Add option to disable HTTPS on nginx to support proxied SSL

Closes #489

CHANGELOG.md

@@ -3,6 +3,10 @@
 The latest version of this file can be found at the master branch of the
 omnibus-gitlab repository.
 
+7.10.0
+
+- Add option to disable HTTPS on nginx to support proxied SSL (Stan Hu) 455b15a63e428c294b115438469705678a26493d
+
 7.9.0
 
 - Restart nginx instead of issuing a HUP signal changes so that changes in listen_address work (Stan Hu) 428ee157c346f3f0eae53762b51145502b1456a6

doc/settings/nginx.md

@@ -145,6 +145,27 @@ something else.  For example, to use port 8080:
 nginx['listen_port'] = 8080
 ```
 
+## Supporting proxied SSL
+
+By default NGINX will auto-detect whether to use SSL if `external_url`
+contains `https://`.  If you are running GitLab behind a reverse proxy, you
+may wish to keep the `external_url` as an HTTPS address but communicate with
+the GitLab NGINX internally over HTTP. To do this, you can disable HTTPS using
+the `listen_https` option:
+
+```ruby
+nginx['listen_https'] = false
+```
+
+Note that you may need to configure your reverse proxy to forward certain
+headers (e.g. `Host`, `X-Forwarded-Ssl'`, `X-Forwarded-For``) to GitLab. You
+may see improper redirections or errors (e.g. "422 Unprocessable Entity",
+"Can't verify CSRF token authenticity") if you forget this step. For more
+information, see:
+
+http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
+https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
+
 ## Inserting custom NGINX settings into the GitLab server block
 
 If you need to add custom settings into the NGINX `server` block for GitLab for

files/gitlab-config-template/gitlab.rb.template

@@ -342,6 +342,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 # nginx['listen_addresses'] = ['*']
 # nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
+# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
 # nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
 # nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
 

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -300,6 +300,7 @@ default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000  shared:SSL:10m"
 default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['listen_addresses'] = ['*']
 default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
+default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
 default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
 default['gitlab']['nginx']['custom_nginx_config'] = nil
 

files/gitlab-cookbooks/gitlab/recipes/nginx.rb

@@ -51,6 +51,12 @@ if nginx_vars['listen_port'].nil?
   nginx_vars['listen_port'] = gitlab_port
 end
 
+if nginx_vars['listen_https'].nil?
+  nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
+else
+  nginx_vars['https'] = nginx_vars['listen_https']
+end
+
 template nginx_vars[:gitlab_http_config] do
   source "nginx-gitlab-http.conf.erb"
   owner "root"
@@ -59,7 +65,6 @@ template nginx_vars[:gitlab_http_config] do
   variables(nginx_vars.merge(
     {
       :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
-      :https => node['gitlab']['gitlab-rails']['gitlab_https'],
       :socket => node['gitlab']['unicorn']['socket'],
       :port => gitlab_port
     }