From 9637023441c5bdd00a51fe8ceb3d61c9a5156dd1 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 22 Sep 2014 11:30:00 +0530 Subject: [PATCH] upgrade to gitlab-ce 7.3.0.rc1 --- Changelog.md | 1 + VERSION | 2 +- assets/config/gitlabhq/gitlab.yml | 14 ++-- assets/config/gitlabhq/rack_attack.rb | 12 +++- assets/config/gitlabhq/unicorn.rb | 7 +- assets/config/nginx/gitlab | 97 ++++++++++++++++----------- assets/config/nginx/gitlab-ssl | 96 ++++++++++---------------- assets/setup/install | 2 +- 8 files changed, 122 insertions(+), 109 deletions(-) diff --git a/Changelog.md b/Changelog.md index bf0e149f..2ecc55b9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- upgrade to gitlab-ce 7.3.0.rc1 - upgrade to gitlab-shell 2.0.0 - removed internal redis server - shutdown the container gracefully diff --git a/VERSION b/VERSION index 77f5bec5..f36c3504 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.2.2 +7.3.0.rc1 diff --git a/assets/config/gitlabhq/gitlab.yml b/assets/config/gitlabhq/gitlab.yml index c816a554..567d7dda 100644 --- a/assets/config/gitlabhq/gitlab.yml +++ b/assets/config/gitlabhq/gitlab.yml @@ -3,9 +3,11 @@ # # # # # # # # # # # # # # # # # # # # How to use: -# 1. copy file as gitlab.yml -# 2. Replace gitlab -> host with your domain -# 3. Replace gitlab -> email_from +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# 5. Review this configuration file for other settings you may want to adjust production: &base # @@ -78,6 +80,10 @@ production: &base snippets: false visibility_level: "{{GITLAB_PROJECTS_VISIBILITY}}" # can be "private" | "internal" | "public" + ## Webhook settings + # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) + # webhook_timeout: 10 + ## Repository downloads directory # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. # The default is 'tmp/repositories' relative to the root of the Rails app. @@ -224,7 +230,7 @@ production: &base # CAUTION! # Use the default values unless you really know what you are doing git: - bin_path: "/usr/bin/git" + bin_path: /usr/bin/git # The next value is the maximum memory size grit can use # Given in number of bytes per git object (e.g. a commit) # This value can be increased if you have very large commits diff --git a/assets/config/gitlabhq/rack_attack.rb b/assets/config/gitlabhq/rack_attack.rb index bc3234bf..332865d2 100644 --- a/assets/config/gitlabhq/rack_attack.rb +++ b/assets/config/gitlabhq/rack_attack.rb @@ -8,11 +8,19 @@ paths_to_be_protected = [ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json", "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session", "#{Rails.application.config.relative_url_root}/users", - "#{Rails.application.config.relative_url_root}/users/confirmation" + "#{Rails.application.config.relative_url_root}/users/confirmation", + "#{Rails.application.config.relative_url_root}/unsubscribes/" + ] +# Create one big regular expression that matches strings starting with any of +# the paths_to_be_protected. +paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ }) + unless Rails.env.test? Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req| - req.ip if paths_to_be_protected.include?(req.path) && req.post? + if req.post? && req.path =~ paths_regex + req.ip + end end end diff --git a/assets/config/gitlabhq/unicorn.rb b/assets/config/gitlabhq/unicorn.rb index 7182d6aa..900049cb 100644 --- a/assets/config/gitlabhq/unicorn.rb +++ b/assets/config/gitlabhq/unicorn.rb @@ -28,9 +28,10 @@ worker_processes {{UNICORN_WORKERS}} # "current" directory that Capistrano sets up. working_directory "{{GITLAB_INSTALL_DIR}}" # available in 0.94.0+ -# listen on both a Unix domain socket and a TCP port, -# we use a shorter backlog for quicker failover when busy -listen "{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket", :backlog => 64 +# Listen on both a Unix domain socket and a TCP port. +# If you are load-balancing multiple Unicorn masters, lower the backlog +# setting to e.g. 64 for faster failover. +listen "{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket", :backlog => 1024 listen "127.0.0.1:8080", :tcp_nopush => true # nuke workers after 30 seconds instead of 60 seconds (the default) diff --git a/assets/config/nginx/gitlab b/assets/config/nginx/gitlab index 71ed9e90..a0ce6e50 100644 --- a/assets/config/nginx/gitlab +++ b/assets/config/nginx/gitlab @@ -1,66 +1,85 @@ -# GITLAB -# Maintainer: @randx - -# CHUNKED TRANSFER -# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not -# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) -# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either -# - installing an old version of Nginx with the chunkin module [2] compiled in, or -# - using a newer version of Nginx. -# -# At the time of writing we do not know if either of these theoretical solutions works. As a workaround -# users can use Git over SSH to push large files. -# -# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -# [1] https://github.com/agentzh/chunkin-nginx-module#status -# [2] https://github.com/agentzh/chunkin-nginx-module +## GitLab +## Maintainer: @randx +## +## Lines starting with two hashes (##) are comments with information. +## Lines starting with one hash (#) are configuration parameters that can be uncommented. +## +################################## +## CHUNKED TRANSFER ## +################################## +## +## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] +## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object +## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get +## around this by tweaking this configuration file and either: +## - installing an old version of Nginx with the chunkin module [2] compiled in, or +## - using a newer version of Nginx. +## +## At the time of writing we do not know if either of these theoretical solutions works. +## As a workaround users can use Git over SSH to push large files. +## +## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +## [1] https://github.com/agentzh/chunkin-nginx-module#status +## [2] https://github.com/agentzh/chunkin-nginx-module +## +################################### +## configuration ## +################################### +## upstream gitlab { - server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket; + server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0; } +## Normal HTTP host server { - listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea - server_name {{YOUR_SERVER_FQDN}}; # e.g., server_name source.example.com; - server_tokens off; # don't show the version number, a security best practice + listen *:80 default_server; + server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice root {{GITLAB_INSTALL_DIR}}/public; - - # Increase this if you want to upload large attachments - # Or if you want to accept large git objects over http + + ## Increase this if you want to upload large attachments + ## Or if you want to accept large git objects over http client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; - # individual nginx logs for this gitlab vhost + ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; location {{GITLAB_RELATIVE_URL_ROOT}} { # alias {{GITLAB_INSTALL_DIR}}/public; - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below + ## Serve static files from defined root folder. + ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @gitlab; } - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) + ## If a file, which is not found in the root folder is requested, + ## then the proxy passes the request to the upsteam (gitlab unicorn). location @gitlab { - # If you use https make sure you disable gzip compression - # to be safe against BREACH attack + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. # gzip off; - proxy_read_timeout 300; # Some requests take more than 30 seconds. - proxy_connect_timeout 300; # Some requests take more than 30 seconds. - proxy_redirect off; + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; - proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; + proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } - # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## Enable gzip compression as per rails guide: + ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## WARNING: If you are using relative urls remove the block below + ## See config/application.rb under "Relative url support" for the list of + ## other files that need to be changed for relative url support location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) { alias {{GITLAB_INSTALL_DIR}}/public/assets/$1; gzip_static on; # to serve pre-gzipped version diff --git a/assets/config/nginx/gitlab-ssl b/assets/config/nginx/gitlab-ssl index 95dcd92e..c6e63059 100644 --- a/assets/config/nginx/gitlab-ssl +++ b/assets/config/nginx/gitlab-ssl @@ -3,33 +3,10 @@ ## ## Modified from nginx http version ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ +## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ## -## Lines starting with two hashes (##) are comments containing information -## for configuration. One hash (#) comments are actual configuration parameters -## which you can comment/uncomment to your liking. -## -################################### -## SSL configuration ## -################################### -## -## Optimal configuration is taken from: -## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html -## Make sure to read it and understand what each option does. -## -## [Optional] Generate a self-signed ssl certificate: -## mkdir /etc/nginx/ssl/ -## cd /etc/nginx/ssl/ -## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key -## sudo chmod o-r gitlab.key -## -## Edit `gitlab-shell/config.yml`: -## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` -## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` -## 3) Set "self_signed_cert" to `true` -## Edit `gitlab/config/gitlab.yml`: -## 1) Define port for http "port: 443" -## 2) Enable https "https: true" -## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" +## Lines starting with two hashes (##) are comments with information. +## Lines starting with one hash (#) are configuration parameters that can be uncommented. ## ################################## ## CHUNKED TRANSFER ## @@ -42,39 +19,39 @@ ## - installing an old version of Nginx with the chunkin module [2] compiled in, or ## - using a newer version of Nginx. ## -## At the time of writing we do not know if either of these theoretical solutions works. As a workaround -## users can use Git over SSH to push large files. +## At the time of writing we do not know if either of these theoretical solutions works. +## As a workaround users can use Git over SSH to push large files. ## ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 ## [1] https://github.com/agentzh/chunkin-nginx-module#status ## [2] https://github.com/agentzh/chunkin-nginx-module - +## +## +################################### +## SSL configuration ## +################################### +## +## See installation.md#using-https for additional HTTPS configuration details. upstream gitlab { - - ## Uncomment if you have set up unicorn to listen on a unix socket (recommended). - server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket; - - ## Uncomment if unicorn is configured to listen on a tcp port. - ## Check the port number in {{GITLAB_INSTALL_DIR}}/config/unicorn.rb - # server 127.0.0.1:8080; + server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0; } -## This is a normal HTTP host which redirects all traffic to the HTTPS host. +## Normal HTTP host server { - listen *:80; - ## Replace git.example.com with your FQDN. - server_name _; - server_tokens off; - ## root doesn't have to be a valid path since we are redirecting - root /nowhere; + listen *:80 default_server; + server_name _; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice + + ## Redirects all traffic to the HTTPS host + root /nowhere; ## root doesn't have to be a valid path since we are redirecting rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent; } +## HTTPS host server { listen 443 ssl spdy; - ## Replace git.example.com with your FQDN. - server_name {{YOUR_SERVER_FQDN}}; + server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com server_tokens off; root {{GITLAB_INSTALL_DIR}}/public; @@ -88,32 +65,34 @@ server { ssl_certificate {{SSL_CERTIFICATE_PATH}}; ssl_certificate_key {{SSL_KEY_PATH}}; - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; + ssl_ciphers 'AES256+EECDH:AES256+EDH'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache builtin:1000 shared:SSL:10m; - ## Enable OCSP stapling to reduce the overhead and latency of running SSL. + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}}; + # add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. For more info see: ## - https://medium.com/devops-programming/4445f4862461 ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx # ssl_stapling on; # ssl_stapling_verify on; # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired # resolver_timeout 10s; - ssl_prefer_server_ciphers on; - ## [Optional] Generate a stronger DHE parameter (recommended): + ## [Optional] Generate a stronger DHE parameter: ## cd /etc/ssl/certs - ## openssl dhparam -out dhparam.pem 2048 + ## sudo openssl dhparam -out dhparam.pem 4096 ## ssl_dhparam {{SSL_DHPARAM_PATH}}; - add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}}; - # add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; @@ -126,10 +105,9 @@ server { } ## If a file, which is not found in the root folder is requested, - ## then the proxy pass the request to the upsteam (gitlab unicorn). + ## then the proxy passes the request to the upsteam (gitlab unicorn). location @gitlab { - - ## If you use https make sure you disable gzip compression + ## If you use HTTPS make sure you disable gzip compression ## to be safe against BREACH attack. gzip off; @@ -151,7 +129,7 @@ server { ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - ## WARNING: If you are using relative urls do remove the block below + ## WARNING: If you are using relative urls remove the block below ## See config/application.rb under "Relative url support" for the list of ## other files that need to be changed for relative url support location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) { diff --git a/assets/setup/install b/assets/setup/install index 7455fd44..3ecca76a 100755 --- a/assets/setup/install +++ b/assets/setup/install @@ -1,7 +1,7 @@ #!/bin/bash set -e -GITLAB_VERSION=7.2.2 +GITLAB_VERSION=7.3.0.rc1 GITLAB_SHELL_VERSION=2.0.0 GITLAB_INSTALL_DIR="/home/git/gitlab"