include: - role.common.nginx nginx: servers: managed: gitlab.infra.opensuse.org.conf: config: - upstream gitlab: - server: unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab.socket fail_timeout=0 - upstream gitlab-workhorse: - server: unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab-workhorse.socket fail_timeout=0 - map $http_upgrade $connection_upgrade_gitlab_ssl: - default: upgrade - "''": close ## NGINX 'combined' log format with filtered query strings - log_format: >- gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"' ## Remove private_token from the request URI # In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&... - map $request_uri $gitlab_ssl_temp_request_uri_1: - default: $request_uri - ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$: '"$start$temp=[FILTERED]$rest"' ## Remove authenticity_token from the request URI # In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&... - map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2: - default: $gitlab_ssl_temp_request_uri_1 - ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$: '"$start$temp=[FILTERED]$rest"' ## Remove rss_token from the request URI # In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&... - map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri: - default: $gitlab_ssl_temp_request_uri_2 - ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$: '"$start$temp=[FILTERED]$rest"' ## A version of the referer without the query string - map $http_referer $gitlab_ssl_filtered_http_referer: - default: $http_referer - ~^(?.*)\?: $temp ## Redirects all HTTP traffic to the HTTPS host - server: - listen: '[::]:80 ipv6only=on default_server' - server_name: gitlab.infra.opensuse.org - server_tokens: 'off' - include: acme-challenge - location /: - return 301: https://$http_host$request_uri - access_log: /var/log/nginx/gitlab_access.log gitlab_ssl_access - error_log: /var/log/nginx/gitlab_error.log - server: - listen: '[::]:443 ipv6only=on ssl default_server' - server_name: gitlab.infra.opensuse.org - server_tokens: 'off' ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl_certificate: /etc/ssl/services/git.infra.opensuse.org/fullchain.pem - ssl_certificate_key: /etc/ssl/services/git.infra.opensuse.org/privkey.pem # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs - ssl_ciphers: >- # noqa 204 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' - ssl_protocols: - TLSv1.3 - ssl_prefer_server_ciphers: 'off' - ssl_session_cache: shared:SSL:10m - ssl_session_timeout: 1d ## [Optional] Enable HTTP Strict Transport Security - add_header: Strict-Transport-Security "max-age=31536000; includeSubDomains" - access_log: /var/log/nginx/gitlab_access.log gitlab_ssl_access - error_log: /var/log/nginx/gitlab_error.log - location /: - client_max_body_size: 0 - gzip: 'off' ## https://github.com/gitlabhq/gitlabhq/issues/694 ## Some requests take more than 30 seconds. - proxy_read_timeout: 300 - proxy_connect_timeout: 300 - proxy_redirect: 'off' - proxy_http_version: 1.1 - proxy_set_header: Host $http_host - proxy_set_header: X-Real-IP $remote_addr - proxy_set_header: X-Forwarded-Ssl on - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for - proxy_set_header: X-Forwarded-Proto $scheme - proxy_set_header: Upgrade $http_upgrade - proxy_set_header: Connection $connection_upgrade_gitlab_ssl - proxy_pass: http://gitlab-workhorse # display .txt job artifacts in the browser instead of downloading them # without the need for GitLab pages - location ~ .*\/raw\/(.*\.txt)$: - proxy_hide_header: Content-Disposition - proxy_hide_header: Content-Type - access_log: /var/log/nginx/gitlab_txt_access.log - add_header: >- Content-Disposition 'inline; "filename=$1"' - add_header: Content-Type text/plain - proxy_pass: http://gitlab-workhorse # display said artifacts immediately instead of having the user go through the "download instead" page - location ~ .*\/file\/(.*\.txt)$: - rewrite: ^(.*)/file/(.*)$ $1/raw/$2 - error_page: 404 /404.html - error_page: 422 /422.html - error_page: 500 /500.html - error_page: 502 /502.html - error_page: 503 /503.html - location ~ ^/(404|422|500|502|503)\.html$: - root: /srv/www/vhosts/gitlab-ce/public - internal enabled: True sshd_config: matches: gitlab: type: User: git options: AuthorizedKeysCommand: /usr/lib/gitlab/shell/bin/gitlab-shell-authorized-keys-check gitlab %u %k AuthorizedKeysCommandUser: gitlab