Merge branch 'master' into 'master'

added missing config variables allowing TLS termination to reverse proxy the container registry

Users who have a proxy sitting in front of their Omnibus installation currently can't use a secure registry because the required config variables can't be set.  (ex. https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1304).
This PR adds the required variables `proxy_set_headers`, `listen_port` and `listen_https` to the config template.

See merge request !796

CHANGELOG.md

@@ -9,6 +9,7 @@ omnibus-gitlab repository.
 - Add log prefix for pages and registry services 48e29b
 - Change the autovacuum configuration defaults f5ac85
 - Update redis to 3.2.0 (Takuya Noguchi)
+- Add configuration that allows overriding proxy headers for Registry NGINX config (Alexander Zigelski)
 
 8.8.4
 

files/gitlab-config-template/gitlab.rb.template

@@ -846,3 +846,12 @@ external_url 'GENERATED_EXTERNAL_URL'
 
 # registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/certificate.pem"
 # registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/certificate.key"
+# registry_nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
+# registry_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
+# registry_nginx['proxy_set_headers'] = {
+#  "Host" => "$http_host",
+#  "X-Real-IP" => "$remote_addr",
+#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
+#  "X-Forwarded-Proto" => "https",
+#  "X-Forwarded-Ssl" => "on"
+# }

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -809,3 +809,10 @@ default['gitlab']['pages-nginx']['enable'] = true
 ####
 default['gitlab']['registry-nginx'] = default['gitlab']['nginx'].dup
 default['gitlab']['registry-nginx']['enable'] = true
+default['gitlab']['registry_nginx']['https'] = false
+default['gitlab']['registry_nginx']['proxy_set_headers'] = {
+  "Host" => "$http_host",
+  "X-Real-IP" => "$remote_addr",
+  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
+	"X-Forwarded-Proto" => "$scheme"
+}

files/gitlab-cookbooks/gitlab/libraries/gitlab.rb

@@ -152,12 +152,12 @@ module Gitlab
       case uri.scheme
       when "http"
         Gitlab['gitlab_rails']['gitlab_https'] = false
-        parse_nginx_proxy_headers(false)
+        parse_proxy_headers('nginx', false)
       when "https"
         Gitlab['gitlab_rails']['gitlab_https'] = true
         Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
         Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
-        parse_nginx_proxy_headers(true)
+        parse_proxy_headers('nginx', true)
       else
         raise "Unsupported external URL scheme: #{uri.scheme}"
       end
@@ -341,9 +341,9 @@ module Gitlab
       end
     end
 
-    def parse_nginx_proxy_headers(https)
-      values_from_gitlab_rb = Gitlab['nginx']['proxy_set_headers']
-      default_from_attributes = node['gitlab']['nginx']['proxy_set_headers'].to_hash
+    def parse_proxy_headers(app, https)
+      values_from_gitlab_rb = Gitlab[app]['proxy_set_headers']
+      default_from_attributes = node['gitlab'][app]['proxy_set_headers'].to_hash
 
       default_from_attributes = if https
                                   default_from_attributes.merge({
@@ -364,7 +364,7 @@ module Gitlab
         default_from_attributes = default_from_attributes.merge(values_from_gitlab_rb.to_hash)
       end
 
-      Gitlab['nginx']['proxy_set_headers'] = default_from_attributes
+      Gitlab[app]['proxy_set_headers'] = default_from_attributes
     end
 
     def parse_gitlab_trusted_proxies
@@ -522,10 +522,15 @@ module Gitlab
       Gitlab['gitlab_rails']['registry_host'] = uri.host
       Gitlab['registry_nginx']['listen_port'] ||= uri.port
 
-      if uri.scheme == "https"
+      case uri.scheme
+      when "http"
+        Gitlab['registry_nginx']['https'] ||= false
+        parse_proxy_headers('registry_nginx', false)
+      when "https"
         Gitlab['registry_nginx']['https'] ||= true
         Gitlab['registry_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
         Gitlab['registry_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
+        parse_proxy_headers('registry_nginx', true)
       else
         raise "Unsupported GitLab Registry external URL scheme: #{uri.scheme}"
       end

files/gitlab-cookbooks/gitlab/recipes/nginx.rb

@@ -141,6 +141,11 @@ template gitlab_pages_http_conf do
 end
 
 registry_nginx_vars = node['gitlab']['registry-nginx'].to_hash
+
+unless registry_nginx_vars['listen_https'].nil?
+  registry_nginx_vars['https'] = registry_nginx_vars['listen_https']
+end
+
 template gitlab_registry_http_conf do
   source "nginx-gitlab-registry-http.conf.erb"
   owner "root"

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-registry-http.conf.erb

@@ -58,10 +58,12 @@ server {
   error_log   <%= @log_directory %>/gitlab_registry_error.log;
 
   location / {
-    proxy_set_header  Host              $http_host;   # required for docker client's sake
-    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header  X-Forwarded-Proto $scheme;
+
+    <% @proxy_set_headers.each do |header| %>
+    <% next if header[1].nil? %>
+    proxy_set_header <%= header[0] %> <%= header[1] %>;
+    <% end %>
+
     proxy_read_timeout                  900;
 
     proxy_pass          http://<%= @registry_http_addr %>;