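include:
  - role.common.nginx

# Salt pillar for the nginx vhost in front of the GitLab instance.
# Layout follows the nginx formula: servers.managed.<file>.config is an
# ordered list of directives; a nested list becomes an nginx block.
nginx:
  servers:
    managed:
      gitlab.infra.opensuse.org.conf:
        config:
          # Both upstreams are local unix sockets; nothing here is reachable over TCP.
          - upstream gitlab:
              - server: unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab.socket fail_timeout=0
          - upstream gitlab-workhorse:
              - server: unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab-workhorse.socket fail_timeout=0
          # WebSocket pass-through: send "Connection: upgrade" only when the client
          # actually asked for an upgrade, otherwise "close".
          - map $http_upgrade $connection_upgrade_gitlab_ssl:
              - default: upgrade
              - "''": close
          ## NGINX 'combined' log format with filtered query strings
          # The $gitlab_ssl_filtered_* variables built by the maps below are what
          # keeps API/feed tokens out of the access log. Every access_log in this
          # vhost must name this format: an access_log without a format name falls
          # back to nginx's built-in 'combined', which logs $request with the
          # unfiltered query string.
          - log_format: >-
              gitlab_ssl_access
              '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri
              $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'
          ## Remove private_token from the request URI
          # In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&feed_token=unfiltered&...
          # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
          - map $request_uri $gitlab_ssl_temp_request_uri_1:
              - default: $request_uri
              - ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'
          ## Remove authenticity_token from the request URI
          # In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
          # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
          - map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2:
              - default: $gitlab_ssl_temp_request_uri_1
              - ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'
          ## Remove feed_token from the request URI
          # NOTE(review): only feed_token / feed-token is matched. The legacy
          # rss_token parameter name is not filtered by any map in this file;
          # confirm whether this GitLab version still accepts it before relying
          # on these logs being token-free.
          # In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
          # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=[FILTERED]&...
          - map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri:
              - default: $gitlab_ssl_temp_request_uri_2
              - ~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'
          ## A version of the referer without the query string
          # Referers are cut at the first '?' so tokens carried in a referer's
          # query string never reach the log either.
          - map $http_referer $gitlab_ssl_filtered_http_referer:
              - default: $http_referer
              - ~^(?<temp>.*)\?: $temp
          ## Redirects all HTTP traffic to the HTTPS host
          # NOTE(review): only an IPv6 listener is declared (ipv6only=on, no
          # 0.0.0.0:80 here); IPv4 reachability, if required, has to come from
          # elsewhere (e.g. role.common.nginx) - confirm.
          - server:
              - listen: '[::]:80 ipv6only=on default_server'
              - server_name: gitlab.infra.opensuse.org
              - server_tokens: 'off'
              # ACME http-01 challenges must stay reachable over plain HTTP, so the
              # include is placed before the catch-all redirect.
              - include: acme-challenge
              - location /:
                  # NOTE(review): $http_host is the client-supplied Host header and
                  # this is the default_server, so a request carrying a foreign Host
                  # is redirected to that host. Redirecting to
                  # https://$server_name$request_uri pins the target to the canonical
                  # name; consider it unless other hostnames must survive the redirect.
                  - return 301: https://$http_host$request_uri
              - access_log: /var/log/nginx/gitlab_access.log gitlab_ssl_access
              - error_log: /var/log/nginx/gitlab_error.log
          - server:
              - listen: '[::]:443 ipv6only=on ssl default_server'
              - server_name: gitlab.infra.opensuse.org
              - server_tokens: 'off'
              ## Strong SSL Security
              ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
              # NOTE(review): the certificate directory is named after
              # git.infra.opensuse.org while server_name is gitlab.infra.opensuse.org;
              # this only works if that certificate carries gitlab.infra.opensuse.org
              # as a SAN - confirm.
              - ssl_certificate: /etc/ssl/services/git.infra.opensuse.org/fullchain.pem
              - ssl_certificate_key: /etc/ssl/services/git.infra.opensuse.org/privkey.pem
              # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
              # NOTE(review): with ssl_protocols restricted to TLSv1.3 below this list
              # is effectively unused - in nginx/OpenSSL ssl_ciphers only governs
              # TLS 1.2 and older; TLS 1.3 suites are configured separately
              # (ssl_conf_command Ciphersuites). Keep it only if TLSv1.2 may be
              # re-enabled; otherwise drop it together with the comment above.
              - ssl_ciphers: >- # noqa 204
                  'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
              # TLS 1.3 only: clients without TLS 1.3 support fail the handshake.
              - ssl_protocols:
                  - TLSv1.3
              - ssl_prefer_server_ciphers: 'off'
              - ssl_session_cache: shared:SSL:10m
              - ssl_session_timeout: 1d
              ## [Optional] Enable HTTP Strict Transport Security
              # add_header is not inherited by a location that declares its own
              # add_header directives, so such locations below repeat this line.
              # Without "always" the header is attached to 2xx/3xx responses only.
              - add_header: Strict-Transport-Security "max-age=31536000; includeSubDomains"
              - access_log: /var/log/nginx/gitlab_access.log gitlab_ssl_access
              - error_log: /var/log/nginx/gitlab_error.log
              - location /:
                  # 0 disables nginx's request body limit: pushes and uploads are
                  # bounded only by whatever GitLab itself enforces.
                  - client_max_body_size: 0
                  - gzip: 'off'
                  ## https://github.com/gitlabhq/gitlabhq/issues/694
                  ## Some requests take more than 30 seconds.
                  - proxy_read_timeout: 300
                  - proxy_connect_timeout: 300
                  - proxy_redirect: 'off'
                  # HTTP/1.1 is required for the Upgrade/Connection headers below.
                  - proxy_http_version: 1.1
                  - proxy_set_header: Host $http_host
                  - proxy_set_header: X-Real-IP $remote_addr
                  - proxy_set_header: X-Forwarded-Ssl on
                  # NOTE(review): $proxy_add_x_forwarded_for appends $remote_addr to
                  # any X-Forwarded-For the client sent, so the upstream must treat
                  # only the last entry (this nginx) as trustworthy; X-Real-IP is the
                  # unforgeable value.
                  - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
                  - proxy_set_header: X-Forwarded-Proto $scheme
                  - proxy_set_header: Upgrade $http_upgrade
                  - proxy_set_header: Connection $connection_upgrade_gitlab_ssl
                  - proxy_pass: http://gitlab-workhorse
              # display .txt job artifacts in the browser instead of downloading them
              # without the need for GitLab pages
              # NOTE(review): the pattern matches any URI containing /raw/ and ending
              # in .txt, not only artifact URLs (repository raw files qualify too).
              # Forcing Content-Type to text/plain is what makes dropping the
              # upstream Content-Disposition acceptable: the body is never rendered
              # as HTML.
              - location ~ .*\/raw\/(.*\.txt)$:
                  - proxy_hide_header: Content-Disposition
                  - proxy_hide_header: Content-Type
                  # Same filtered format as the main log. Raw-file URLs are exactly
                  # where ?private_token=... appears, and without a format name nginx
                  # would use 'combined' and log the token verbatim.
                  - access_log: /var/log/nginx/gitlab_txt_access.log gitlab_ssl_access
                  # RFC 6266 form: the quotes belong around the value, not around
                  # "filename=...". $1 is the path captured by the location regex and
                  # is inserted unescaped; it may contain '/' segments and, presumably,
                  # a '"' from a %22 in the request - browsers sanitize, but verify
                  # if the filename is ever relied upon.
                  - add_header: >-
                      Content-Disposition 'inline; filename="$1"'
                  - add_header: Content-Type text/plain
                  # Repeated because the add_header directives in this location stop
                  # inheritance of the server-level HSTS header.
                  - add_header: Strict-Transport-Security "max-age=31536000; includeSubDomains"
                  - proxy_pass: http://gitlab-workhorse
              # display said artifacts immediately instead of having the user go through the "download instead" page
              # The rewrite has no flag: once the URI changes nginx restarts location
              # matching and the /raw/ location above serves the request.
              - location ~ .*\/file\/(.*\.txt)$:
                  - rewrite: ^(.*)/file/(.*)$ $1/raw/$2
              - error_page: 404 /404.html
              - error_page: 422 /422.html
              - error_page: 500 /500.html
              - error_page: 502 /502.html
              - error_page: 503 /503.html
              # Static error pages from the GitLab checkout; "internal" makes them
              # reachable only through error_page, never by direct request.
              - location ~ ^/(404|422|500|502|503)\.html$:
                  - root: /srv/www/vhosts/gitlab-ce/public
                  - internal
        enabled: True

# sshd Match block for the git user: keys are resolved through gitlab-shell
# (AuthorizedKeysCommand, run as the unprivileged 'gitlab' user) instead of a
# static authorized_keys file.
# NOTE(review): this only sets the key lookup; whether password and other
# authentication methods are disabled for 'git' is decided by the global
# sshd_config, which is not part of this pillar - confirm.
sshd_config:
  matches:
    gitlab:
      type:
        User: git
      options:
        AuthorizedKeysCommand: /usr/lib/gitlab/shell/bin/gitlab-shell-authorized-keys-check gitlab %u %k
        AuthorizedKeysCommandUser: gitlab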