From 91238240731ce343cf277dfe35edd9e361010fca Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Fri, 29 Aug 2014 12:39:59 +0530 Subject: [PATCH 01/10] install the gitlab vhost to /etc/nginx/sites-enabled/ --- assets/init | 38 +++++++++++++++++++------------------- assets/setup/install | 3 +-- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/assets/init b/assets/init index 9d7f849f..1dd1e235 100755 --- a/assets/init +++ b/assets/init @@ -173,16 +173,16 @@ case "${GITLAB_HTTPS}" in true) if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then case "${GITLAB_HTTPS_ONLY}" in - true) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; - *) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;; + true) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;; + *) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;; esac else echo "SSL keys and certificates were not found." echo "Assuming that the container is running behind a HTTPS enabled load balancer." - cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-available/gitlab + cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab fi ;; - *) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-available/gitlab ;; + *) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab ;; esac sudo -u git -H cp ${SYSCONF_TEMPLATES_DIR}/gitlab-shell/config.yml ${GITLAB_SHELL_INSTALL_DIR}/config.yml 
@@ -199,11 +199,11 @@ sudo -u git -H cp ${SYSCONF_TEMPLATES_DIR}/gitlabhq/smtp_settings.rb config/ini case "${GITLAB_HTTPS}" in true) case "${GITLAB_HTTPS_ONLY}" in - true) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; - *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;; + true) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;; + *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;; esac ;; - *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-available/gitlab ;; + *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab ;; esac [ -f ${USERCONF_TEMPLATES_DIR}/gitlab-shell/config.yml ] && sudo -u git -H cp ${USERCONF_TEMPLATES_DIR}/gitlab-shell/config.yml ${GITLAB_SHELL_INSTALL_DIR}/config.yml [ -f ${USERCONF_TEMPLATES_DIR}/gitlabhq/gitlab.yml ] && sudo -u git -H cp ${USERCONF_TEMPLATES_DIR}/gitlabhq/gitlab.yml config/gitlab.yml 
@@ -476,26 +476,26 @@ sudo -u git -H sed 's/{{OAUTH_ALLOW_SSO}}/'"${OAUTH_ALLOW_SSO}"'/' -i config/git sudo -u git -H sed 's/{{OAUTH_BLOCK_AUTO_CREATED_USERS}}/'"${OAUTH_BLOCK_AUTO_CREATED_USERS}"'/' -i config/gitlab.yml # configure nginx vhost -sed 's,{{GITLAB_INSTALL_DIR}},'"${GITLAB_INSTALL_DIR}"',g' -i /etc/nginx/sites-available/gitlab -sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab -sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab -sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab -sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab -sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab -sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-available/gitlab +sed 's,{{GITLAB_INSTALL_DIR}},'"${GITLAB_INSTALL_DIR}"',g' -i /etc/nginx/sites-enabled/gitlab +sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-enabled/gitlab +sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-enabled/gitlab +sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-enabled/gitlab +sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-enabled/gitlab +sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-enabled/gitlab +sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-enabled/gitlab # configure relative_url_root if [ -n "${GITLAB_RELATIVE_URL_ROOT}" ]; then - sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',g' -i /etc/nginx/sites-available/gitlab - sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},'"${GITLAB_RELATIVE_URL_ROOT}/"',g' -i /etc/nginx/sites-available/gitlab - sed 's,# alias '"${GITLAB_INSTALL_DIR}"'/public,alias '"${GITLAB_INSTALL_DIR}"'/public,g' -i /etc/nginx/sites-available/gitlab + sed 
's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',g' -i /etc/nginx/sites-enabled/gitlab + sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},'"${GITLAB_RELATIVE_URL_ROOT}/"',g' -i /etc/nginx/sites-enabled/gitlab + sed 's,# alias '"${GITLAB_INSTALL_DIR}"'/public,alias '"${GITLAB_INSTALL_DIR}"'/public,g' -i /etc/nginx/sites-enabled/gitlab sudo -u git -H sed 's,# config.relative_url_root = "/gitlab",config.relative_url_root = "'${GITLAB_RELATIVE_URL_ROOT}'",' -i config/application.rb sudo -u git -H sed 's,# relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}},relative_url_root: '${GITLAB_RELATIVE_URL_ROOT}',' -i config/gitlab.yml sudo -u git -H sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i config/unicorn.rb else - sed 's,{{GITLAB_RELATIVE_URL_ROOT}},/,g' -i /etc/nginx/sites-available/gitlab - sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},/,g' -i /etc/nginx/sites-available/gitlab + sed 's,{{GITLAB_RELATIVE_URL_ROOT}},/,g' -i /etc/nginx/sites-enabled/gitlab + sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},/,g' -i /etc/nginx/sites-enabled/gitlab sudo -u git -H sed '/{{GITLAB_RELATIVE_URL_ROOT}}/d' -i config/unicorn.rb fi diff --git a/assets/setup/install b/assets/setup/install index 0e13ff4e..d1781acd 100755 --- a/assets/setup/install +++ b/assets/setup/install @@ -41,7 +41,7 @@ sudo -u git -H git clone -b v${GITLAB_VERSION} --depth 1 \ cd ${GITLAB_INSTALL_DIR} # copy default configurations -cp lib/support/nginx/gitlab /etc/nginx/sites-available/gitlab +cp lib/support/nginx/gitlab /etc/nginx/sites-enabled/gitlab sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml sudo -u git -H cp config/resque.yml.example config/resque.yml sudo -u git -H cp config/database.yml.mysql config/database.yml 
@@ -87,7 +87,6 @@ cp lib/support/logrotate/gitlab /etc/logrotate.d/gitlab # disable default nginx configuration and enable gitlab's nginx configuration rm -f /etc/nginx/sites-enabled/default -ln -s /etc/nginx/sites-available/gitlab /etc/nginx/sites-enabled/gitlab # silence setlocale message (#93) cat > /etc/default/locale < Date: Fri, 29 Aug 2014 13:02:24 +0530 Subject: [PATCH 02/10] gitlab-shell: talk directly to unicorn worker, instead of going through nginx --- Changelog.md | 3 +++ assets/config/gitlab-shell/config.yml | 2 +- assets/init | 4 +--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index 878c290e..f8b1e782 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,8 @@ # Changelog +**latest** +- optimization: talk directly to the unicorn worker from gitlab-shell + **7.2.1** - upgrade to gitlab-ce 7.2.1 - added new SMTP_ENABLED configuration option. diff --git a/assets/config/gitlab-shell/config.yml b/assets/config/gitlab-shell/config.yml index 604d88a3..30003171 100644 --- a/assets/config/gitlab-shell/config.yml +++ b/assets/config/gitlab-shell/config.yml @@ -2,7 +2,7 @@ user: git # Url to gitlab instance. Used for api calls. Should end with a slash. -gitlab_url: "{{GITLAB_URL}}" +gitlab_url: "http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}/" http_settings: # user: someone diff --git a/assets/init b/assets/init index 1dd1e235..ff9583f7 100755 --- a/assets/init +++ b/assets/init @@ -131,11 +131,9 @@ esac case "${GITLAB_HTTPS}" in true) - GITLAB_URL="https://${GITLAB_HOST}${GITLAB_PORT:+:$GITLAB_PORT}${GITLAB_RELATIVE_URL_ROOT}/" GITLAB_PORT=${GITLAB_PORT:-443} ;; *) - GITLAB_URL="http://${GITLAB_HOST}${GITLAB_PORT:+:$GITLAB_PORT}${GITLAB_RELATIVE_URL_ROOT}/" GITLAB_PORT=${GITLAB_PORT:-80} ;; esac 
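Review bot: The new `gitlab_url` in `assets/config/gitlab-shell/config.yml` hard-codes `localhost:8080`, which has to match a unicorn listener that is configured elsewhere and is not visible in this hunk. If unicorn binds only to IPv4 loopback, as the commented `# server 127.0.0.1:8080;` line in the nginx templates suggests, a resolver that returns `::1` first for `localhost` would make gitlab-shell's API calls fail; `gitlab_url: "http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}/"` avoids that. Because the call now bypasses nginx, a comment above the key would help, for example `# internal API: plain HTTP straight to unicorn on loopback; port must match the listen address in config/unicorn.rb`. Unicorn should stay bound to loopback so the internal API is not reachable from outside the container.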
@@ -328,7 +326,7 @@ sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/g' -i config/resque.yml sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/g' -i config/resque.yml # configure gitlab-shell -sudo -u git -H sed 's,{{GITLAB_URL}},'"${GITLAB_URL}"',' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml +sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml sudo -u git -H sed 's,{{GITLAB_DATA_DIR}},'"${GITLAB_DATA_DIR}"',g' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml sudo -u git -H sed 's/{{SSL_SELF_SIGNED}}/'"${SSL_SELF_SIGNED}"'/' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml From ba648a012b113e82363d9ea2ff62b2b8b179a03e Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Fri, 29 Aug 2014 14:33:34 +0530 Subject: [PATCH 03/10] fix logic for copying user configurations --- assets/init | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/assets/init b/assets/init index ff9583f7..7c99c5e6 100755 --- a/assets/init +++ b/assets/init 
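Review bot: The rewritten `sed` for `{{GITLAB_RELATIVE_URL_ROOT}}` under `# configure gitlab-shell` drops the `sudo -u git -H` prefix that every neighbouring edit of `${GITLAB_SHELL_INSTALL_DIR}/config.yml` keeps, so this one in-place edit runs as the invoking user (presumably root). `sed -i` replaces the file with a rewritten copy, so depending on the sed build the file gitlab-shell reads may end up with a different owner or mode than the following lines expect. Unless the change is deliberate, keep the edit unprivileged: `sudo -u git -H sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i "${GITLAB_SHELL_INSTALL_DIR}/config.yml"`.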
@@ -196,10 +196,14 @@ sudo -u git -H cp ${SYSCONF_TEMPLATES_DIR}/gitlabhq/smtp_settings.rb config/ini # override default configuration templates with user templates case "${GITLAB_HTTPS}" in true) - case "${GITLAB_HTTPS_ONLY}" in - true) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;; - *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;; - esac + if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then + case "${GITLAB_HTTPS_ONLY}" in + true) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;; + *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;; + esac + else + [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab + fi ;; *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab ;; esac From bab3ab1a7b90f627dee6310f95ec0ffaad5fff73 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Fri, 29 Aug 2014 14:37:22 +0530 Subject: [PATCH 04/10] removed the hack to make git over ssh since commit 4966ffd2045a8405cd06365f6a2b24bbfc570958 the hack to make git over ssh work when the default http/https ports are not used is not required. --- assets/init | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/assets/init b/assets/init index 7c99c5e6..7e6481f5 100755 --- a/assets/init +++ b/assets/init 
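Review bot: In the new `if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]` test, a missing dhparam file alone sends the script to the `else` branch, which installs the plain-HTTP `nginx/gitlab` user template even though `GITLAB_HTTPS` is `true` and a certificate and key are present. This block prints nothing, so the operator gets a cleartext listener and a silently ignored HTTPS user template. Report which file is missing before falling back, e.g. `for f in "${SSL_CERTIFICATE_PATH}" "${SSL_KEY_PATH}" "${SSL_DHPARAM_PATH}"; do [ -f "$f" ] || echo "missing: $f" >&2; done`. The same three-file test is repeated in the system-template block at `@@ -173`, so computing it once into a variable would keep the two in step.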
@@ -272,7 +272,7 @@ sudo -u git -H git config --global user.name "GitLab" sudo -u git -H git config --global user.email "${GITLAB_EMAIL}" sudo -u git -H git config --global core.autocrlf input -# configure server url +# configure gitlab sudo -u git -H sed 's/{{GITLAB_HOST}}/'"${GITLAB_HOST}"'/' -i config/gitlab.yml sudo -u git -H sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i config/gitlab.yml sudo -u git -H sed 's/{{GITLAB_HTTPS}}/'"${GITLAB_HTTPS}"'/' -i config/gitlab.yml 
@@ -336,37 +336,6 @@ sudo -u git -H sed 's/{{SSL_SELF_SIGNED}}/'"${SSL_SELF_SIGNED}"'/' -i ${GITLAB_S sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i ${GITLAB_SHELL_INSTALL_DIR}/config.yml -# hack: make git over ssh work when the default http/https ports are not used. -case "${GITLAB_HTTPS}" in - true) - case "${GITLAB_HTTPS_ONLY}" in - true) - case "${SSL_SELF_SIGNED}" in - true) - # we are using self signed certificates, talk to gitlab over https on localhost - # this will make sure the api access works when the default https port is not used. - sudo -u git -H sed 's,#{config.gitlab_url}/api/v3/internal,https://localhost'${GITLAB_RELATIVE_URL_ROOT}'/api/v3/internal,' -i ${GITLAB_SHELL_INSTALL_DIR}/lib/gitlab_net.rb - ;; - *) - # signed https certificates are in use, talk to gitlab using the default gitlab_url. - # hence we are not editing anything here, just using the default. - # ps. when using signed ssl certificates, you **MUST** use the default https port. - ;; - esac - ;; - *) - # we are not using https only mode, talk to gitlab over plain http on localhost - # using http when available will keep things fast. - sudo -u git -H sed 's,#{config.gitlab_url}/api/v3/internal,http://localhost'${GITLAB_RELATIVE_URL_ROOT}'/api/v3/internal,' -i ${GITLAB_SHELL_INSTALL_DIR}/lib/gitlab_net.rb - ;; - esac - ;; - *) - # ssl is not being used, talk to gitlab over plain http - sudo -u git -H sed 's,#{config.gitlab_url}/api/v3/internal,http://localhost'${GITLAB_RELATIVE_URL_ROOT}'/api/v3/internal,' -i ${GITLAB_SHELL_INSTALL_DIR}/lib/gitlab_net.rb - ;; -esac - # configure unicorn workers sudo -u git -H sed 's,{{GITLAB_INSTALL_DIR}},'"${GITLAB_INSTALL_DIR}"',g' -i config/unicorn.rb sudo -u git -H sed 's/{{UNICORN_WORKERS}}/'"${UNICORN_WORKERS}"'/' -i config/unicorn.rb From 96c964ed0d5eb91d91067d64b0f3a6c1da9fe130 Mon Sep 17 00:00:00 2001 
From: Sameer Naik Date: Fri, 29 Aug 2014 22:00:26 +0530 Subject: [PATCH 05/10] added NGINX_X_FORWARDED_PROTO configuration option --- Changelog.md | 1 + README.md | 1 + assets/config/nginx/gitlab | 2 +- assets/config/nginx/gitlab.https.permissive | 4 ++-- assets/config/nginx/gitlab.https.strict | 2 +- assets/init | 3 +++ 6 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index f8b1e782..e9a4ed14 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- added NGINX_X_FORWARDED_PROTO configuration option - optimization: talk directly to the unicorn worker from gitlab-shell **7.2.1** diff --git a/README.md b/README.md index 6a409cc0..d4fe0728 100644 --- a/README.md +++ b/README.md @@ -753,6 +753,7 @@ Below is the complete list of available options that can be used to customize yo - **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` - **CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. - **NGINX_MAX_UPLOAD_SIZE**: Maximum acceptable upload size. Defaults to `20m`. +- **NGINX_X_FORWARDED_PROTO**: Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. - **REDIS_HOST**: The hostname of the redis server. Defaults to `localhost` - **REDIS_PORT**: The connection port of the redis server. Defaults to `6379`. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to `2`. diff --git a/assets/config/nginx/gitlab b/assets/config/nginx/gitlab index 90f22c92..71ed9e90 100644 --- a/assets/config/nginx/gitlab +++ b/assets/config/nginx/gitlab 
@@ -51,7 +51,7 @@ server { proxy_connect_timeout 300; # Some requests take more than 30 seconds. proxy_redirect off; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index f54de154..1cbcec7c 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -91,7 +91,7 @@ server { proxy_connect_timeout 300; # Some requests take more than 30 seconds. proxy_redirect off; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -183,7 +183,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index f83057f2..887b3a9c 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict @@ -143,7 +143,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; diff --git a/assets/init b/assets/init index 7e6481f5..afdf4353 100755 --- a/assets/init +++ b/assets/init 
@@ -132,9 +132,11 @@ esac case "${GITLAB_HTTPS}" in true) GITLAB_PORT=${GITLAB_PORT:-443} + NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;; *) GITLAB_PORT=${GITLAB_PORT:-80} + NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;; esac @@ -454,6 +456,7 @@ sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/site sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-enabled/gitlab sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-enabled/gitlab sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-enabled/gitlab +sed 's/{{NGINX_X_FORWARDED_PROTO}}/'"${NGINX_X_FORWARDED_PROTO}"'/' -i /etc/nginx/sites-enabled/gitlab # configure relative_url_root if [ -n "${GITLAB_RELATIVE_URL_ROOT}" ]; then From 0825f75e446894d02cafac1860a832fe652c7508 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Fri, 29 Aug 2014 23:00:07 +0530 Subject: [PATCH 06/10] removed hack to disable secure sessions store when using a load balancer with ssl. since commit 0c09fc846b29e2d07c5fcce6d551c631d63ab710 the hack to allow login over plain http when ssl is enabled is no longer required since the "proxy_set_header X-Forwarded-Proto" configuration is set to https. --- assets/init | 5 ----- 1 file changed, 5 deletions(-) diff --git a/assets/init b/assets/init index afdf4353..ffaba85a 100755 --- a/assets/init +++ b/assets/init 
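Review bot: Defaulting `NGINX_X_FORWARDED_PROTO` to `https` in the `true)` arm also applies when the plain-HTTP `nginx/gitlab` vhost is installed because no certificates were found, so every request reaching port 80 is reported to the application as having arrived over TLS. That is correct only if the container port is reachable solely from the TLS-terminating load balancer; a client connecting directly over cleartext would be treated as secure. A comment on the assignment would record the assumption, for example `# asserts TLS was terminated upstream; expose port 80 only to the load balancer`, and the README entry added in this commit could state the same.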
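Review bot: The added `sed 's/{{NGINX_X_FORWARDED_PROTO}}/'"${NGINX_X_FORWARDED_PROTO}"'/'` at `@@ -454` writes an environment value into the nginx vhost without any check. With `/` as the delimiter, a value containing `/` or `&` changes the sed expression, and a value containing `;` or whitespace would add directives to the generated config. Only a protocol name or a single nginx variable makes sense here, so, assuming the script runs under bash, a guard before the substitution is cheap: `[[ "${NGINX_X_FORWARDED_PROTO}" =~ ^(https?|\$[a-z_]+)$ ]] || { echo "invalid NGINX_X_FORWARDED_PROTO" >&2; exit 1; }`.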
@@ -284,11 +284,6 @@ sudo -u git -H sed 's/{{GITLAB_MAX_SIZE}}/'"${GITLAB_MAX_SIZE}"'/' -i config/git sudo -u git -H sed 's/{{GITLAB_SSH_PORT}}/'"${GITLAB_SSH_PORT}"'/' -i config/gitlab.yml -if [ "${GITLAB_HTTPS}" == "true" -a "${GITLAB_HTTPS_ONLY}" == "false" ]; then - # hack: allow login over plain http when ssl is enabled. required to work with load balancers. - sudo -u git -H sed 's/secure: Gitlab.config.gitlab.https/secure: false/' -i config/initializers/session_store.rb -fi - # configure gitlab signup configuration sudo -u git -H sed 's,{{GITLAB_DATA_DIR}},'"${GITLAB_DATA_DIR}"',g' -i config/gitlab.yml sudo -u git -H sed 's,{{GITLAB_SHELL_INSTALL_DIR}},'"${GITLAB_SHELL_INSTALL_DIR}"',g' -i config/gitlab.yml From 2dc5a6159848c5150c0d03fd73b535501e8f0db1 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Fri, 29 Aug 2014 23:06:19 +0530 Subject: [PATCH 07/10] removed the gitlab.https.permission configuration template --- Changelog.md | 1 + README.md | 8 +- assets/config/nginx/gitlab.https.permissive | 205 -------------------- assets/init | 11 +- 4 files changed, 6 insertions(+), 219 deletions(-) delete mode 100644 assets/config/nginx/gitlab.https.permissive diff --git a/Changelog.md b/Changelog.md index e9a4ed14..bb4afaeb 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- removed the GITLAB_HTTPS_ONLY configuration option - added NGINX_X_FORWARDED_PROTO configuration option - optimization: talk directly to the unicorn worker from gitlab-shell diff --git a/README.md b/README.md index d4fe0728..37263642 100644 --- a/README.md +++ b/README.md 
@@ -587,9 +587,9 @@ In this configuration, any requests made over the plain http protocol will autom #### Using HTTPS with a load balancer -Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates in the container are not required. The SSL configuration has to instead be done at the load balancer. +Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. -Hoewever, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true` and the `GITLAB_HTTPS_ONLY` option to `false`. Additionally you will need to set the `SSL_SELF_SIGNED` option to `true` if self signed SSL certificates are in use. +Hoewever, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally you will need to set the `SSL_SELF_SIGNED` option to `true` if self signed SSL certificates are in use. With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject. @@ -602,8 +602,7 @@ In summation, when using a load balancer, the docker command would look for the ```bash docker run --name=gitlab -d -p 10022:22 -p 10080:80 \ -e 'GITLAB_SSH_PORT=10022' -e 'GITLAB_PORT=443' \ - -e 'GITLAB_HTTPS=true' -e 'GITLAB_HTTPS_ONLY=false' \ - -e 'SSL_SELF_SIGNED=true' \ + -e 'GITLAB_HTTPS=true' -e 'SSL_SELF_SIGNED=true' \ -v /opt/gitlab/data:/home/git/data \ sameersbn/gitlab:7.2.1 ``` 
@@ -746,7 +745,6 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`. - **GITLAB_RELATIVE_URL_ROOT**: The sub URI of the GitLab server, e.g. `/gitlab`. No default. - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default. -- **GITLAB_HTTPS_ONLY**: Configure access over plain http when `GITLAB_HTTPS` is enabled. Should be set to `false` when using a load balancer. Defaults to `true`. - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default. - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` - **SSL_KEY_PATH**: Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive deleted file mode 100644 index 1cbcec7c..00000000 --- a/assets/config/nginx/gitlab.https.permissive +++ /dev/null 
@@ -1,205 +0,0 @@ -## GitLab -## Contributors: randx, yin8086, sashkab, orkoden, axilleas -## -## Modified from nginx http version -## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ -## -## Lines starting with two hashes (##) are comments containing information -## for configuration. One hash (#) comments are actual configuration parameters -## which you can comment/uncomment to your liking. -## -################################### -## SSL configuration ## -################################### -## -## Optimal configuration is taken from: -## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html -## Make sure to read it and understand what each option does. -## -## [Optional] Generate a self-signed ssl certificate: -## mkdir /etc/nginx/ssl/ -## cd /etc/nginx/ssl/ -## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key -## sudo chmod o-r gitlab.key -## -## Edit `gitlab-shell/config.yml`: -## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` -## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` -## 3) Set "self_signed_cert" to `true` -## Edit `gitlab/config/gitlab.yml`: -## 1) Define port for http "port: 443" -## 2) Enable https "https: true" -## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" -## -################################## -## CHUNKED TRANSFER ## -################################## -## -## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] -## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object -## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get -## around this by tweaking this configuration file and either: -## - installing an old version of Nginx with the chunkin module [2] compiled in, or -## - using a newer version of Nginx. 
-## -## At the time of writing we do not know if either of these theoretical solutions works. As a workaround -## users can use Git over SSH to push large files. -## -## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -## [1] https://github.com/agentzh/chunkin-nginx-module#status -## [2] https://github.com/agentzh/chunkin-nginx-module - -upstream gitlab { - - ## Uncomment if you have set up unicorn to listen on a unix socket (recommended). - server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket; - - ## Uncomment if unicorn is configured to listen on a tcp port. - ## Check the port number in {{GITLAB_INSTALL_DIR}}/config/unicorn.rb - # server 127.0.0.1:8080; -} - -server { - listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea - server_name {{YOUR_SERVER_FQDN}}; # e.g., server_name source.example.com; - server_tokens off; # don't show the version number, a security best practice - root {{GITLAB_INSTALL_DIR}}/public; - - # Increase this if you want to upload large attachments - # Or if you want to accept large git objects over http - client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; - - # individual nginx logs for this gitlab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location {{GITLAB_RELATIVE_URL_ROOT}} { - # alias {{GITLAB_INSTALL_DIR}}/public; - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below - try_files $uri $uri/index.html $uri.html @gitlab; - } - - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) - location @gitlab { - # If you use https make sure you disable gzip compression - # to be safe against BREACH attack - # gzip off; - - proxy_read_timeout 300; # Some requests take more than 30 seconds. 
- proxy_connect_timeout 300; # Some requests take more than 30 seconds. - proxy_redirect off; - - proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://gitlab; - } - - # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) { - alias {{GITLAB_INSTALL_DIR}}/public/assets/$1; - gzip_static on; # to serve pre-gzipped version - expires max; - add_header Cache-Control public; - } - - error_page 502 /502.html; -} - -server { - listen 443 ssl spdy; - ## Replace git.example.com with your FQDN. - server_name {{YOUR_SERVER_FQDN}}; - server_tokens off; - root {{GITLAB_INSTALL_DIR}}/public; - - ## Increase this if you want to upload large attachments - ## Or if you want to accept large git objects over http - client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; - - ## Strong SSL Security - ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl on; - ssl_certificate {{SSL_CERTIFICATE_PATH}}; - ssl_certificate_key {{SSL_KEY_PATH}}; - - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache builtin:1000 shared:SSL:10m; - - ## Enable OCSP stapling to reduce the overhead and latency of running SSL. 
- ## Replace with your ssl_trusted_certificate. For more info see: - ## - https://medium.com/devops-programming/4445f4862461 - ## - https://www.ruby-forum.com/topic/4419319 - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; - # resolver_timeout 10s; - - ssl_prefer_server_ciphers on; - ## [Optional] Generate a stronger DHE parameter (recommended): - ## cd /etc/ssl/certs - ## openssl dhparam -out dhparam.pem 2048 - ## - ssl_dhparam {{SSL_DHPARAM_PATH}}; - - add_header Strict-Transport-Security max-age=63072000; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - - ## Individual nginx logs for this GitLab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location {{GITLAB_RELATIVE_URL_ROOT}} { - # alias {{GITLAB_INSTALL_DIR}}/public; - ## Serve static files from defined root folder. - ## @gitlab is a named location for the upstream fallback, see below. - try_files $uri $uri/index.html $uri.html @gitlab; - } - - ## If a file, which is not found in the root folder is requested, - ## then the proxy pass the request to the upsteam (gitlab unicorn). - location @gitlab { - - ## If you use https make sure you disable gzip compression - ## to be safe against BREACH attack. - gzip off; - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. 
- proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; - proxy_set_header X-Frame-Options SAMEORIGIN; - - proxy_pass http://gitlab; - } - - ## Enable gzip compression as per rails guide: - ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - ## WARNING: If you are using relative urls do remove the block below - ## See config/application.rb under "Relative url support" for the list of - ## other files that need to be changed for relative url support - location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) { - alias {{GITLAB_INSTALL_DIR}}/public/assets/$1; - gzip_static on; # to serve pre-gzipped version - expires max; - add_header Cache-Control public; - } - - error_page 502 /502.html; -} diff --git a/assets/init b/assets/init index ffaba85a..41587f23 100755 --- a/assets/init +++ b/assets/init @@ -14,7 +14,6 @@ GITLAB_PORT=${GITLAB_PORT:-} GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compatibility GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-22} GITLAB_HTTPS=${GITLAB_HTTPS:-false} -GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true} GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com} GITLAB_SIGNUP=${GITLAB_SIGNUP:-false} GITLAB_SIGNIN=${GITLAB_SIGNIN:-true} 
@@ -172,10 +171,7 @@ cd ${GITLAB_INSTALL_DIR}
 case "${GITLAB_HTTPS}" in
 true)
 if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then
- case "${GITLAB_HTTPS_ONLY}" in
- true) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;;
- *) cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;;
- esac
+ cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab
 else
 echo "SSL keys and certificates were not found."
 echo "Assuming that the container is running behind a HTTPS enabled load balancer."
@@ -199,10 +195,7 @@ sudo -u git -H cp ${SYSCONF_TEMPLATES_DIR}/gitlabhq/smtp_settings.rb config/ini
 case "${GITLAB_HTTPS}" in
 true)
 if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then
- case "${GITLAB_HTTPS_ONLY}" in
- true) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab ;;
- *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.permissive /etc/nginx/sites-enabled/gitlab ;;
- esac
+ [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab
 else
 [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab
 fi
From 98e5dabaf6c3c61e95055a483985ebe0f04a4c0d Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Fri, 29 Aug 2014 23:09:15 +0530
Subject: [PATCH 08/10] renamed nginx template gitlab.https.strict to gitlab-ssl
---
 assets/config/nginx/{gitlab.https.strict => gitlab-ssl} | 0
 assets/init | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename assets/config/nginx/{gitlab.https.strict => gitlab-ssl} (100%)
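Review bot: The `else` branch kept as context in the first hunk still falls back to the plain `nginx/gitlab` vhost when `GITLAB_HTTPS=true` but one of the three files is missing, and it reports this only through two `echo` lines on stdout; the second hunk's `else` does the same for the user template. With the permissive template gone, a mistyped `SSL_KEY_PATH` means the operator asked for HTTPS and gets the non-SSL vhost, which is easy to miss in container logs. I would write the warning to stderr and say what was missing, e.g. `echo "WARNING: certificate, key or dhparam file missing; installing the plain nginx/gitlab vhost" >&2`, or require an explicit opt-in for the load-balancer case. The new `cp` lines in both hunks also leave the template directory unquoted; `cp "${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict" /etc/nginx/sites-enabled/gitlab` avoids word splitting. The enclosing `case` starts and ends outside both hunks.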
diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab-ssl
similarity index 100%
rename from assets/config/nginx/gitlab.https.strict
rename to assets/config/nginx/gitlab-ssl
diff --git a/assets/init b/assets/init
index 41587f23..90fde333 100755
--- a/assets/init
+++ b/assets/init
@@ -171,7 +171,7 @@ cd ${GITLAB_INSTALL_DIR}
 case "${GITLAB_HTTPS}" in
 true)
 if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then
- cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab
+ cp ${SYSCONF_TEMPLATES_DIR}/nginx/gitlab-ssl /etc/nginx/sites-enabled/gitlab
 else
 echo "SSL keys and certificates were not found."
 echo "Assuming that the container is running behind a HTTPS enabled load balancer."
@@ -195,7 +195,7 @@ sudo -u git -H cp ${SYSCONF_TEMPLATES_DIR}/gitlabhq/smtp_settings.rb config/ini
 case "${GITLAB_HTTPS}" in
 true)
 if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" -a -f "${SSL_DHPARAM_PATH}" ]; then
- [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab.https.strict /etc/nginx/sites-enabled/gitlab
+ [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab-ssl ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab-ssl /etc/nginx/sites-enabled/gitlab
 else
 [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab
 fi
From 06d48d4aa349d8bb681ec7b3a410355611345ceb Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sat, 30 Aug 2014 11:24:44 +0530
Subject: [PATCH 09/10] readme: removed comment about hipache not performing https redirection
---
 README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index 37263642..54711483 100644
--- a/README.md
+++ b/README.md
@@ -595,8 +595,6 @@ With this in place, you should configure the load balancer to support handling o
 When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.
-Unfortunately hipache does not come with an option to perform http to https redirection, so the only choice you really have is to switch to using haproxy or nginx for load balancing.
-
 In summation, when using a load balancer, the docker command would look for the most part something like this:
 ```bash
From b90bad454d885e8ca5a5f72bd5ac4a8fbf47e6ee Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sat, 30 Aug 2014 13:14:42 +0530
Subject: [PATCH 10/10] cleanup init script
---
 assets/init | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/assets/init b/assets/init
index 90fde333..06b73269 100755
--- a/assets/init
+++ b/assets/init
@@ -202,6 +202,7 @@ case "${GITLAB_HTTPS}" in
 ;;
 *) [ -f ${USERCONF_TEMPLATES_DIR}/nginx/gitlab ] && cp ${USERCONF_TEMPLATES_DIR}/nginx/gitlab /etc/nginx/sites-enabled/gitlab ;;
 esac
+
 [ -f ${USERCONF_TEMPLATES_DIR}/gitlab-shell/config.yml ] && sudo -u git -H cp ${USERCONF_TEMPLATES_DIR}/gitlab-shell/config.yml ${GITLAB_SHELL_INSTALL_DIR}/config.yml
 [ -f ${USERCONF_TEMPLATES_DIR}/gitlabhq/gitlab.yml ] && sudo -u git -H cp ${USERCONF_TEMPLATES_DIR}/gitlabhq/gitlab.yml config/gitlab.yml
 [ -f ${USERCONF_TEMPLATES_DIR}/gitlabhq/resque.yml ] && sudo -u git -H cp ${USERCONF_TEMPLATES_DIR}/gitlabhq/resque.yml config/resque.yml
@@ -267,6 +268,10 @@ sudo -u git -H git config --global user.name "GitLab"
 sudo -u git -H git config --global user.email "${GITLAB_EMAIL}"
 sudo -u git -H git config --global core.autocrlf input
+# configure application paths
+sudo -u git -H sed 's,{{GITLAB_DATA_DIR}},'"${GITLAB_DATA_DIR}"',g' -i config/gitlab.yml
+sudo -u git -H sed 's,{{GITLAB_SHELL_INSTALL_DIR}},'"${GITLAB_SHELL_INSTALL_DIR}"',g' -i config/gitlab.yml
+
 # configure gitlab
 sudo -u git -H sed 's/{{GITLAB_HOST}}/'"${GITLAB_HOST}"'/' -i config/gitlab.yml
 sudo -u git -H sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i config/gitlab.yml
@@ -274,12 +279,9 @@ sudo -u git -H sed 's/{{GITLAB_HTTPS}}/'"${GITLAB_HTTPS}"'/' -i config/gitlab.ym
 sudo -u git -H sed 's/{{GITLAB_EMAIL}}/'"${GITLAB_EMAIL}"'/' -i config/gitlab.yml
 sudo -u git -H sed 's/{{GITLAB_BACKUP_EXPIRY}}/'"${GITLAB_BACKUP_EXPIRY}"'/' -i config/gitlab.yml
 sudo -u git -H sed 's/{{GITLAB_MAX_SIZE}}/'"${GITLAB_MAX_SIZE}"'/' -i config/gitlab.yml
-
 sudo -u git -H sed 's/{{GITLAB_SSH_PORT}}/'"${GITLAB_SSH_PORT}"'/' -i config/gitlab.yml
 # configure gitlab signup configuration
-sudo -u git -H sed 's,{{GITLAB_DATA_DIR}},'"${GITLAB_DATA_DIR}"',g' -i config/gitlab.yml
-sudo -u git -H sed 's,{{GITLAB_SHELL_INSTALL_DIR}},'"${GITLAB_SHELL_INSTALL_DIR}"',g' -i config/gitlab.yml
 sudo -u git -H sed 's/{{GITLAB_SIGNUP}}/'"${GITLAB_SIGNUP}"'/' -i config/gitlab.yml
 sudo -u git -H sed 's/{{GITLAB_SIGNIN}}/'"${GITLAB_SIGNIN}"'/' -i config/gitlab.yml
@@ -305,6 +307,7 @@ else
 echo "Invalid database type: '$DB_TYPE'. Supported choices: [mysql, postgres]."
 fi
+# configure database connection
 sudo -u git -H sed 's/{{DB_HOST}}/'"${DB_HOST}"'/' -i config/database.yml
 sudo -u git -H sed 's/{{DB_PORT}}/'"${DB_PORT}"'/' -i config/database.yml
 sudo -u git -H sed 's/{{DB_NAME}}/'"${DB_NAME}"'/' -i config/database.yml
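Review bot: The `{{GITLAB_DATA_DIR}}` and `{{GITLAB_SHELL_INSTALL_DIR}}` substitutions moved in the first hunk, like the `s/…/` lines around them in all three hunks, paste environment values into the sed replacement without escaping. A value containing the delimiter, `&` or a backslash is interpreted by sed instead of being written literally, so a `/` in `GITLAB_EMAIL` or a `,` in a path either aborts the command or writes a different setting than the one supplied. A small helper such as `sed_escape() { printf '%s' "$1" | sed 's|[\\&,/]|\\&|g'; }`, used as `"$(sed_escape "${GITLAB_DATA_DIR}")"` in the replacement, keeps the substitution literal. The helper would have to be defined outside these hunks.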
@@ -438,26 +441,26 @@ sudo -u git -H sed 's/{{OAUTH_BLOCK_AUTO_CREATED_USERS}}/'"${OAUTH_BLOCK_AUTO_CR
 # configure nginx vhost
 sed 's,{{GITLAB_INSTALL_DIR}},'"${GITLAB_INSTALL_DIR}"',g' -i /etc/nginx/sites-enabled/gitlab
-sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-enabled/gitlab
+sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/' -i /etc/nginx/sites-enabled/gitlab
 sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-enabled/gitlab
 sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-enabled/gitlab
 sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-enabled/gitlab
 sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-enabled/gitlab
-sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-enabled/gitlab
+sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/' -i /etc/nginx/sites-enabled/gitlab
 sed 's/{{NGINX_X_FORWARDED_PROTO}}/'"${NGINX_X_FORWARDED_PROTO}"'/' -i /etc/nginx/sites-enabled/gitlab
 # configure relative_url_root
 if [ -n "${GITLAB_RELATIVE_URL_ROOT}" ]; then
- sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',g' -i /etc/nginx/sites-enabled/gitlab
- sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},'"${GITLAB_RELATIVE_URL_ROOT}/"',g' -i /etc/nginx/sites-enabled/gitlab
- sed 's,# alias '"${GITLAB_INSTALL_DIR}"'/public,alias '"${GITLAB_INSTALL_DIR}"'/public,g' -i /etc/nginx/sites-enabled/gitlab
+ sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i /etc/nginx/sites-enabled/gitlab
+ sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},'"${GITLAB_RELATIVE_URL_ROOT}/"',' -i /etc/nginx/sites-enabled/gitlab
+ sed 's,# alias '"${GITLAB_INSTALL_DIR}"'/public,alias '"${GITLAB_INSTALL_DIR}"'/public,' -i /etc/nginx/sites-enabled/gitlab
 sudo -u git -H sed 's,# config.relative_url_root = "/gitlab",config.relative_url_root = "'${GITLAB_RELATIVE_URL_ROOT}'",' -i config/application.rb
 sudo -u git -H sed 's,# relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}},relative_url_root: '${GITLAB_RELATIVE_URL_ROOT}',' -i config/gitlab.yml
 sudo -u git -H sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i config/unicorn.rb
 else
- sed 's,{{GITLAB_RELATIVE_URL_ROOT}},/,g' -i /etc/nginx/sites-enabled/gitlab
- sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},/,g' -i /etc/nginx/sites-enabled/gitlab
+ sed 's,{{GITLAB_RELATIVE_URL_ROOT}},/,' -i /etc/nginx/sites-enabled/gitlab
+ sed 's,{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}},/,' -i /etc/nginx/sites-enabled/gitlab
 sudo -u git -H sed '/{{GITLAB_RELATIVE_URL_ROOT}}/d' -i config/unicorn.rb
 fi
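Review bot: `GITLAB_RELATIVE_URL_ROOT` is written into an nginx `location` (including the regex one), into a double-quoted Ruby string in `config/application.rb` and into `config/gitlab.yml` with no validation, and in the two `sudo -u git -H sed` context lines it is expanded unquoted as `'${GITLAB_RELATIVE_URL_ROOT}'`. A value with whitespace, a quote, a comma or regex metacharacters produces a broken or differently-meaning vhost and application config rather than an error. Since this hunk already touches the surrounding lines, I would reject anything that is not a plain path before the `if`, e.g. `case "${GITLAB_RELATIVE_URL_ROOT}" in *[!A-Za-z0-9/_.-]*) echo "invalid GITLAB_RELATIVE_URL_ROOT" >&2; exit 1 ;; esac`, and quote the two bare expansions as `"${GITLAB_RELATIVE_URL_ROOT}"`. Dropping the `g` flag is only equivalent while each placeholder occurs at most once per template line, which deserves a one-line comment above `# configure nginx vhost`.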