Merge branch 'trusted-ip-config' into 'master'
Add configuration option for setting trusted_ip and default it to whatever was set for the trusted addresses in the nginx real_ip module.

Fixes https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1208

See merge request !733
commit 3f137f1c3d
@ -7,6 +7,7 @@ omnibus-gitlab repository.
- Added db_sslca to the configuration options for connecting to an external database 2b4033cb
- Compile NGINX with the real_ip module and add configuration options b4830b90
- Added trusted_proxies configuration option for non-bundled web-server
- Support the ability to change mattermost UID and GID c5a588da
- Updated libicu to 56.1 4de944d9
- Updated liblzma to 5.2.2 4de944d9
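Review bot: the new entry "Added trusted_proxies configuration option for non-bundled web-server" is the only one in this block without a commit reference; the sibling entries end with a short hash (`2b4033cb`, `b4830b90`, `c5a588da`, `4de944d9`), so append this change's hash for consistency. The wording also undersells the change: per `parse_gitlab_trusted_proxies` in this MR the option exists for the bundled NGINX case too and defaults from `real_ip_trusted_addresses`, so something like "Added `gitlab_rails['trusted_proxies']`, defaulting to the NGINX `real_ip_trusted_addresses`" would describe it more accurately.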
@ -114,9 +114,9 @@ for the changes to take effect.
This way you can specify any header supported by NGINX you require.
## Configuring the `real_ip` module
## Configuring GitLab `trusted_proxies` and the NGINX `real_ip` module
By default, NGINX will use the IP address of the connected client in the logs.
By default, NGINX and GitLab will log the IP address of the connected client.
If your GitLab is behind a reverse proxy, you may not want the IP address of
the proxy to show up as the client address.
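Review bot: renaming the heading from "## Configuring the `real_ip` module" to "## Configuring GitLab `trusted_proxies` and the NGINX `real_ip` module" changes the generated anchor, so existing links to `#configuring-the-real_ip-module` from other docs or issues will break; either keep the old heading and introduce `trusted_proxies` in the body, or check for inbound links before merging. Minor: the rewritten first sentence, "NGINX and GitLab will log the IP address of the connected client", would be clearer if it said this is the address of the TCP peer, which is the proxy when one sits in front; that is exactly what the next paragraph relies on.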
@ -135,6 +135,10 @@ nginx['real_ip_recursive'] = 'on'
Description of the options:
* http://nginx.org/en/docs/http/ngx_http_realip_module.html
By default, omnibus-gitlab will use the IP addresses in `real_ip_trusted_addresses`
as GitLab's trusted proxies, which will keep users from being listed as signed
in from those IPs.
Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
for the changes to take effect.
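Review bot: the added paragraph says the trusted proxies "keep users from being listed as signed in from those IPs" but never says what being trusted means, and that is the security-relevant part: for a request arriving from one of these addresses, GitLab believes the forwarded client address the proxy supplies. The paragraph should state that only addresses of proxies you operate belong in `real_ip_trusted_addresses` (and therefore in the derived `trusted_proxies`), because an overly broad range lets any host in it choose the address recorded against a user's session. It should also mention that the derived default can be overridden with `gitlab_rails['trusted_proxies']`, the option this MR adds to the template; as written, the bundled-NGINX section never names the option.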
@ -209,6 +213,19 @@ will have to perform the following steps:
*Note: make sure that the webserver user has the correct permissions on all directories used by external web-server, otherwise you will receive `failed (XX: Permission denied) while reading upstream` errors.
1. **Add the non-bundled web-server to the list of trusted proxies**
Normally, omnibus-gitlab defaults the list of trusted proxies to the what was
configured in the real_ip module for the bundled NGINX.
For non-bundled web-servers the list needs to be configured directly, and should
include the IP address of your web-server if it not on the same machine as GitLab.
Otherwise users will be shown as being signed in from your web-server's IP address.
```ruby
gitlab_rails['trusted_proxies'] = [ '192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]
```
1. **(Optional) Set the right gitlab-workhorse settings if using Apache**
*Note: The values below were added in GitLab 8.2, make sure you have the latest version installed.*
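Review bot: two typos in the added step: "defaults the list of trusted proxies to the what was configured" (drop "the") and "if it not on the same machine" (missing "is"). The example `gitlab_rails['trusted_proxies'] = [ '192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]` is fine as a syntax illustration, but the step should say plainly that the admin must replace these with the actual address or addresses of their own web-server and nothing broader, since the entries determine whose forwarded client address GitLab believes; as worded ("should include the IP address of your web-server") a reader could reasonably paste the example ranges verbatim.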
@ -44,6 +44,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
# gitlab_rails['geo_bulk_notify_worker_cron'] = "*/10 * * * * *"
# gitlab_rails['webhook_timeout'] = 10
# gitlab_rails['trusted_proxies'] = []
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
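Review bot: the new commented line `# gitlab_rails['trusted_proxies'] = []` gives no hint that the setting has a non-empty default. From `parse_gitlab_trusted_proxies` in this MR, leaving it unset copies `nginx['real_ip_trusted_addresses']`, whereas uncommenting this line as-is yields an explicit empty list that disables that fallback (an empty array is truthy in Ruby, so `||=` keeps it). Add a one-line comment above it saying the default is taken from the NGINX `real_ip_trusted_addresses`, and consider showing a placeholder value such as `['10.0.0.2']` instead of `[]` so that uncommenting the line does not silently drop the proxies inherited from the NGINX config.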
@ -239,6 +239,7 @@ default['gitlab']['gitlab-rails']['smtp_ca_file'] = "#{node['package']['install-
default['gitlab']['gitlab-rails']['webhook_timeout'] = nil
default['gitlab']['gitlab-rails']['initial_root_password'] = nil
default['gitlab']['gitlab-rails']['trusted_proxies'] = nil
####
# Unicorn
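Review bot: `default['gitlab']['gitlab-rails']['trusted_proxies'] = nil` is only safe because `parse_gitlab_trusted_proxies` is expected to replace it; the gitlab.yml.erb hunk in this MR calls `@trusted_proxies.each`, which raises `NoMethodError` on nil. If `nginx['real_ip_trusted_addresses']` is ever nil, or the parse step is skipped, reconfigure fails while rendering gitlab.yml. Defaulting to `[]` here (or guarding the template with `Array(@trusted_proxies)`) removes that coupling.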
@ -341,6 +341,11 @@ module Gitlab
Gitlab['nginx']['proxy_set_headers'] = default_from_attributes
end
def parse_gitlab_trusted_proxies
Gitlab['nginx']['real_ip_trusted_addresses'] ||= node['gitlab']['nginx']['real_ip_trusted_addresses']
Gitlab['gitlab_rails']['trusted_proxies'] ||= Gitlab['nginx']['real_ip_trusted_addresses']
end
def parse_ci_external_url
return unless ci_external_url
# Disable gitlab_ci. This setting will be picked up by parse_gitlab_ci
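Review bot: the first line of `parse_gitlab_trusted_proxies`, `Gitlab['nginx']['real_ip_trusted_addresses'] ||= node['gitlab']['nginx']['real_ip_trusted_addresses']`, writes to the nginx settings as a side effect of a method named for gitlab-rails, which is surprising and makes the method order-sensitive relative to the nginx parsers. Reading the default without assigning is clearer: `Gitlab['gitlab_rails']['trusted_proxies'] ||= Gitlab['nginx']['real_ip_trusted_addresses'] || node['gitlab']['nginx']['real_ip_trusted_addresses']`. There is also no validation that entries are IP addresses or CIDR ranges; a malformed entry only surfaces once Rails loads gitlab.yml, so a check here (for example `IPAddr.new(entry)` inside a begin/rescue that raises a descriptive error) would fail at reconfigure time with a clear message instead.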
@ -545,6 +550,7 @@ module Gitlab
parse_unicorn_listen_address
parse_nginx_listen_address
parse_nginx_listen_ports
parse_gitlab_trusted_proxies
parse_gitlab_ci
parse_gitlab_mattermost
parse_incoming_email
@ -23,6 +23,14 @@ production: &base
# other files that need to be changed for relative url support
relative_url_root: <%= @gitlab_relative_url %>
# Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies:
<% @trusted_proxies.each do |proxy| %>
- <%= proxy %>
<% end %>
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: <%= node['gitlab']['user']['username'] %>
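Review bot: the loop `<% @trusted_proxies.each do |proxy| %>` / `- <%= proxy %>` / `<% end %>` renders `trusted_proxies:` with nothing beneath it when the list is empty, which YAML loads as nil rather than an empty array; unless every consumer of `trusted_proxies` tolerates nil, emit `trusted_proxies: []` in that case. The values are also written as unquoted plain scalars; quoting them (`- "<%= proxy %>"`) makes the emitted YAML unambiguous whatever the admin typed into gitlab.rb. Minor: the comment "Add the IP address for your reverse proxy to the list" reads as an instruction to edit this file, but on omnibus it is generated and overwritten on reconfigure; point the reader at `gitlab_rails['trusted_proxies']` in `/etc/gitlab/gitlab.rb` instead.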