Merge branch 'trusted-ip-config' into 'master'

Add configuration option for setting trusted_ip

And default it to whatever was set for the trusted addresses in the nginx real_ip module.

Fixes https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1208

See merge request !733

CHANGELOG.md

@@ -7,6 +7,7 @@ omnibus-gitlab repository.
 
 - Added db_sslca to the configuration options for connecting to an external database 2b4033cb
 - Compile NGINX with the real_ip module and add configuration options b4830b90
+- Added trusted_proxies configuration option for non-bundled web-server
 - Support the ability to change mattermost UID and GID c5a588da
 - Updated libicu to 56.1 4de944d9
 - Updated liblzma to 5.2.2 4de944d9

doc/settings/nginx.md

@@ -114,9 +114,9 @@ for the changes to take effect.
 
 This way you can specify any header supported by NGINX you require.
 
-## Configuring the `real_ip` module
+## Configuring GitLab `trusted_proxies` and the NGINX `real_ip` module
 
-By default, NGINX will use the IP address of the connected client in the logs.
+By default, NGINX and GitLab will log the IP address of the connected client.
 
 If your GitLab is behind a reverse proxy, you may not want the IP address of
 the proxy to show up as the client address.
@@ -135,6 +135,10 @@ nginx['real_ip_recursive'] = 'on'
 Description of the options:
 * http://nginx.org/en/docs/http/ngx_http_realip_module.html
 
+By default, omnibus-gitlab will use the IP addresses in `real_ip_trusted_addresses`
+as GitLab's trusted proxies, which will keep users from being listed as signed
+in from those IPs.
+
 Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
 for the changes to take effect.
 
@@ -209,6 +213,19 @@ will have to perform the following steps:
 
     *Note: make sure that the webserver user has the correct permissions on all directories used by external web-server, otherwise you will receive `failed (XX: Permission denied) while reading upstream` errors.
 
+1. **Add the non-bundled web-server to the list of trusted proxies**
+
+    Normally, omnibus-gitlab defaults the list of trusted proxies to the what was
+    configured in the real_ip module for the bundled NGINX.
+
+    For non-bundled web-servers the list needs to be configured directly, and should
+    include the IP address of your web-server if it not on the same machine as GitLab.
+    Otherwise users will be shown as being signed in from your web-server's IP address.
+
+    ```ruby
+    gitlab_rails['trusted_proxies'] = [ '192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]
+    ```
+
 1. **(Optional) Set the right gitlab-workhorse settings if using Apache**
 
     *Note: The values below were added in GitLab 8.2, make sure you have the latest version installed.*

files/gitlab-config-template/gitlab.rb.template

@@ -44,6 +44,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
 # gitlab_rails['geo_bulk_notify_worker_cron'] = "*/10 * * * * *"
 # gitlab_rails['webhook_timeout'] = 10
+# gitlab_rails['trusted_proxies'] = [] 
 
 ## Reply by email
 # Allow users to comment on issues and merge requests by replying to notification emails.

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -239,6 +239,7 @@ default['gitlab']['gitlab-rails']['smtp_ca_file'] = "#{node['package']['install-
 default['gitlab']['gitlab-rails']['webhook_timeout'] = nil
 
 default['gitlab']['gitlab-rails']['initial_root_password'] = nil
+default['gitlab']['gitlab-rails']['trusted_proxies'] = nil
 
 ####
 # Unicorn

files/gitlab-cookbooks/gitlab/libraries/gitlab.rb

@@ -341,6 +341,11 @@ module Gitlab
       Gitlab['nginx']['proxy_set_headers'] = default_from_attributes
     end
 
+    def parse_gitlab_trusted_proxies
+      Gitlab['nginx']['real_ip_trusted_addresses'] ||= node['gitlab']['nginx']['real_ip_trusted_addresses']
+      Gitlab['gitlab_rails']['trusted_proxies'] ||= Gitlab['nginx']['real_ip_trusted_addresses']
+    end
+
     def parse_ci_external_url
       return unless ci_external_url
       # Disable gitlab_ci. This setting will be picked up by parse_gitlab_ci
@@ -545,6 +550,7 @@ module Gitlab
       parse_unicorn_listen_address
       parse_nginx_listen_address
       parse_nginx_listen_ports
+      parse_gitlab_trusted_proxies
       parse_gitlab_ci
       parse_gitlab_mattermost
       parse_incoming_email

files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb

@@ -23,6 +23,14 @@ production: &base
     # other files that need to be changed for relative url support
     relative_url_root: <%= @gitlab_relative_url %>
 
+    # Trusted Proxies
+    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
+    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
+    trusted_proxies:
+<% @trusted_proxies.each do |proxy| %>
+      - <%= proxy %>
+<% end %>
+
     # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
     user: <%= node['gitlab']['user']['username'] %>