Merge branch 'master' into 'master'
added missing config variables allowing TLS termination at a reverse proxy in front of the container registry. Users who have a proxy sitting in front of their Omnibus installation currently can't use a secure registry because the required config variables can't be set (e.g. https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1304). This merge request adds the required variables `proxy_set_headers`, `listen_port` and `listen_https` to the config template. See merge request !796
@ -9,6 +9,7 @@ omnibus-gitlab repository.
|
|||
- Add log prefix for pages and registry services 48e29b
|
||||
- Change the autovacuum configuration defaults f5ac85
|
||||
- Update redis to 3.2.0 (Takuya Noguchi)
|
||||
- Add configuration that allows overriding proxy headers for Registry NGINX config (Alexander Zigelski)
|
||||
|
||||
8.8.4
|
||||
|
||||
|
|
|
@ -846,3 +846,12 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
|
||||
# registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/certificate.pem"
|
||||
# registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/certificate.key"
|
||||
# registry_nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
|
||||
# registry_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
|
||||
# registry_nginx['proxy_set_headers'] = {
|
||||
# "Host" => "$http_host",
|
||||
# "X-Real-IP" => "$remote_addr",
|
||||
# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
|
||||
# "X-Forwarded-Proto" => "https",
|
||||
# "X-Forwarded-Ssl" => "on"
|
||||
# }
|
||||
|
|
|
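Review bot: The example `# registry_nginx['listen_https'] = nil` turns the registry listener into plain HTTP while `registry_external_url` stays https, but the comment does not warn that the listener must then be reachable only from the reverse proxy. A client that reaches the port directly talks to the registry in clear text while the example `proxy_set_headers` block still forces `"X-Forwarded-Proto" => "https"` and `"X-Forwarded-Ssl" => "on"`. I would extend the comment to `# override only if your reverse proxy internally communicates over HTTP; traffic on this port is then unencrypted, so restrict the listener to the proxy's network`. The forced `https`/`on` values are only correct when the proxy terminates TLS for every request, which is worth stating next to them.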
@ -809,3 +809,10 @@ default['gitlab']['pages-nginx']['enable'] = true
|
|||
####
|
||||
default['gitlab']['registry-nginx'] = default['gitlab']['nginx'].dup
|
||||
default['gitlab']['registry-nginx']['enable'] = true
|
||||
default['gitlab']['registry_nginx']['https'] = false
|
||||
default['gitlab']['registry_nginx']['proxy_set_headers'] = {
|
||||
"Host" => "$http_host",
|
||||
"X-Real-IP" => "$remote_addr",
|
||||
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
|
||||
"X-Forwarded-Proto" => "$scheme"
|
||||
}
|
||||
|
|
|
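Review bot: The new defaults `default['gitlab']['registry_nginx']['https'] = false` and `default['gitlab']['registry_nginx']['proxy_set_headers'] = {…}` use an underscore key, while the two lines above them and the recipe's `node['gitlab']['registry-nginx'].to_hash` use the hyphenated `registry-nginx`. Unless the config library folds the two spellings together (not visible here), the `https` default lands on an attribute the recipe never reads, and `registry-nginx` keeps whatever `https` it inherited from the `.dup` of `nginx`. `parse_proxy_headers('registry_nginx', …)` does look up `node['gitlab']['registry_nginx']['proxy_set_headers']`, so that default works, which makes the split easy to miss. I would move the `https` default onto `registry-nginx` and add `# read by parse_proxy_headers via node['gitlab']['registry_nginx']; the recipe itself reads 'registry-nginx'` above the `proxy_set_headers` line.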
@ -152,12 +152,12 @@ module Gitlab
|
|||
case uri.scheme
|
||||
when "http"
|
||||
Gitlab['gitlab_rails']['gitlab_https'] = false
|
||||
parse_nginx_proxy_headers(false)
|
||||
parse_proxy_headers('nginx', false)
|
||||
when "https"
|
||||
Gitlab['gitlab_rails']['gitlab_https'] = true
|
||||
Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
|
||||
Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
|
||||
parse_nginx_proxy_headers(true)
|
||||
parse_proxy_headers('nginx', true)
|
||||
else
|
||||
raise "Unsupported external URL scheme: #{uri.scheme}"
|
||||
end
|
||||
|
@ -341,9 +341,9 @@ module Gitlab
|
|||
end
|
||||
end
|
||||
|
||||
def parse_nginx_proxy_headers(https)
|
||||
values_from_gitlab_rb = Gitlab['nginx']['proxy_set_headers']
|
||||
default_from_attributes = node['gitlab']['nginx']['proxy_set_headers'].to_hash
|
||||
def parse_proxy_headers(app, https)
|
||||
values_from_gitlab_rb = Gitlab[app]['proxy_set_headers']
|
||||
default_from_attributes = node['gitlab'][app]['proxy_set_headers'].to_hash
|
||||
|
||||
default_from_attributes = if https
|
||||
default_from_attributes.merge({
|
||||
|
@ -364,7 +364,7 @@ module Gitlab
|
|||
default_from_attributes = default_from_attributes.merge(values_from_gitlab_rb.to_hash)
|
||||
end
|
||||
|
||||
Gitlab['nginx']['proxy_set_headers'] = default_from_attributes
|
||||
Gitlab[app]['proxy_set_headers'] = default_from_attributes
|
||||
end
|
||||
|
||||
def parse_gitlab_trusted_proxies
|
||||
|
@ -522,10 +522,15 @@ module Gitlab
|
|||
Gitlab['gitlab_rails']['registry_host'] = uri.host
|
||||
Gitlab['registry_nginx']['listen_port'] ||= uri.port
|
||||
|
||||
if uri.scheme == "https"
|
||||
case uri.scheme
|
||||
when "http"
|
||||
Gitlab['registry_nginx']['https'] ||= false
|
||||
parse_proxy_headers('registry_nginx', false)
|
||||
when "https"
|
||||
Gitlab['registry_nginx']['https'] ||= true
|
||||
Gitlab['registry_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
|
||||
Gitlab['registry_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
|
||||
parse_proxy_headers('registry_nginx', true)
|
||||
else
|
||||
raise "Unsupported GitLab Registry external URL scheme: #{uri.scheme}"
|
||||
end
|
||||
|
|
|
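Review bot: `Gitlab['registry_nginx']['https'] ||= true` in the `when "https"` branch overwrites an explicit `registry_nginx['https'] = false` from gitlab.rb, because `||=` assigns on `false` as well as on `nil`. That is precisely the TLS-terminating-proxy setup this merge request targets, and it is presumably why a separate `listen_https` key had to be introduced instead of honouring `https`. A nil check keeps the admin's choice: `Gitlab['registry_nginx']['https'] = true if Gitlab['registry_nginx']['https'].nil?` (the `||= false` in the `http` branch is harmless but could use the same form for symmetry). The enclosing method starts before this hunk, so I cannot see whether `https` is normalised anywhere else.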
@ -141,6 +141,11 @@ template gitlab_pages_http_conf do
|
|||
end
|
||||
|
||||
registry_nginx_vars = node['gitlab']['registry-nginx'].to_hash
|
||||
|
||||
unless registry_nginx_vars['listen_https'].nil?
|
||||
registry_nginx_vars['https'] = registry_nginx_vars['listen_https']
|
||||
end
|
||||
|
||||
template gitlab_registry_http_conf do
|
||||
source "nginx-gitlab-registry-http.conf.erb"
|
||||
owner "root"
|
||||
|
|
|
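Review bot: The `unless registry_nginx_vars['listen_https'].nil?` override carries no comment saying why the template receives `listen_https` instead of the `https` value already derived from `registry_external_url`. I would add above it: `# listen_https lets an admin keep registry_external_url on https while the local listener speaks plain HTTP behind a TLS-terminating reverse proxy; when set, it overrides the scheme-derived 'https'.` Only `nil` counts as unset here, so a string such as `"false"` in gitlab.rb is truthy and would leave TLS enabled; the comment should state that the value must be a boolean, or the recipe could assign `registry_nginx_vars['listen_https'] == true` explicitly. The `template` resource that consumes this value continues past the hunk.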
@ -58,10 +58,12 @@ server {
|
|||
error_log <%= @log_directory %>/gitlab_registry_error.log;
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $http_host; # required for docker client's sake
|
||||
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
<% @proxy_set_headers.each do |header| %>
|
||||
<% next if header[1].nil? %>
|
||||
proxy_set_header <%= header[0] %> <%= header[1] %>;
|
||||
<% end %>
|
||||
|
||||
proxy_read_timeout 900;
|
||||
|
||||
proxy_pass http://<%= @registry_http_addr %>;
|
||||
|
|
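Review bot: The loop `<% @proxy_set_headers.each do |header| %>` drops the rationale that the removed hardcoded lines carried, in particular that `Host $http_host` is required for the Docker client, and `header[0]`/`header[1]` is weaker style than block destructuring. I would write it as `<%# Host must be passed through unchanged: the Docker client needs it %>` / `<% @proxy_set_headers.each do |name, value| %>` / `<% next if value.nil? %>` with `proxy_set_header <%= name %> <%= value %>;` in the body. Because a nil value skips the header, a gitlab.rb entry `"Host" => nil` silently falls back to nginx's default Host handling, so that comment is the only thing keeping the requirement near the code. Header names and values are emitted unescaped into nginx.conf; they come from the admin-controlled gitlab.rb, which is acceptable but worth stating in the same comment.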