Merge branch 'set_proxy_headers' into 'master'
Allow users to set the proxy headers they need. This should allow users who need to set different headers with `proxy_set_header` than what we assume/recommend/guess to do so. We retain the previous behaviour of setting a few headers with our own defaults; however, users are now free to override those based on their needs. In theory, Fixes #696, #331, #882, #848. See merge request !632
3807ed87ec
|
@ -347,10 +347,23 @@ You can increase the default timeout value by setting the value in `/etc/gitlab/
|
|||
gitlab_workhorse['proxy_headers_timeout'] = "2m0s"
|
||||
```
|
||||
|
||||
Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
|
||||
for the changes to take effect.
|
||||
Save the file and [reconfigure GitLab][] for the changes to take effect.
|
||||
|
||||
### The change you wanted was rejected
|
||||
|
||||
Most likely you have GitLab setup in an environment that has proxy in front
|
||||
of Gitlab and the proxy headers set in package by default are incorrect
|
||||
for your environment.
|
||||
|
||||
See [Change the default proxy headers section of nginx doc][] for details on
|
||||
how to override the default headers.
|
||||
|
||||
### Can't verify CSRF token authenticity Completed 422 Unprocessable
|
||||
|
||||
|
||||
[CAcert.org]: http://www.cacert.org/
|
||||
[certificate link shell script]: https://gitlab.com/snippets/6285
|
||||
[script source]: https://www.madboa.com/geek/openssl/#verify-new
|
||||
[gitlab.rb.template]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
|
||||
[Change the default proxy headers section of nginx doc]: doc/settings/nginx.md](doc/settings/nginx.md
|
||||
[reconfigure GitLab]: http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure
|
||||
|
|
|
@ -68,7 +68,9 @@ as part of the external_url.
|
|||
external_url "https://gitlab.example.com:2443"
|
||||
```
|
||||
|
||||
To set the location of ssl certificates create `/etc/gitlab/ssl` directory, place the `.crt` and `.key` files in the directory and specify the following configuration:
|
||||
To set the location of ssl certificates create `/etc/gitlab/ssl` directory,
|
||||
place the `.crt` and `.key` files in the directory and specify the following
|
||||
configuration:
|
||||
|
||||
```ruby
|
||||
# For GitLab
|
||||
|
@ -78,6 +80,40 @@ nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
|
|||
|
||||
Run `sudo gitlab-ctl reconfigure` for the change to take effect.
|
||||
|
||||
## Change the default proxy headers
|
||||
|
||||
By default, when you specify `external_url` omnibus-gitlab will set a few
|
||||
NGINX proxy headers that are assumed to be sane in most environments.
|
||||
|
||||
For example, omnibus-gitlab will set:
|
||||
|
||||
```
|
||||
"X-Forwarded-Proto" => "https",
|
||||
"X-Forwarded-Ssl" => "on"
|
||||
```
|
||||
|
||||
if you have specified `https` schema in the `external_url`.
|
||||
|
||||
However, if you have a situation where your GitLab is in a more complex setup
|
||||
like behind a reverse proxy, you will need to tweak the proxy headers in order
|
||||
to avoid errors like `The change you wanted was rejected` or
|
||||
`Can't verify CSRF token authenticity Completed 422 Unprocessable`.
|
||||
|
||||
This can be achieved by overriding the default headers, eg. specify
|
||||
in `/etc/gitlab/gitlab.rb`:
|
||||
|
||||
```ruby
|
||||
nginx['proxy_set_headers'] = {
|
||||
"X-Forwarded-Proto" => "http",
|
||||
"CUSTOM_HEADER" => "VALUE"
|
||||
}
|
||||
```
|
||||
|
||||
Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
|
||||
for the changes to take effect.
|
||||
|
||||
This way you can specify any header supported by NGINX you require.
|
||||
|
||||
## Using a non-bundled web-server
|
||||
|
||||
By default, omnibus-gitlab installs GitLab with bundled Nginx.
|
||||
|
|
|
@ -472,6 +472,13 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
|
||||
# nginx['proxy_read_timeout'] = 300
|
||||
# nginx['proxy_connect_timeout'] = 300
|
||||
# nginx['proxy_set_headers'] = {
|
||||
# "Host" => "$http_host",
|
||||
# "X-Real-IP" => "$remote_addr",
|
||||
# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
|
||||
# "X-Forwarded-Proto" => "https",
|
||||
# "X-Forwarded-Ssl" => "on"
|
||||
# }
|
||||
|
||||
## Advanced settings
|
||||
# nginx['dir'] = "/var/opt/gitlab/nginx"
|
||||
|
|
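Review bot: The commented example for `nginx['proxy_set_headers']` hardcodes `"X-Forwarded-Proto" => "https"` and `"X-Forwarded-Ssl" => "on"`, which differ from the attribute defaults introduced in the same commit (`"http"` and `nil`) and are only correct for a TLS `external_url`. An operator who uncomments the block verbatim on an http-only deployment would tell the application every request arrived over TLS, which looks like it could reproduce the very CSRF/"change rejected" symptoms the merge request is fixing — please confirm. A one-line comment above the block, `# Values shown are the https defaults; keep them consistent with the scheme of your external_url or the proxy in front of it`, would make the example safer to copy.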
|
@ -432,6 +432,14 @@ default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
|
|||
default['gitlab']['nginx']['custom_nginx_config'] = nil
|
||||
default['gitlab']['nginx']['proxy_read_timeout'] = 300
|
||||
default['gitlab']['nginx']['proxy_connect_timeout'] = 300
|
||||
default['gitlab']['nginx']['proxy_set_headers'] = {
|
||||
"Host" => "$http_host",
|
||||
"X-Real-IP" => "$remote_addr",
|
||||
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
|
||||
"X-Forwarded-Proto" => "http",
|
||||
"X-Forwarded-Ssl" => nil
|
||||
}
|
||||
|
||||
|
||||
###
|
||||
# Logging
|
||||
|
|
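Review bot: The new `default['gitlab']['nginx']['proxy_set_headers']` hash has a `nil` value for `"X-Forwarded-Ssl"` with no explanation of why one entry is nil while the others are strings; a reader of this file alone cannot tell whether nil means "omit" or "unset". A comment such as `# nil => header is not emitted; parse_nginx_proxy_headers fills in X-Forwarded-Proto/X-Forwarded-Ssl for https external_urls` would document the contract the library and the nginx template rely on. Whether the template actually skips nil entries is established elsewhere in this commit, so verify the comment against it.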
|
@ -126,10 +126,12 @@ module Gitlab
|
|||
case uri.scheme
|
||||
when "http"
|
||||
Gitlab['gitlab_rails']['gitlab_https'] = false
|
||||
parse_nginx_proxy_headers(false)
|
||||
when "https"
|
||||
Gitlab['gitlab_rails']['gitlab_https'] = true
|
||||
Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
|
||||
Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
|
||||
parse_nginx_proxy_headers(true)
|
||||
else
|
||||
raise "Unsupported external URL scheme: #{uri.scheme}"
|
||||
end
|
||||
|
@ -311,6 +313,22 @@ module Gitlab
|
|||
end
|
||||
end
|
||||
|
||||
def parse_nginx_proxy_headers(https)
|
||||
value_from_gitlab_rb = Gitlab['nginx']['proxy_set_headers']
|
||||
default_from_attributes = node['gitlab']['nginx']['proxy_set_headers']
|
||||
|
||||
if https
|
||||
default_from_attributes = default_from_attributes.to_hash.merge('X-Forwarded-Proto' => "https") unless value_from_gitlab_rb && value_from_gitlab_rb['X-Forwarded-Proto']
|
||||
default_from_attributes = default_from_attributes.to_hash.merge('X-Forwarded-Ssl' => "on") unless value_from_gitlab_rb && value_from_gitlab_rb['X-Forwarded-Ssl']
|
||||
end
|
||||
|
||||
Gitlab['nginx']['proxy_set_headers'] = if value_from_gitlab_rb
|
||||
default_from_attributes.merge(value_from_gitlab_rb.to_hash)
|
||||
else
|
||||
default_from_attributes
|
||||
end
|
||||
end
|
||||
|
||||
def parse_ci_external_url
|
||||
return unless ci_external_url
|
||||
# Enable gitlab_ci. This setting will be picked up by parse_gitlab_ci
|
||||
|
|
|
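Review bot: In `parse_nginx_proxy_headers`, the `https` branch decides whether to inject the `X-Forwarded-Proto`/`X-Forwarded-Ssl` defaults by an exact-case key lookup (`value_from_gitlab_rb['X-Forwarded-Proto']`), so a `gitlab.rb` entry spelled `'x-forwarded-proto'` would not suppress the default and the generated config would carry two `proxy_set_header` directives for the same case-insensitive header. Normalizing once before the comparison, e.g. `user_keys = (value_from_gitlab_rb || {}).keys.map { |k| k.to_s.downcase }` and then `unless user_keys.include?('x-forwarded-proto')`, avoids that. `default_from_attributes` is only converted with `.to_hash` inside the `https` branch, so on plain http the raw attribute object is assigned back; calling `.to_hash` once at the top makes both paths return the same type. The method also lacks a comment stating its precedence; I would add `# Node defaults first; for https also default X-Forwarded-Proto/X-Forwarded-Ssl unless gitlab.rb sets them; gitlab.rb values win on merge.`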
@ -105,13 +105,10 @@ server {
|
|||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
<% if @https %>
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
<% @proxy_set_headers.each do |header| %>
|
||||
<% next if header[1].nil? %>
|
||||
proxy_set_header <%= header[0] %> <%= header[1] %>;
|
||||
<% end %>
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto <%= @https ? "https" : "http" %>;
|
||||
|
||||
proxy_pass http://gitlab-workhorse;
|
||||
}
|
||||
|
|
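Review bot: The loop writes header names and values from `@proxy_set_headers` into the nginx config verbatim (`proxy_set_header <%= header[0] %> <%= header[1] %>;`), so a value containing `;`, a newline or an unbalanced quote produces a config that fails to load at reconfigure time, or is parsed differently than the operator intended, instead of a clear error. Since these values now come from `gitlab.rb`, either validating them on the Ruby side or quoting the value, `proxy_set_header <%= header[0] %> "<%= header[1] %>";`, with embedded double quotes rejected, would give a useful failure mode. The `<% next if header[1].nil? %>` line is the only way a default header such as `Host` can be removed and deserves a comment: `<%# a nil value in proxy_set_headers drops the header entirely %>`.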