Commit b2ce3828 authored by Carlo Landmeter's avatar Carlo Landmeter

nginx: use upstream config with changes

parent f5b8daff
--- ./lib/support/nginx/gitlab
+++ ./lib/support/nginx/gitlab
@@ -19,7 +19,8 @@
upstream gitlab-workhorse {
# GitLab socket file,
# for Omnibus this would be: unix:/var/opt/gitlab/gitlab-workhorse/socket
- server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
+ # server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
+ server localhost:8181 fail_timeout=0;
}
map $http_upgrade $connection_upgrade_gitlab {
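Review bot: `server localhost:8181 fail_timeout=0;` makes nginx resolve the name when the config is loaded, and where `localhost` maps to both 127.0.0.1 and ::1 it registers two upstream peers. If gitlab-workhorse listens on IPv4 only (not visible from this hunk), connections to the ::1 peer are refused and retried, which shows up as spurious upstream errors in the log. Writing the address out, `server 127.0.0.1:8181 fail_timeout=0;`, avoids that. A loopback TCP port is also reachable by every local process, whereas the replaced unix socket could be limited by file permissions, so a one-line comment saying why TCP is used here would help.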
@@ -68,21 +69,27 @@ server {
## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
listen 0.0.0.0:80 default_server;
listen [::]:80 default_server;
- server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
+ # server_name YOUR_SERVER_FQDN; ## Replacdde this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
+ access_log /dev/stdout;
+ error_log /dev/stdout;
## See app/controllers/application_controller.rb for headers set
## Real IP Module Config
## http://nginx.org/en/docs/http/ngx_http_realip_module.html
- real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+ real_ip_header X-Forwarded-For; ## X-Real-IP or X-Forwarded-For or proxy_protocol
real_ip_recursive off; ## If you enable 'on'
## If you have a trusted IP address, uncomment it and set it
# set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ real_ip_recursive on;
## Individual nginx logs for this GitLab vhost
- access_log /var/log/nginx/gitlab_access.log gitlab_access;
- error_log /var/log/nginx/gitlab_error.log;
+ # access_log /var/log/nginx/gitlab_access.log gitlab_access;
+ # error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
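Review bot: The added `real_ip_recursive on;` lands in the same `server` block as the unchanged context line `real_ip_recursive off;`, and nginx rejects a flag directive set twice in one context, so the patched file would likely fail `nginx -t` with a "directive is duplicate" error. Change the existing line to `on` or comment it out rather than adding a second one. Separately, `set_real_ip_from` now trusts all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for `X-Forwarded-For`, so any peer in private address space that can reach port 80 directly can choose the client IP recorded in access logs and used by any IP-based throttling or audit trail downstream. Narrowing these to the actual reverse-proxy address or subnet, with a comment such as `## trust only the fronting proxy/ingress; narrow to its subnet`, keeps the header meaningful. The `server` block continues past the end of the hunk.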
......@@ -47,6 +47,10 @@ install_conf() {
install -Dm644 /home/git/gitlab/lib/support/logrotate/gitlab \
/etc/gitlab/logrotate/gitlab
fi
if [ ! -f "/etc/gitlab/nginx/conf.d/default.conf" ]; then
install -Dm644 /home/git/gitlab/lib/support/nginx/gitlab \
/etc/gitlab/nginx/conf.d/default.conf
fi
}
link_config() {
......@@ -108,60 +112,6 @@ redis_conf() {
EOF
}
nginx_config() {
mkdir -p /etc/gitlab/nginx/conf.d
cat <<- EOF > /etc/gitlab/nginx/conf.d/default.conf
upstream gitlab-workhorse {
server localhost:8181 fail_timeout=0;
}
map \$http_upgrade \$connection_upgrade_gitlab {
default upgrade;
'' close;
}
server {
listen 0.0.0.0:80 default_server;
listen [::]:80 default_server;
server_tokens off;
access_log /dev/stdout;
location / {
client_max_body_size 0;
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host \$http_host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$connection_upgrade_gitlab;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 422 /422.html;
error_page 500 /500.html;
error_page 502 /502.html;
error_page 503 /503.html;
location ~ ^/(404|422|500|502|503)\.html$ {
root /var/www/gitlab/public;
internal;
}
}
EOF
}
setup_ssh() {
echo "Creating ssh keys..."
local keytype
......@@ -216,7 +166,6 @@ setup() {
create_db
postgres_conf
redis_conf
nginx_config
install_conf
setup_ssh
prepare_dirs
......@@ -86,6 +86,7 @@ patch -p0 -i /tmp/gitlab/disable-check-gitaly.patch
patch -p0 -i /tmp/gitlab/unicorn-log-to-stdout.patch
patch -p0 -i /tmp/gitlab/puma-no-redirect.patch
patch -p0 -i /tmp/logrotate/logrotate-defaults.patch
patch -p0 -i /tmp/nginx/nginx-config.patch
# temporary symlink the example configs to make setup happy
for config in gitlab.yml.example database.yml.postgresql; do