Add option to disable HTTPS on nginx to support proxied SSL
Closes #489
parent
23599e7596
commit
80f4204052
|
@ -3,6 +3,10 @@
|
|||
The latest version of this file can be found at the master branch of the
|
||||
omnibus-gitlab repository.
|
||||
|
||||
7.10.0
|
||||
|
||||
- Add option to disable HTTPS on nginx to support proxied SSL (Stan Hu) 455b15a63e428c294b115438469705678a26493d
|
||||
|
||||
7.9.0
|
||||
|
||||
- Restart nginx instead of issuing a HUP signal changes so that changes in listen_address work (Stan Hu) 428ee157c346f3f0eae53762b51145502b1456a6
|
||||
|
|
|
@ -145,6 +145,27 @@ something else. For example, to use port 8080:
|
|||
nginx['listen_port'] = 8080
|
||||
```
|
||||
|
||||
## Supporting proxied SSL
|
||||
|
||||
By default NGINX will auto-detect whether to use SSL if `external_url`
|
||||
contains `https://`. If you are running GitLab behind a reverse proxy, you
|
||||
may wish to keep the `external_url` as an HTTPS address but communicate with
|
||||
the GitLab NGINX internally over HTTP. To do this, you can disable HTTPS using
|
||||
the `listen_https` option:
|
||||
|
||||
```ruby
|
||||
nginx['listen_https'] = false
|
||||
```
|
||||
|
||||
Note that you may need to configure your reverse proxy to forward certain
|
||||
headers (e.g. `Host`, `X-Forwarded-Ssl'`, `X-Forwarded-For``) to GitLab. You
|
||||
may see improper redirections or errors (e.g. "422 Unprocessable Entity",
|
||||
"Can't verify CSRF token authenticity") if you forget this step. For more
|
||||
information, see:
|
||||
|
||||
http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
|
||||
https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
|
||||
|
||||
## Inserting custom NGINX settings into the GitLab server block
|
||||
|
||||
If you need to add custom settings into the NGINX `server` block for GitLab for
|
||||
|
|
|
@ -342,6 +342,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
# nginx['listen_addresses'] = ['*']
|
||||
# nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
|
||||
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
|
||||
# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
|
||||
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
|
||||
|
||||
|
|
|
@ -300,6 +300,7 @@ default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"
|
|||
default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
default['gitlab']['nginx']['listen_addresses'] = ['*']
|
||||
default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
|
||||
default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
|
||||
default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
|
||||
default['gitlab']['nginx']['custom_nginx_config'] = nil
|
||||
|
||||
|
|
|
@ -51,6 +51,12 @@ if nginx_vars['listen_port'].nil?
|
|||
nginx_vars['listen_port'] = gitlab_port
|
||||
end
|
||||
|
||||
if nginx_vars['listen_https'].nil?
|
||||
nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
|
||||
else
|
||||
nginx_vars['https'] = nginx_vars['listen_https']
|
||||
end
|
||||
|
||||
template nginx_vars[:gitlab_http_config] do
|
||||
source "nginx-gitlab-http.conf.erb"
|
||||
owner "root"
|
||||
|
@ -59,7 +65,6 @@ template nginx_vars[:gitlab_http_config] do
|
|||
variables(nginx_vars.merge(
|
||||
{
|
||||
:fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
|
||||
:https => node['gitlab']['gitlab-rails']['gitlab_https'],
|
||||
:socket => node['gitlab']['unicorn']['socket'],
|
||||
:port => gitlab_port
|
||||
}
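Review bot: The `else` branch in the first hunk lets `nginx['listen_https'] = false` render a cleartext listener, but nothing checks that setting against `listen_addresses`, which the attributes file in this commit still defaults to `['*']`. With that combination the HTTP port is reachable on every interface, so a client that connects to it directly skips the TLS-terminating proxy and can send its own `X-Forwarded-Ssl` / `X-Forwarded-For` values. I would add a warning next to the branch, e.g. `Chef::Log.warn("nginx listen_https is disabled while listen_addresses includes '*'; bind to the proxy-facing interface") if nginx_vars['https'] == false && Array(nginx_vars['listen_addresses']).include?('*')`, and state the same restriction in the comment on the `listen_https` default. The assignment also uses the string key `'https'` where the removed merge entry used `:https`; how `nginx_vars` is built is outside the hunk, so confirm the template still receives the value as `@https`.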
|
||||
|
|