Merge branch 'feature/ssl-support', closes #54

This commit is contained in:
Sameer Naik 2014-04-29 20:50:59 +05:30
commit 4f65bc2d95
7 changed files with 426 additions and 13 deletions

@ -1,6 +1,12 @@
# Changelog
**latest**
- added SSL support
- added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file.
- added SSL_KEY_PATH configuration option to specify path of ssl key.
- added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate
- added GITLAB_HTTPS_ONLY configuration option to configure strict https only access
- added SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates.
- fix git over ssh when the default http/https ports are not used.
- compile the assets only if it does not exist or if the gitlab version has changed.
- upgrade gitlab-shell to version 1.9.4
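Review bot: the changelog line for GITLAB_HTTPS_ONLY should mention its side effect: setting it to false also removes the secure flag from the Rails session cookie (the session_store.rb sed later in this commit), which is a security-relevant behaviour change that operators behind a load balancer need to know about. GITLAB_HTTPS itself, the master switch that every new SSL_* option depends on, is also missing from the list; add it next to the options it enables.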

@ -26,6 +26,7 @@ ADD authorized_keys /root/.ssh/
EXPOSE 22
EXPOSE 80
EXPOSE 443
VOLUME ["/home/git/data"]

README.md
@ -27,6 +27,13 @@
- [External Redis Server](#external-redis-server)
- [Linking to Redis Container](#linking-to-redis-container)
- [Mail](#mail)
- [SSL](#ssl)
- [Generation of Self Signed Certificates](#generation-of-self-signed-certificates)
- [Strengthening the server security](#strengthening-the-server-security)
- [Installation of the Certificates](#installation-of-the-certificates)
- [Enabling HTTPS support](#enabling-https-support)
- [Using HTTPS with a load balancer](#using-https-with-a-load-balancer)
- [Establishing trust with your server](#establishing-trust-with-your-server)
- [Putting it all together](#putting-it-all-together)
- [Available Configuration Parameters](#available-configuration-parameters)
- [Maintenance](#maintenance)
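Review bot: the TOC entry `[Installation of the Certificates](#installation-of-the-certificates)` does not match the heading added below, which reads `#### Installation of the SSL Certificates` and therefore renders as the anchor `#installation-of-the-ssl-certificates`; make the two agree or the link is dead.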
@ -424,6 +431,107 @@ docker run --name=gitlab -d \
sameersbn/gitlab:latest
```
### SSL
Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.
To secure your application via SSL you basically need two things:
- Private key (.key)
- SSL certificate (.crt)
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are armed with CA certified SSL certificates.
#### Generation of Self Signed Certificates
Generation of self-signed SSL certificates involves a simple 3 step procedure.
**STEP 1**: Create the server private key
```bash
openssl genrsa -out gitlab.key 2048
```
**STEP 2**: Create the certificate signing request (CSR)
```bash
openssl req -new -key gitlab.key -out gitlab.csr
```
**STEP 3**: Sign the certificate using the private key and CSR
```bash
openssl x509 -req -days 365 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
```
Congratulations! you have now generated an SSL certificate thats valid for 365 days.
#### Strengthening the server security
This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters.
```bash
openssl dhparam -out dhparam.pem 2048
```
#### Installation of the SSL Certificates
Out of the four files generated above, we need to install the gitlab.key, gitlab.crt and dhparam.pem files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the gitlab application is configured to look for the SSL certificates is at /home/git/data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options.
If you remember from above, the /home/git/data path is the path of the [data store](#data-store), which means that we have to create a folder named certs inside /opt/gitlab/data/ and copy the files into it and as a measure of security we will update the permission on the gitlab.key file to only be readable by the owner.
```bash
mkdir -p /opt/gitlab/data/certs
cp gitlab.key /opt/gitlab/data/certs/
cp gitlab.crt /opt/gitlab/data/certs/
cp dhparam.pem /opt/gitlab/data/certs/
chmod 400 /opt/gitlab/data/certs/gitlab.key
```
Great! we are now just a step away from having our application secured.
#### Enabling HTTPS support
HTTPS support can be enabled by setting the GITLAB_HTTPS option to true. Additionally, when using self-signed SSL certificates you need to the set SSL_SELF_SIGNED option to true as well. Assuming we are using self-signed certificates
```bash
docker run --name=gitlab -d \
-e "GITLAB_HTTPS=true" -e "SSL_SELF_SIGNED=true" \
-v /opt/gitlab/data:/home/git/data \
sameersbn/gitlab:latest
```
In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.
#### Using HTTPS with a load balancer
Load balancers like haproxy/hipache talk to backend applications over plain http. As such, the above configuration is not sufficient for the application to work with a load balancer.
For this to work, you should set the GITLAB_HTTPS_ONLY option to false so that the gitlab application can process both http as well as https requests. Additionally you should also configure the load balancer to support https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject.
Note that when the GITLAB_HTTPS_ONLY is disabled, the application does not perform the automatic http to https redirection and this functionality has to be configured at the load balancer which is also described in the link above. Unfortunately hipache does not come with an option to perform http to https redirection, so the only choice you really have is to switch to using haproxy.
In summation, the docker command would look something like this:
```bash
docker run --name=gitlab -d \
-e "GITLAB_HTTPS=true" -e "SSL_SELF_SIGNED=true" \
-e "GITLAB_HTTPS_ONLY=false" \
-v /opt/gitlab/data:/home/git/data \
sameersbn/gitlab:latest
```
Again, drop the ```-e "SSL_SELF_SIGNED=true"``` option if you are using CA certified SSL certificates.
#### Establishing trust with your server
This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done.
This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they.
This is simply done by adding the servers certificate into their list of trusted ceritficates. On ubuntu, this is done by appending the contents of the gitlab.crt file to the ```/etc/ssl/certs/ca-certificates.crt``` file.
Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the gitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this:
```bash
git clone https://git.local.host/gitlab-ce.git
fatal: unable to access 'https://git.local.host/gitlab-ce.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```
You can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog.
There you have it, thats all there is to it.
### Putting it all together
```bash
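Review bot: the client-side trust instructions under "Establishing trust with your server" are fragile: appending gitlab.crt to /etc/ssl/certs/ca-certificates.crt is undone the next time update-ca-certificates regenerates that file, so on Ubuntu the certificate should be placed in /usr/local/share/ca-certificates/gitlab.crt and `update-ca-certificates` run. Trust alone is also not sufficient, because git and browsers still require the certificate name to match the host; STEP 2 should tell the reader to use the server's FQDN (git.local.host in the clone example) as the Common Name, e.g. `openssl req -new -key gitlab.key -out gitlab.csr -subj "/CN=git.local.host"`, otherwise the clone fails with a name mismatch even after the certificate is trusted. Finally, the load balancer section should state that GITLAB_HTTPS_ONLY=false also makes the session cookie non-secure (see the session_store.rb change in this commit), so port 80 of the container must then be reachable only from the load balancer.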
@ -460,6 +568,12 @@ Below is the complete list of available options that can be used to customize yo
- **GITLAB_BACKUPS**: Setup cron job to automatic backups. Possible values disable, daily or monthly. Disabled by default
- **GITLAB_BACKUP_EXPIRY**: Configure how long to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds).
- **GITLAB_SHELL_SSH_PORT**: The ssh port number. Defaults to 22.
- **GITLAB_HTTPS**: Set to true to enable https support, disabled by default.
- **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true.
- **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default.
- **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt
- **SSL_KEY_PATH**: Location of the ssl key. Defaults to /home/git/data/certs/gitlab.key
- **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to /home/git/data/certs/dhparam.pem
- **REDIS_HOST**: The hostname of the redis server. Defaults to localhost
- **REDIS_PORT**: The connection port of the redis server. Defaults to 6379.
- **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2.
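Review bot: the GITLAB_HTTPS_ONLY description reads backwards: "Configure access over plain http when GITLAB_HTTPS is enabled ... Defaults to true" suggests plain http is enabled by default, whereas true means redirect-only. Suggest: "When true (default), plain-http requests are redirected to https. Set to false to serve both http and https, e.g. behind a load balancer that terminates SSL; this also disables the secure flag on the session cookie." SSL_SELF_SIGNED should likewise say what it does: it sets self_signed_cert in gitlab-shell's config.yml, i.e. disables certificate verification for gitlab-shell's API calls.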
@ -606,3 +720,6 @@ For a complete list of available rake tasks please refer https://github.com/gitl
* https://github.com/gitlabhq/gitlabhq
* https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md
* https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md
* http://wiki.nginx.org/HttpSslModule
* https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
* https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl

@ -9,7 +9,7 @@ http_settings:
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
self_signed_cert: false
self_signed_cert: {{SSL_SELF_SIGNED}}
# Repositories path
# Give the canonicalized absolute pathname,
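Review bot: `self_signed_cert: {{SSL_SELF_SIGNED}}` turns off certificate verification for every gitlab-shell API call whenever SSL_SELF_SIGNED=true. Because the init script points gitlab_net.rb at https://localhost in that mode the exposure is limited to the loopback hop, but the `ca_file` option shown commented out two lines above is the stronger fix: template `ca_file: {{SSL_CERTIFICATE_PATH}}` and keep verification on (which requires the self-signed certificate's name to cover the host gitlab-shell actually connects to).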

@ -0,0 +1,134 @@
# GITLAB
# Maintainer: @randx
# CHUNKED TRANSFER
# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
# - installing an old version of Nginx with the chunkin module [2] compiled in, or
# - using a newer version of Nginx.
#
# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
# users can use Git over SSH to push large files.
#
# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
# [1] https://github.com/agentzh/chunkin-nginx-module#status
# [2] https://github.com/agentzh/chunkin-nginx-module
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
server {
listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
server_name {{YOUR_SERVER_FQDN}}; # e.g., server_name source.example.com;
server_tokens off; # don't show the version number, a security best practice
root /home/git/gitlab/public;
# Increase this if you want to upload large attachments
# Or if you want to accept large git objects over http
client_max_body_size 20m;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
# serve static files from defined root folder;.
# @gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html @gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location @gitlab {
# If you use https make sure you disable gzip compression
# to be safe against BREACH attack
# gzip off;
proxy_read_timeout 300; # Some requests take more than 30 seconds.
proxy_connect_timeout 300; # Some requests take more than 30 seconds.
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://gitlab;
}
# Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
location ~ ^/(assets)/ {
root /home/git/gitlab/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}
error_page 502 /502.html;
}
server {
listen *:443 default_server ssl;
server_name {{YOUR_SERVER_FQDN}};
server_tokens off;
root /home/git/gitlab/public;
ssl on;
ssl_certificate {{SSL_CERTIFICATE_PATH}};
ssl_certificate_key {{SSL_KEY_PATH}};
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_dhparam {{SSL_DHPARAM_PATH}};
# Increase this if you want to upload large attachments
# Or if you want to accept large git objects over http
client_max_body_size 20m;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
# serve static files from defined root folder;.
# @gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html @gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location @gitlab {
# If you use https make sure you disable gzip compression
# to be safe against BREACH attack
# gzip off;
proxy_read_timeout 300; # Some requests take more than 30 seconds.
proxy_connect_timeout 300; # Some requests take more than 30 seconds.
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://gitlab;
}
# Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
location ~ ^/(assets)/ {
root /home/git/gitlab/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}
error_page 502 /502.html;
}
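Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.2;` should not enable SSLv3, and it omits TLSv1.1 for no stated reason; the raymii guide cited in the comment above `ssl_dhparam` recommends `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. In the same server block the BREACH comment says to disable gzip for https but `gzip off;` is left commented out, and `ssl_session_cache builtin:1000 shared:SSL:10m;` combines the builtin cache with the shared one, which the nginx documentation notes can cause memory fragmentation and is less efficient than `shared:SSL:10m` alone. The cipher list also still admits 3DES (DES-CBC3-SHA); acceptable as a last resort for old clients, but worth a comment.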

@ -0,0 +1,91 @@
# GITLAB
# Maintainer: @randx
# CHUNKED TRANSFER
# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
# - installing an old version of Nginx with the chunkin module [2] compiled in, or
# - using a newer version of Nginx.
#
# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
# users can use Git over SSH to push large files.
#
# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
# [1] https://github.com/agentzh/chunkin-nginx-module#status
# [2] https://github.com/agentzh/chunkin-nginx-module
upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
server {
listen *:80 default_server;
server_name _;
server_tokens off;
rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent;
}
server {
listen *:443 default_server ssl;
server_name {{YOUR_SERVER_FQDN}};
server_tokens off;
root /home/git/gitlab/public;
ssl on;
ssl_certificate {{SSL_CERTIFICATE_PATH}};
ssl_certificate_key {{SSL_KEY_PATH}};
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_dhparam {{SSL_DHPARAM_PATH}};
# Increase this if you want to upload large attachments
# Or if you want to accept large git objects over http
client_max_body_size 20m;
# individual nginx logs for this gitlab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
# serve static files from defined root folder;.
# @gitlab is a named location for the upstream fallback, see below
try_files $uri $uri/index.html $uri.html @gitlab;
}
# if a file, which is not found in the root folder is requested,
# then the proxy pass the request to the upsteam (gitlab unicorn)
location @gitlab {
# If you use https make sure you disable gzip compression
# to be safe against BREACH attack
# gzip off;
proxy_read_timeout 300; # Some requests take more than 30 seconds.
proxy_connect_timeout 300; # Some requests take more than 30 seconds.
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://gitlab;
}
# Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
location ~ ^/(assets)/ {
root /home/git/gitlab/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}
error_page 502 /502.html;
}
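Review bot: the redirect `rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent;` emits the colon unconditionally, and the init script substitutes {{GITLAB_PORT}} with an empty string by default, so the Location header becomes `https://host:/path`; template the port the way the init script already does for GITLAB_URL (`${GITLAB_PORT:+:$GITLAB_PORT}`), or use `return 301 https://$host$request_uri;` when no port is set. Since this vhost never serves the application over plain http, the 443 block is also the natural place for `add_header Strict-Transport-Security "max-age=31536000";`. The 443 block here also lists SSLv3 in ssl_protocols and skips TLSv1.1; use `TLSv1 TLSv1.1 TLSv1.2`.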

@ -4,12 +4,18 @@ set -e
GITLAB_HOST=${GITLAB_HOST:-localhost}
GITLAB_PORT=${GITLAB_PORT:-}
GITLAB_HTTPS=${GITLAB_HTTPS:-false}
GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true}
GITLAB_EMAIL=${GITLAB_EMAIL:-gitlab@localhost}
GITLAB_SUPPORT=${GITLAB_SUPPORT:-support@localhost}
GITLAB_SIGNUP=${GITLAB_SIGNUP:-false}
GITLAB_SIGNIN=${GITLAB_SIGNIN:-true}
GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10}
SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/home/git/data/certs/gitlab.crt}
SSL_KEY_PATH=${SSL_KEY_PATH:-/home/git/data/certs/gitlab.key}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/home/git/data/certs/dhparam.pem}
GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable}
GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-}
@ -84,6 +90,18 @@ case "${DB_TYPE}" in
*) echo "Unsupported database adapter. Available adapters are mysql and postgres." && exit 1 ;;
esac
if [ "${GITLAB_HTTPS}" == "true" ]; then
# make sure the required files exist
if [ ! -f "${SSL_CERTIFICATE_PATH}" -o ! -f "${SSL_KEY_PATH}" -o ! -f "${SSL_DHPARAM_PATH}" ]; then
echo ""
echo " WARNING: "
echo " Files required for HTTPS support cannot be found"
echo " Disabling https support."
echo ""
GITLAB_HTTPS="false"
fi
fi
case "${GITLAB_HTTPS}" in
true)
GITLAB_URL="https://${GITLAB_HOST}${GITLAB_PORT:+:$GITLAB_PORT}/"
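Review bot: the missing-file check fails open: if any of the certificate, key or dhparam files is absent the script prints a warning and silently starts GitLab over plain http, so a typo in SSL_KEY_PATH or a forgotten volume mount turns an intended HTTPS deployment into an HTTP one that still accepts logins. Exit non-zero instead, as the unsupported-database branch directly above does (`echo "..." && exit 1`), and replace the `-o` inside `[ ]` with separate tests joined by `||` for portability.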
@ -115,7 +133,16 @@ echo User: root Password: $ROOT_PASSWORD
supervisorctl start sshd
# copy configuration templates
cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab
case "${GITLAB_HTTPS}" in
true)
case "${GITLAB_HTTPS_ONLY}" in
true) cp /app/setup/config/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;;
*) cp /app/setup/config/nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;;
esac
;;
*) cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab ;;
esac
sudo -u git -H cp -a /app/setup/config/gitlab-shell/config.yml /home/git/gitlab-shell/config.yml
sudo -u git -H cp /app/setup/config/gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml
sudo -u git -H cp /app/setup/config/gitlabhq/resque.yml /home/git/gitlab/config/resque.yml
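Review bot: the `cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab` on the line before the new `case` is now dead, since every branch of the case copies a template over the same destination; remove it so the vhost selection is made in one place.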
@ -129,7 +156,16 @@ sudo -u git -H cp /app/setup/config/gitlabhq/smtp_settings.rb /home/git/gitlab/c
if [ -d /home/git/data/config ]; then
chown -R git:git /home/git/data/config
cd /home/git/data/config
[ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab
case "${GITLAB_HTTPS}" in
true)
case "${GITLAB_HTTPS_ONLY}" in
true) [ -f nginx/gitlab.https.strict ] && cp nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;;
*) [ -f nginx/gitlab.https.permissive ] && cp nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;;
esac
;;
*) [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab ;;
esac
[ -f gitlab-shell/config.yml ] && sudo -u git -H cp gitlab-shell/config.yml /home/git/gitlab-shell/config.yml
[ -f gitlabhq/gitlab.yml ] && sudo -u git -H cp gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml
[ -f gitlabhq/resque.yml ] && sudo -u git -H cp gitlabhq/resque.yml /home/git/gitlab/config/resque.yml
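Review bot: the same dead copy appears here: `[ -f nginx/gitlab ] && cp nginx/gitlab ...` immediately precedes the case whose `*)` branch repeats it. More importantly, a user-supplied nginx/gitlab.https.strict or nginx/gitlab.https.permissive override is copied before the {{YOUR_SERVER_FQDN}}, {{GITLAB_PORT}} and {{SSL_*_PATH}} substitutions run, so such a file must either keep those placeholders or hard-code the values; that deserves a sentence in the README's configuration section.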
@ -140,7 +176,11 @@ if [ -d /home/git/data/config ]; then
[ -f gitlabhq/smtp_settings.rb ] && sudo -u git -H cp gitlabhq/smtp_settings.rb /home/git/gitlab/config/initializers/smtp_settings.rb
fi
sed 's/{{YOUR_SERVER_FQDN}}/localhost/' -i /etc/nginx/sites-available/gitlab
sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab
sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab
supervisorctl start nginx
# start mysql server if ${DB_HOST} is localhost
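Review bot: the new sed substitutions splice GITLAB_HOST and the three SSL_*_PATH values into the sed script unescaped; a path containing `,` (the delimiter chosen for the path substitutions) or `&` (which sed expands to the matched text) would corrupt the nginx config rather than fail loudly. Either validate the values up front or escape them before substitution.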
@ -199,6 +239,11 @@ sudo -u git -H sed 's/{{GITLAB_BACKUP_EXPIRY}}/'"${GITLAB_BACKUP_EXPIRY}"'/' -i
sudo -u git -H sed 's/{{GITLAB_SHELL_SSH_PORT}}/'"${GITLAB_SHELL_SSH_PORT}"'/' -i /home/git/gitlab/config/gitlab.yml
if [ "${GITLAB_HTTPS}" == "true" -a "${GITLAB_HTTPS_ONLY}" == "false" ]; then
# hack: allow login over plain http when ssl is enabled. required to work with load balancers.
sudo -u git -H sed 's/secure: Gitlab.config.gitlab.https/secure: false/' -i /home/git/gitlab/config/initializers/session_store.rb
fi
# configure gitlab signup configuration
sudo -u git -H sed 's/{{GITLAB_SIGNUP}}/'"${GITLAB_SIGNUP}"'/' -i /home/git/gitlab/config/gitlab.yml
sudo -u git -H sed 's/{{GITLAB_SIGNIN}}/'"${GITLAB_SIGNIN}"'/' -i /home/git/gitlab/config/gitlab.yml
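Review bot: the `secure: false` hack strips the Secure attribute from the session cookie for the whole deployment whenever GITLAB_HTTPS_ONLY=false, so browsers will send it over any plain-http path to the server, not just the load balancer's internal hop. Rails refuses to write a secure cookie only when it does not consider the request SSL, and request.ssl? honours X-Forwarded-Proto; the root cause is that the :80 vhost in gitlab.https.permissive sets `proxy_set_header X-Forwarded-Proto $scheme;`, overwriting the `https` value the load balancer sends. Forward the load balancer's header on that vhost instead (`proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`) and this sed, together with the weakened cookie it introduces, can be dropped.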
@ -235,13 +280,39 @@ sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab/con
# configure gitlab-shell
sudo -u git -H sed 's,{{GITLAB_URL}},'"${GITLAB_URL}"',' -i /home/git/gitlab-shell/config.yml
sudo -u git -H sed 's/{{SSL_SELF_SIGNED}}/'"${SSL_SELF_SIGNED}"'/' -i /home/git/gitlab-shell/config.yml
sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/' -i /home/git/gitlab-shell/config.yml
sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab-shell/config.yml
# hack: make git over ssh work when the default http/https ports are not used.
case "${GITLAB_HTTPS}" in
true) sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb ;;
*) sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb ;;
true)
case "${GITLAB_HTTPS_ONLY}" in
true)
case "${SSL_SELF_SIGNED}" in
true)
# we are using self signed certificates, talk to gitlab over https on localhost
# this will make sure the api access works when the default https port is not used.
sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb
;;
*)
# signed https certificates are in use, talk to gitlab using the default gitlab_url.
# hence we are not editing anything here, just using the default.
# ps. when using signed ssl certificates, you **MUST** use the default https port.
;;
esac
;;
*)
# we are not using https only mode, talk to gitlab over plain http on localhost
# using http when available will keep things fast.
sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb
;;
esac
;;
*)
# ssl is not being used, talk to gitlab over plain http
sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb
;;
esac
# configure unicorn workers
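Review bot: the CA-signed, https-only branch (the `*)` under `SSL_SELF_SIGNED`) leaves gitlab-shell calling the public GITLAB_URL, and its comment admits this only works on the default https port; that restriction appears nowhere in the README and contradicts the changelog's "fix git over ssh when the default http/https ports are not used". A loopback-only plain-http server block in gitlab.https.strict (e.g. `listen 127.0.0.1:80;` proxying to the gitlab upstream, with the redirect kept on the public listener) would let every branch use http://localhost, removing both the port restriction and the reason to disable certificate verification for self-signed setups. Minor: each sed passes `-i` twice (`sed -i '...' -i file`), and patching gitlab_net.rb in place will silently stop matching after a gitlab-shell upgrade, so check that the sed actually changed something.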
@ -362,13 +433,6 @@ EOF
esac
crontab -u git /tmp/cron.git && rm -rf /tmp/cron.git
# kickstart the rails application
if [ "${GITLAB_HTTPS}" == "true" ]; then
wget --no-check-certificate "https://${GITLAB_HOST}" -O /dev/null
else
wget "http://${GITLAB_HOST}" -O /dev/null
fi
# watch the access logs
tail -F /var/log/nginx/gitlab_access.log
}
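Review bot: the removal of the kickstart request (the `wget --no-check-certificate` block) is not mentioned in the changelog; dropping `--no-check-certificate` is the right call, but the commit should say whether the warm-up was dropped deliberately or still needs a replacement that verifies the certificate.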