Merge branch 'set_proxy_headers' into 'master'

Allow users to set proxy headers they need

This should allow users who need to set different headers with `proxy_set_header` than what we assume/recommend/guess to do so.

We retain the previous behaviour of setting few headers with our own defaults however,
users will now be free to override those based on their needs.

In theory,

Fixes #696, #331, #882, #848, 

See merge request !632

doc/common_installation_problems/README.md

@@ -347,10 +347,23 @@ You can increase the default timeout value by setting the value in `/etc/gitlab/
 gitlab_workhorse['proxy_headers_timeout'] = "2m0s"
 ```
 
-Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
-for the changes to take effect.
+Save the file and [reconfigure GitLab][] for the changes to take effect.
+
+### The change you wanted was rejected
+
+Most likely you have GitLab setup in an environment that has proxy in front
+of Gitlab and the proxy headers set in package by default are incorrect
+for your environment.
+
+See [Change the default proxy headers section of nginx doc][] for details on
+how to override the default headers.
+
+### Can't verify CSRF token authenticity Completed 422 Unprocessable
+
 
 [CAcert.org]: http://www.cacert.org/
 [certificate link shell script]: https://gitlab.com/snippets/6285
 [script source]: https://www.madboa.com/geek/openssl/#verify-new
 [gitlab.rb.template]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
+[Change the default proxy headers section of nginx doc]: doc/settings/nginx.md](doc/settings/nginx.md
+[reconfigure GitLab]: http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure

doc/settings/nginx.md

@@ -68,7 +68,9 @@ as part of the external_url.
 external_url "https://gitlab.example.com:2443"
 ```
 
-To set the location of ssl certificates create `/etc/gitlab/ssl` directory, place the `.crt` and `.key` files in the directory and specify the following configuration:
+To set the location of ssl certificates create `/etc/gitlab/ssl` directory,
+place the `.crt` and `.key` files in the directory and specify the following
+configuration:
 
 ```ruby
 # For GitLab
@@ -78,6 +80,40 @@ nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
 
 Run `sudo gitlab-ctl reconfigure` for the change to take effect.
 
+## Change the default proxy headers
+
+By default, when you specify `external_url` omnibus-gitlab will set a few
+NGINX proxy headers that are assumed to be sane in most environments.
+
+For example, omnibus-gitlab will set:
+
+```
+  "X-Forwarded-Proto" => "https",
+  "X-Forwarded-Ssl" => "on"
+```
+
+if you have specified `https` schema in the `external_url`.
+
+However, if you have a situation where your GitLab is in a more complex setup
+like behind a reverse proxy, you will need to tweak the proxy headers in order
+to avoid errors like `The change you wanted was rejected` or
+`Can't verify CSRF token authenticity Completed 422 Unprocessable`.
+
+This can be achieved by overriding the default headers, eg. specify
+in `/etc/gitlab/gitlab.rb`:
+
+```ruby
+ nginx['proxy_set_headers'] = {
+  "X-Forwarded-Proto" => "http",
+  "CUSTOM_HEADER" => "VALUE"
+ }
+```
+
+Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
+for the changes to take effect.
+
+This way you can specify any header supported by NGINX you require.
+
 ## Using a non-bundled web-server
 
 By default, omnibus-gitlab installs GitLab with bundled Nginx.

files/gitlab-config-template/gitlab.rb.template

@@ -472,6 +472,13 @@ external_url 'GENERATED_EXTERNAL_URL'
 # nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
 # nginx['proxy_read_timeout'] = 300
 # nginx['proxy_connect_timeout'] = 300
+# nginx['proxy_set_headers'] = {
+#  "Host" => "$http_host",
+#  "X-Real-IP" => "$remote_addr",
+#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
+#  "X-Forwarded-Proto" => "https",
+#  "X-Forwarded-Ssl" => "on"
+# }
 
 ## Advanced settings
 # nginx['dir'] = "/var/opt/gitlab/nginx"

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -432,6 +432,14 @@ default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
 default['gitlab']['nginx']['custom_nginx_config'] = nil
 default['gitlab']['nginx']['proxy_read_timeout'] = 300
 default['gitlab']['nginx']['proxy_connect_timeout'] = 300
+default['gitlab']['nginx']['proxy_set_headers'] = {
+  "Host" => "$http_host",
+  "X-Real-IP" => "$remote_addr",
+  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
+  "X-Forwarded-Proto" => "http",
+  "X-Forwarded-Ssl" => nil
+}
+
 
 ###
 # Logging

files/gitlab-cookbooks/gitlab/libraries/gitlab.rb

@@ -126,10 +126,12 @@ module Gitlab
       case uri.scheme
       when "http"
         Gitlab['gitlab_rails']['gitlab_https'] = false
+        parse_nginx_proxy_headers(false)
       when "https"
         Gitlab['gitlab_rails']['gitlab_https'] = true
         Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
         Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
+        parse_nginx_proxy_headers(true)
       else
         raise "Unsupported external URL scheme: #{uri.scheme}"
       end
@@ -311,6 +313,22 @@ module Gitlab
       end
     end
 
+    def parse_nginx_proxy_headers(https)
+      value_from_gitlab_rb = Gitlab['nginx']['proxy_set_headers']
+      default_from_attributes = node['gitlab']['nginx']['proxy_set_headers']
+
+      if https
+        default_from_attributes = default_from_attributes.to_hash.merge('X-Forwarded-Proto' => "https") unless value_from_gitlab_rb && value_from_gitlab_rb['X-Forwarded-Proto']
+        default_from_attributes = default_from_attributes.to_hash.merge('X-Forwarded-Ssl' => "on") unless value_from_gitlab_rb && value_from_gitlab_rb['X-Forwarded-Ssl']
+      end
+
+      Gitlab['nginx']['proxy_set_headers'] = if value_from_gitlab_rb
+                                               default_from_attributes.merge(value_from_gitlab_rb.to_hash)
+                                             else
+                                               default_from_attributes
+                                             end
+    end
+
     def parse_ci_external_url
       return unless ci_external_url
       # Enable gitlab_ci. This setting will be picked up by parse_gitlab_ci

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -105,13 +105,10 @@ server {
 
     proxy_http_version 1.1;
 
-    proxy_set_header    Host                $http_host;
-    proxy_set_header    X-Real-IP           $remote_addr;
-    <% if @https %>
-    proxy_set_header    X-Forwarded-Ssl     on;
+    <% @proxy_set_headers.each do |header| %>
+    <% next if header[1].nil? %>
+    proxy_set_header <%= header[0] %> <%= header[1] %>;
     <% end %>
-    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   <%= @https ? "https" : "http" %>;
 
     proxy_pass http://gitlab-workhorse;
   }