcp -listenAddr localhost:8181'. +# The -authBackend setting tells gitlab-git-http-server where it can reach +# Unicorn. +gitlab_git_http_server_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-git-http-server.socket -authBackend http://127.0.0.1:8080" +gitlab_git_http_server_repo_root="/home/git/repositories" +gitlab_git_http_server_log="$app_root/log/gitlab-git-http-server.log" + # mail_room_enabled specifies whether mail_room, which is used to process incoming email, is enabled. # This is required for the Reply by email feature. # The default is "false" diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab index efa0898900f..17f89c8beb6 100644 --- a/lib/support/nginx/gitlab +++ b/lib/support/nginx/gitlab @@ -38,10 +38,9 @@ upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; } -## Experimental: gitlab-git-http-server -# upstream gitlab-git-http-server { -# server localhost:8181; -# } +upstream gitlab-git-http-server { + server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0; +} ## Normal HTTP host server { @@ -114,25 +113,24 @@ server { proxy_pass http://gitlab; } - ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn - # location ~ [-\/\w\.]+\.git\/ { - # ## If you use HTTPS make sure you disable gzip compression - # ## to be safe against BREACH attack. - # # gzip off; - - # ## https://github.com/gitlabhq/gitlabhq/issues/694 - # ## Some requests take more than 30 seconds. - # proxy_read_timeout 300; - # proxy_connect_timeout 300; - # proxy_redirect off; - - # proxy_set_header Host $http_host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - - # proxy_pass http://gitlab-git-http-server; - # } + location ~ [-\/\w\.]+\.git\/ { + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + # gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://gitlab-git-http-server; + } ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl index 314525518f1..5ba39fc41a4 100644 --- a/lib/support/nginx/gitlab-ssl +++ b/lib/support/nginx/gitlab-ssl @@ -42,10 +42,9 @@ upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; } -## Experimental: gitlab-git-http-server -# upstream gitlab-git-http-server { -# server localhost:8181; -# } +upstream gitlab-git-http-server { + server unix:/home/git/gitlab/tmp/sockets/gitlab-git-http-server.socket fail_timeout=0; +} ## Redirects all HTTP traffic to the HTTPS host server { @@ -161,25 +160,24 @@ server { proxy_pass http://gitlab; } - ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn - # location ~ [-\/\w\.]+\.git\/ { - # ## If you use HTTPS make sure you disable gzip compression - # ## to be safe against BREACH attack. - # gzip off; - - # ## https://github.com/gitlabhq/gitlabhq/issues/694 - # ## Some requests take more than 30 seconds. - # proxy_read_timeout 300; - # proxy_connect_timeout 300; - # proxy_redirect off; - - # proxy_set_header Host $http_host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-Ssl on; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_pass http://gitlab-git-http-server; - # } + location ~ [-\/\w\.]+\.git\/ { + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-git-http-server; + } ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression |