Merge branch 'compile-real-ip-module' into 'master'
Compile nginx using the real-ip module
Fixes https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1153
See merge request !709
commit
b4830b90dd
|
@ -5,6 +5,7 @@ omnibus-gitlab repository.
|
|||
|
||||
8.7.0
|
||||
|
||||
- Compile NGINX with the real_ip module and add configuration options
|
||||
- Support the ability to change mattermost UID and GID
|
||||
- Updated libicu to 56.1 4de944d9
|
||||
- Updated liblzma to 5.2.2 4de944d9
|
||||
|
|
|
@ -34,6 +34,7 @@ build do
|
|||
"--with-http_stub_status_module",
|
||||
"--with-http_gzip_static_module",
|
||||
"--with-http_v2_module",
|
||||
"--with-http_realip_module",
|
||||
"--with-ipv6",
|
||||
"--with-debug",
|
||||
"--with-ld-opt=-L#{install_dir}/embedded/lib",
|
||||
|
|
|
@ -114,6 +114,30 @@ for the changes to take effect.
|
|||
|
||||
This way you can specify any header supported by NGINX you require.
|
||||
|
||||
## Configuring the `real_ip` module
|
||||
|
||||
By default, NGINX will use the IP address of the connected client in the logs.
|
||||
|
||||
If your GitLab is behind a reverse proxy, you may not want the IP address of
|
||||
the proxy to show up as the client address.
|
||||
|
||||
You can have NGINX look for a different address to use by adding your reverse
|
||||
proxy to the `real_ip_trusted_addresses` list:
|
||||
|
||||
```ruby
|
||||
# Each address is added to the the NGINX config as 'set_real_ip_from <address>;'
|
||||
nginx['real_ip_trusted_addresses'] = [ '192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]
|
||||
# other real_ip config options
|
||||
nginx['real_ip_header'] = 'X-Real-IP'
|
||||
nginx['real_ip_recursive'] = 'on'
|
||||
```
|
||||
|
||||
Description of the options:
|
||||
* http://nginx.org/en/docs/http/ngx_http_realip_module.html
|
||||
|
||||
Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
|
||||
for the changes to take effect.
|
||||
|
||||
## Configuring HTTP2 protocol
|
||||
|
||||
By default, when you specify that your Gitlab instance should be reachable
|
||||
|
|
|
@ -494,6 +494,9 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
|
||||
# nginx['proxy_cache'] = 'gitlab'
|
||||
# nginx['http2_enabled'] = true
|
||||
# nginx['real_ip_trusted_addresses'] = []
|
||||
# nginx['real_ip_header'] = nil
|
||||
# nginx['real_ip_recursive'] = nil
|
||||
|
||||
## Advanced settings
|
||||
# nginx['dir'] = "/var/opt/gitlab/nginx"
|
||||
|
@ -727,6 +730,9 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# mattermost_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
|
||||
# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
|
||||
# mattermost_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
|
||||
# mattermost_nginx['real_ip_trusted_addresses'] = []
|
||||
# mattermost_nginx['real_ip_header'] = nil
|
||||
# mattermost_nginx['real_ip_recursive'] = nil
|
||||
|
||||
## Advanced settings
|
||||
# mattermost_nginx['dir'] = "/var/opt/gitlab/nginx"
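Review bot: The new commented `real_ip_*` settings give no hint that every entry in `real_ip_trusted_addresses` is allowed to replace the client address NGINX records, so a range wider than the actual reverse proxies lets any host inside it supply the logged client IP through the configured header. I would add a comment above both groups (this hunk and the `nginx[...]` one at -494), for example `# List only your reverse proxies: these addresses may override the client IP via real_ip_header`. It would also help to show the accepted form of `real_ip_recursive`, since the neighbouring `http2_enabled` takes a Ruby boolean while this value appears to be written into the NGINX config as-is: `# nginx['real_ip_recursive'] = nil # 'on' or 'off'`.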
|
||||
|
|
|
@ -463,6 +463,10 @@ default['gitlab']['nginx']['http2_enabled'] = true
|
|||
default['gitlab']['nginx']['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
|
||||
# Set to 'off' to disable proxy caching.
|
||||
default['gitlab']['nginx']['proxy_cache'] = 'gitlab'
|
||||
# Config for the http_realip_module http://nginx.org/en/docs/http/ngx_http_realip_module.html
|
||||
default['gitlab']['nginx']['real_ip_trusted_addresses'] = [] # Each entry creates a set_real_ip_from directive
|
||||
default['gitlab']['nginx']['real_ip_header'] = nil
|
||||
default['gitlab']['nginx']['real_ip_recursive'] = nil
|
||||
|
||||
|
||||
###
|
||||
|
|
|
@ -86,6 +86,18 @@ server {
|
|||
<% end %>
|
||||
<% end %>
|
||||
|
||||
## Real IP Module Config
|
||||
## http://nginx.org/en/docs/http/ngx_http_realip_module.html
|
||||
<% if @real_ip_header %>
|
||||
real_ip_header <%= @real_ip_header %>;
|
||||
<% end %>
|
||||
<% if @real_ip_recursive %>
|
||||
real_ip_recursive <%= @real_ip_recursive %>;
|
||||
<% end %>
|
||||
<% @real_ip_trusted_addresses.each do |trusted_address| %>
|
||||
set_real_ip_from <%= trusted_address %>;
|
||||
<% end %>
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
access_log <%= @log_directory %>/gitlab_access.log gitlab_access;
|
||||
error_log <%= @log_directory %>/gitlab_error.log;
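Review bot: `real_ip_recursive <%= @real_ip_recursive %>;` emits the attribute verbatim, so a Ruby `true` (the form `http2_enabled` uses in gitlab.rb) renders `real_ip_recursive true;`, which NGINX rejects because the directive accepts only `on` or `off`. Either map booleans in the template or validate the value before rendering. `@real_ip_trusted_addresses.each` also raises if the setting is overridden with `nil` or a single string; `<% Array(@real_ip_trusted_addresses).each do |trusted_address| %>` would tolerate both. The same three directives are repeated in the Mattermost template hunk at -48, so the point applies there too. The `server` block opens and closes outside this hunk.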
|
||||
|
|
|
@ -48,6 +48,18 @@ server {
|
|||
<% end %>
|
||||
<% end %>
|
||||
|
||||
## Real IP Module Config
|
||||
## http://nginx.org/en/docs/http/ngx_http_realip_module.html
|
||||
<% if @real_ip_header %>
|
||||
real_ip_header <%= @real_ip_header %>;
|
||||
<% end %>
|
||||
<% if @real_ip_recursive %>
|
||||
real_ip_recursive <%= @real_ip_recursive %>;
|
||||
<% end %>
|
||||
<% @real_ip_trusted_addresses.each do |trusted_address| %>
|
||||
set_real_ip_from <%= trusted_address %>;
|
||||
<% end %>
|
||||
|
||||
access_log <%= @log_directory %>/gitlab_mattermost_access.log gitlab_mattermost_access;
|
||||
error_log <%= @log_directory %>/gitlab_mattermost_error.log;
|
||||
|
||||
|
|