Merge branch 'compile-real-ip-module' into 'master'

Compile nginx using the real-ip module

Fixes https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1153

See merge request !709

CHANGELOG.md

@@ -5,6 +5,7 @@ omnibus-gitlab repository.
 
 8.7.0
 
+- Compile NGINX with the real_ip module and add configuration options
 - Support the ability to change mattermost UID and GID
 - Updated libicu to 56.1 4de944d9
 - Updated liblzma to 5.2.2 4de944d9

config/software/nginx.rb

@@ -34,6 +34,7 @@ build do
            "--with-http_stub_status_module",
            "--with-http_gzip_static_module",
            "--with-http_v2_module",
+           "--with-http_realip_module",
            "--with-ipv6",
            "--with-debug",
            "--with-ld-opt=-L#{install_dir}/embedded/lib",

doc/settings/nginx.md

@@ -114,6 +114,30 @@ for the changes to take effect.
 
 This way you can specify any header supported by NGINX you require.
 
+## Configuring the `real_ip` module
+
+By default, NGINX will use the IP address of the connected client in the logs.
+
+If your GitLab is behind a reverse proxy, you may not want the IP address of
+the proxy to show up as the client address.
+
+You can have NGINX look for a different address to use by adding your reverse
+proxy to the `real_ip_trusted_addresses` list:
+
+```ruby
+# Each address is added to the the NGINX config as 'set_real_ip_from <address>;'
+nginx['real_ip_trusted_addresses'] = [ '192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]
+# other real_ip config options
+nginx['real_ip_header'] = 'X-Real-IP'
+nginx['real_ip_recursive'] = 'on'
+```
+
+Description of the options:
+* http://nginx.org/en/docs/http/ngx_http_realip_module.html
+
+Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
+for the changes to take effect.
+
 ## Configuring HTTP2 protocol
 
 By default, when you specify that your Gitlab instance should be reachable

files/gitlab-config-template/gitlab.rb.template

@@ -494,6 +494,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 # nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
 # nginx['proxy_cache'] = 'gitlab'
 # nginx['http2_enabled'] = true
+# nginx['real_ip_trusted_addresses'] = []
+# nginx['real_ip_header'] = nil
+# nginx['real_ip_recursive'] = nil
 
 ## Advanced settings
 # nginx['dir'] = "/var/opt/gitlab/nginx"
@@ -727,6 +730,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 # mattermost_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
 # mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
 # mattermost_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
+# mattermost_nginx['real_ip_trusted_addresses'] = []
+# mattermost_nginx['real_ip_header'] = nil
+# mattermost_nginx['real_ip_recursive'] = nil
 
 ## Advanced settings
 # mattermost_nginx['dir'] = "/var/opt/gitlab/nginx"

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -463,6 +463,10 @@ default['gitlab']['nginx']['http2_enabled'] = true
 default['gitlab']['nginx']['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
 # Set to 'off' to disable proxy caching.
 default['gitlab']['nginx']['proxy_cache'] = 'gitlab'
+# Config for the http_realip_module http://nginx.org/en/docs/http/ngx_http_realip_module.html
+default['gitlab']['nginx']['real_ip_trusted_addresses'] = [] # Each entry creates a set_real_ip_from directive
+default['gitlab']['nginx']['real_ip_header'] = nil
+default['gitlab']['nginx']['real_ip_recursive'] = nil
 
 
 ###

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -86,6 +86,18 @@ server {
   <% end %>
   <% end %>
 
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+
   ## Individual nginx logs for this GitLab vhost
   access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
   error_log   <%= @log_directory %>/gitlab_error.log;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb

@@ -48,6 +48,18 @@ server {
   <% end %>
   <% end %>
 
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+
   access_log  <%= @log_directory %>/gitlab_mattermost_access.log gitlab_mattermost_access;
   error_log   <%= @log_directory %>/gitlab_mattermost_error.log;