diff --git a/Changelog.md b/Changelog.md index cbe8a6e4..1464dd6c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,13 @@ This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) for the list of changes in GitLab. +**latest** +- gitlab-shell: upgrade to v.2.7.2 +- gitlab: upgrade to CE v8.7.0 +- SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. +- OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers. +- Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter + **8.6.7** - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups - gitlab: upgrade to CE v8.6.7 diff --git a/Dockerfile b/Dockerfile index fa1e2fb5..74129b2a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ FROM sameersbn/ubuntu:14.04.20160422 MAINTAINER sameer@damagehead.com -ENV GITLAB_VERSION=8.6.7 \ - GITLAB_SHELL_VERSION=2.6.12 \ +ENV GITLAB_VERSION=8.7.0 \ + GITLAB_SHELL_VERSION=2.7.2 \ GITLAB_WORKHORSE_VERSION=0.7.1 \ GOLANG_VERSION=1.5.3 \ GITLAB_USER="git" \ diff --git a/README.md b/README.md index b1b4632e..30a56005 100644 --- a/README.md +++ b/README.md 
@@ -457,15 +457,18 @@ Please refer the [Available Configuration Parameters](#available-configuration-p #### Reply by email -Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements of this feature. +Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify `GITLAB_INCOMING_EMAIL_ADDRESS` if your incoming email address is not the same as the `IMAP_USER`. +If your email provider supports email [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) then you should add the `+%{key}` placeholder after the user part of the email address, eg. `GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com`. Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements for this feature. + If you are using Gmail then all you need to do is: ```bash docker run --name gitlab -d \ --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \ + --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:8.6.7-1 ``` 
@@ -658,7 +661,7 @@ Once you have the client ID and secret keys generated, configure them using the For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth. -You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. This is particularly useful when combined with `--env 'OAUTH_ALLOW_SSO=true'` and `--env 'OAUTH_BLOCK_AUTO_CREATED_USERS=false'`. +You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. #### Facebook 
@@ -783,7 +786,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_EMAIL_DISPLAY_NAME**: The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`. - **GITLAB_EMAIL_REPLY_TO**: The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. - **GITLAB_EMAIL_ENABLED**: Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. -- **GITLAB_INCOMING_EMAIL_ADDRESS**: The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. +- **GITLAB_INCOMING_EMAIL_ADDRESS**: The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to curretly set this parameter. - **GITLAB_INCOMING_EMAIL_ENABLED**: Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. - **GITLAB_SIGNUP_ENABLED**: Enable or disable user signups (first run only). Default is `true`. - **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults is `true`. 
@@ -816,6 +819,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_SSH_HOST**: The ssh host. Defaults to **GITLAB_HOST**. - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`. - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default. +- **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults. - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default. - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default. - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` 
@@ -880,11 +884,12 @@ Below is the complete list of available options that can be used to customize yo - **LDAP_BASE**: Base where we can search for users. No default. - **LDAP_USER_FILTER**: Filter LDAP users. No default. - **OAUTH_ENABLED**: Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. -- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `google_oauth2`, `twitter`, `github`, `gitlab`, `bitbucket` and `saml`. No default. -- **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`. +- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. +- **OAUTH_ALLOW_SSO**: Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`. - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. - **OAUTH_AUTO_LINK_SAML_USER**: Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. 
+- **OAUTH_EXTERNAL_PROVIDERS**: Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
 - **OAUTH_CAS3_LABEL**: The "Sign in with" button label. Defaults to "cas3".
 - **OAUTH_CAS3_SERVER**: CAS3 server URL. No defaults.
 - **OAUTH_CAS3_DISABLE_SSL_VERIFICATION**: Disable CAS3 SSL verification. Defaults to `false`.
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 8bc608cf..b3c84a0f 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -43,6 +43,7 @@ EOF
 # configure git for ${GITLAB_USER}
 exec_as_git git config --global core.autocrlf input
+exec_as_git git config --global gc.auto 0
 # install gitlab-shell
 echo "Downloading gitlab-workhorse v.${GITLAB_SHELL_VERSION}..."
@@ -83,6 +84,9 @@ exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${G
 # remove HSTS config from the default headers, we configure it in nginx
 exec_as_git sed -i "/headers\['Strict-Transport-Security'\]/d" ${GITLAB_INSTALL_DIR}/app/controllers/application_controller.rb
+# revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a
+exec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake
+
 cd ${GITLAB_INSTALL_DIR}
 # install gems, use local cache if available
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 83037543..04959783 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
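Review bot: `git config --global gc.auto 0` lands in ${GITLAB_USER}'s global git config, so it does not only quiet the build-time clones that follow; unless something later overrides it, it also switches off automatic repacking for every repository that user operates on at runtime, and the line carries no comment saying which of the two is intended. A why-comment would settle it, e.g. `# disable auto gc for the git user; NOTE(review): this persists into the runtime image, confirm that is intended`. If the intent is build-time only, passing `-c gc.auto=0` to the individual clone commands scopes the setting to the build.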
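Review bot: The `sed -i 's/db:reset/db:setup/'` patch of setup.rake has no check that the pattern matched, so when a future GITLAB_VERSION bump moves or rewords that task the substitution becomes a silent no-op and `rake gitlab:setup` would again run `db:reset`, which in Rails drops and recreates the database — the very outcome this line exists to prevent. Since this is a build script, failing the build is the right response: `grep -q 'db:reset' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake || { echo 'setup.rake no longer contains db:reset; review the revert' >&2; exit 1; }` placed before the sed. The same grep-before-sed guard applies to the Strict-Transport-Security deletion two lines up, which is equally unverified; the upstream commit id in the comment is a good anchor for whoever has to redo this later.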
@@ -46,6 +46,12 @@ production: &base # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}} + # Trusted Proxies + # Customize if you have GitLab behind a reverse proxy which is running on a different machine. + # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. + trusted_proxies: + - {{GITLAB_TRUSTED_PROXIES}} + # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git @@ -83,7 +89,7 @@ production: &base # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. - # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?))+)' + # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' ## Default project features settings default_projects_features: @@ -109,7 +115,7 @@ production: &base enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. - # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`. + # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}" # Email account username 
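Review bot: The new comment block should say what trusting an address actually does: the listed reverse proxy's forwarded-client-address header is then believed (presumably via Rails' remote-IP handling) for everything GitLab records or rate-limits by client IP, including the rack_attack configuration this image also manages, so the entry must be a proxy that sets that header itself rather than forwarding a client-supplied one, and it should not be a broad range. Suggested addition after the existing two comment lines: `# Only list proxies you control: GitLab trusts the client address they forward, and a proxy that passes through a client-supplied header lets callers spoof their IP.` Also `- {{GITLAB_TRUSTED_PROXIES}}` is a single list item, so the README's "only a single entry is permitted" is a template limitation worth stating here too, since a comma-separated value would be substituted as one malformed scalar.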
@@ -158,7 +164,17 @@ production: &base # Flag stuck CI builds as failed stuck_ci_builds_worker: cron: "0 0 * * *" + # Periodically run 'git fsck' on all repositories. If started more than + # once per hour you will have concurrent 'git fsck' jobs. + repository_check_worker: + cron: "20 * * * *" + # Send admin emails once a day + admin_email_worker: + cron: "0 0 * * *" + # Remove outdated repository archives + repository_archive_cache_worker: + cron: "0 * * * *" # # 2. GitLab CI settings @@ -294,7 +310,8 @@ production: &base # This allows users to login without having a user account first. Define the allowed providers # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. - allow_single_sign_on: {{OAUTH_ALLOW_SSO}} + allow_single_sign_on: [{{OAUTH_ALLOW_SSO}}] + # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}} # Look up new users in LDAP servers. If a match is found (same uid), automatically @@ -306,6 +323,13 @@ production: &base # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} + # Set different Omniauth providers as external so that all users creating accounts + # via these providers will not be able to have access to internal projects. You + # will need to use the full name of the provider, like `google_oauth2` for Google. + # Refer to the examples below for the full names of the supported providers. + # (default: []) + external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}] + ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: 
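Review bot: `allow_single_sign_on: [{{OAUTH_ALLOW_SSO}}]` turns the old boolean form into a one-element list, so a deployment still setting `OAUTH_ALLOW_SSO=true` (the value the README text removed in this commit recommended) now yields `[true]`, which is neither the documented `true` nor a provider name and presumably disables single sign-on silently instead of keeping it enabled for all providers. The changelog mentions the new semantics but nothing rejects or translates the legacy value; `gitlab_configure_oauth` in functions (outside this hunk) is the place to either map `true` to the full provider list and `false` to an empty value, or to exit with a clear message. Quoting deserves a thought as well: provider names are emitted as plain scalars, which is fine for the documented values, but a stray space turns `[github saml]` into a single bogus entry that matches nothing.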
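Review bot: The README line added in this commit for `OAUTH_EXTERNAL_PROVIDERS` says users from these providers "will have access internal projects", the opposite of what this template comment states ("will not be able to have access to internal projects"); the README sentence is missing a "not" and an operator reading only the README would configure the inverse of what they intend, so it should be corrected alongside this hunk. The yaml itself looks right: an empty `OAUTH_EXTERNAL_PROVIDERS` gives `external_providers: []`, matching the documented default.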
@@ -349,6 +373,8 @@ production: &base
 app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }
 - { name: 'saml', label: '{{OAUTH_SAML_LABEL}}',
+ groups_attribute: 'Groups',
+ external_groups: ['Contractors', 'Freelancers'],
 args: {
 assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
 idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index c5939b37..6ecdc8a0 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -71,6 +71,7 @@ GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
 GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false}
 GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
 GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
+GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
 if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`
 GITLAB_RELATIVE_URL_ROOT=
 fi
@@ -184,9 +185,6 @@ IMAP_ENABLED=${IMAP_ENABLED:-false}
 GITLAB_INCOMING_EMAIL_ENABLED=${GITLAB_INCOMING_EMAIL_ENABLED:-${IMAP_ENABLED}}
 GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-${IMAP_USER}}
 GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-reply@example.com}
-if ! grep -q '+%{key}@' <<< $GITLAB_INCOMING_EMAIL_ADDRESS; then
- GITLAB_INCOMING_EMAIL_ADDRESS=$(sed 's/@/+%{key}@/' <<< $GITLAB_INCOMING_EMAIL_ADDRESS)
-fi
 ## LDAP
 LDAP_ENABLED=${LDAP_ENABLED:-false}
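Review bot: `groups_attribute: 'Groups'` and `external_groups: ['Contractors', 'Freelancers']` are literal values, not `{{...}}` placeholders like every neighbouring SAML key, and they look like the illustrative values from upstream's gitlab.yml.example; as committed, every image built from this revision ships a SAML configuration in which any assertion whose "Groups" attribute contains either name marks that user external, and a site that happens to use those group names for something else gets users silently demoted. Either drop the two lines or parameterise them like the rest of the entry (for example `{{OAUTH_SAML_GROUPS_ATTRIBUTE}}` and `{{OAUTH_SAML_EXTERNAL_GROUPS}}`, names are a suggestion), deleting the lines when the variables are unset the way `gitlab_configure_trusted_proxies` does for its placeholder. The saml provider entry continues past the end of the hunk.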
@@ -216,10 +214,11 @@ GITLAB_GRAVATAR_HTTPS_URL=${GITLAB_GRAVATAR_HTTPS_URL:-}
 ## OAUTH
 OAUTH_ENABLED=${OAUTH_ENABLED:-}
 OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-}
-OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-false}
+OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-}
 OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
+OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 4bd5c7d4..82c2f7d9 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -294,6 +294,15 @@ gitlab_configure_relative_url() {
 fi
 }
+gitlab_configure_trusted_proxies() {
+ if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
+ echo "Configuring gitlab::trusted_proxies..."
+ update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
+ else
+ exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_timezone() {
 echo "Configuring gitlab::timezone..."
 update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
@@ -590,7 +599,8 @@ gitlab_configure_oauth() {
 OAUTH_ALLOW_SSO \
 OAUTH_BLOCK_AUTO_CREATED_USERS \
 OAUTH_AUTO_LINK_LDAP_USER \
- OAUTH_AUTO_LINK_SAML_USER
+ OAUTH_AUTO_LINK_SAML_USER \
+ OAUTH_EXTERNAL_PROVIDERS
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
 cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2)
@@ -1108,6 +1118,7 @@ configure_gitlab() {
 gitlab_configure_sidekiq
 gitlab_configure_gitlab_workhorse
 gitlab_configure_relative_url
+ gitlab_configure_trusted_proxies
 gitlab_configure_unicorn
 gitlab_configure_timezone
 gitlab_configure_rack_attack
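Review bot: When `GITLAB_TRUSTED_PROXIES` is unset the else branch of `gitlab_configure_trusted_proxies` deletes only the `- {{GITLAB_TRUSTED_PROXIES}}` item, leaving a bare `trusted_proxies:` key in gitlab.yml whose value is null rather than an empty list; unless GitLab coerces nil here, that is a different setting from what the image produced before this commit, when the key was absent. Deleting the key together with the placeholder restores the old state: `exec_as_git sed -i "/^\s*trusted_proxies:/d; /{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}`. The template holds a single list item (the README says as much), so a comma-separated value should be refused in the `-n` branch rather than substituted verbatim into YAML.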
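Review bot: `OAUTH_EXTERNAL_PROVIDERS`, and since this commit the list-valued `OAUTH_ALLOW_SSO` next to it, go through `update_template` into YAML flow sequences with no validation, whereas the `case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}` just below whitelists provider names; a misspelling or a space-separated value therefore silently produces a provider that never matches, and for `external_providers` that means the intended restriction simply is not applied. Splitting each value on commas and checking every element against the same provider list before the substitution would catch this at startup. The existing case pattern also omits `auth0`, which the README text added in this commit lists as accepted for both variables, so one of the two is out of date. gitlab_configure_oauth starts and ends outside the hunk.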