## GitLab ## Contributors: randx, yin8086, sashkab, orkoden, axilleas ## ## Modified from nginx http version ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ## ## Lines starting with two hashes (##) are comments with information. ## Lines starting with one hash (#) are configuration parameters. ## The last category can be commented/uncommented to your liking. ## ################################## ## CHUNKED TRANSFER ## ################################## ## ## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] ## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object ## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get ## around this by tweaking this configuration file and either: ## - installing an old version of Nginx with the chunkin module [2] compiled in, or ## - using a newer version of Nginx. ## ## At the time of writing we do not know if either of these theoretical solutions works. As a workaround ## users can use Git over SSH to push large files. ## ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 ## [1] https://github.com/agentzh/chunkin-nginx-module#status ## [2] https://github.com/agentzh/chunkin-nginx-module ## ################################### ## SSL file editing ## ################################### ## ## Edit `gitlab-shell/config.yml`: ## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` ## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` ## 3) Set "self_signed_cert" to `true` ## Edit `gitlab/config/gitlab.yml`: ## 1) Define port for http "port: 443" ## 2) Enable https "https: true" ## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" ## ################################### ## SSL configuration ## ################################### ## upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; } ## This is a normal HTTP host which redirects all traffic to the HTTPS host. server { listen *:80 default_server; server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice root /nowhere; ## root doesn't have to be a valid path since we are redirecting rewrite ^ https://$server_name$request_uri permanent; } server { listen 443 ssl; server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com server_tokens off; root /home/git/gitlab/public; ## Increase this if you want to upload large attachments ## Or if you want to accept large git objects over http client_max_body_size 20m; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl on; ssl_certificate /etc/nginx/ssl/gitlab.crt; ssl_certificate_key /etc/nginx/ssl/gitlab.key; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; location / { ## Serve static files from defined root folder. ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @gitlab; } ## If a file, which is not found in the root folder is requested, ## then the proxy pass the request to the upsteam (gitlab unicorn). location @gitlab { ## If you use https make sure you disable gzip compression ## to be safe against BREACH attack. gzip off; ## https://github.com/gitlabhq/gitlabhq/issues/694 ## Some requests take more than 30 seconds. proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## WARNING: If you are using relative urls do remove the block below ## See config/application.rb under "Relative url support" for the list of ## other files that need to be changed for relative url support location ~ ^/(assets)/ { root /home/git/gitlab/public; gzip_static on; # to serve pre-gzipped version expires max; add_header Cache-Control public; } error_page 502 /502.html; }