From d389bf1ef3ebb7c2419fa07240cf5fb6ea3c737d Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 22:07:50 +0530 Subject: [PATCH] added gitlab.https nginx template for ssl support --- assets/config/nginx/gitlab.https | 88 ++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 assets/config/nginx/gitlab.https diff --git a/assets/config/nginx/gitlab.https b/assets/config/nginx/gitlab.https new file mode 100644 index 00000000..5c037d6b --- /dev/null +++ b/assets/config/nginx/gitlab.https 
@@ -0,0 +1,88 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+ listen *:80 default_server;
+ server_name {{YOUR_SERVER_FQDN}};
+ server_tokens off;
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
+
+server {
+ listen *:443 default_server ssl;
+ server_name {{YOUR_SERVER_FQDN}};
+ server_tokens off;
+ root /home/git/gitlab/public;
+
+ ssl on;
+ ssl_certificate /home/git/data/certs/gitlab.crt;
+ ssl_certificate_key /home/git/data/certs/gitlab.key;
+ ssl_protocols SSLv3 TLSv1 TLSv1.2;
+
+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+
+ ssl_prefer_server_ciphers on;
+ # ssl_session_cache builtin:1000 shared:SSL:10m;
+ # ssl_dhparam /home/git/data/certs/dhparam.pem;
+
+ # Increase this if you want to upload large attachments
+ # Or if you want to accept large git objects over http
+ client_max_body_size 20m;
+
+ # individual nginx logs for this gitlab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ # serve static files from defined root folder;.
+ # @gitlab is a named location for the upstream fallback, see below
+ try_files $uri $uri/index.html $uri.html @gitlab;
+ }
+
+ # if a file, which is not found in the root folder is requested,
+ # then the proxy pass the request to the upsteam (gitlab unicorn)
+ location @gitlab {
+ # If you use https make sure you disable gzip compression
+ # to be safe against BREACH attack
+ # gzip off;
+
+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://gitlab;
+ }
+
+ # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+ location ~ ^/(assets)/ {
+ root /home/git/gitlab/public;
+ gzip_static on; # to serve pre-gzipped version
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_page 502 /502.html;
+}
\ No newline at end of file
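Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.2;` in the 443 server block still offers SSLv3, which no client that can reach this template needs and which only widens the downgrade surface, while TLSv1.1 is left out so a client capped at 1.1 ends up on TLSv1.0; `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is the safer line. The cipher list advertises DHE suites but `ssl_dhparam` stays commented out, so those handshakes use nginx's built-in default DH group (1024-bit in nginx releases of this era, as far as I recall), which is weaker than the ECDHE and AES-256 suites next to it — either generate a 2048-bit group and uncomment that line, or drop the DHE-* entries. The `# gzip off;` comment in `@gitlab` tells the operator to disable compression against BREACH yet leaves the effective setting to whatever the main nginx.conf inherits; for a template that is HTTPS-only by construction it should simply be `gzip off;`. Since the port-80 block exists only to redirect, consider also adding `add_header Strict-Transport-Security "max-age=31536000";` in the 443 block so returning browsers never issue the plaintext request in the first place.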