Merge branch 'master' into mmonaco/gitlab-ce-api-user-noconfirm

Conflicts: lib/api/users.rb
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-02-27 13:01:57 -0800
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2015-02-27 13:01:57 -0800
commit: 0d22b75b03496ced3d783f8fee9584098602ea1c (patch)
tree: c7ddec6072c716fd63a8703f2dfeb0e4234a633f /lib/support/nginx/gitlab-ssl
parent: 5f682094d9b7c985ad62ebe29664bb6fe87b54be (diff)
parent: d4aab6528cb80b0f41bdac2240dd9cc32543481d (diff)
download: gitlab-ce-0d22b75b03496ced3d783f8fee9584098602ea1c.tar.gz
1 files changed, 46 insertions, 16 deletions
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index cbb198086b5..a9699bac611 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -1,5 +1,5 @@
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller, DouweM
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
@@ -26,9 +26,8 @@
 ## [1] https://github.com/agentzh/chunkin-nginx-module#status
 ## [2] https://github.com/agentzh/chunkin-nginx-module
 ##
-##
 ###################################
-##        SSL configuration      ##
+##         configuration         ##
 ###################################
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
@@ -37,22 +36,24 @@ upstream gitlab {
   server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
-## Normal HTTP host
+## Redirects all HTTP traffic to the HTTPS host
 server {
-  listen *:80 default_server;
+  listen 0.0.0.0:80;
+  listen [::]:80 ipv6only=on default_server;
   server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
   server_tokens off; ## Don't show the nginx version number, a security best practice
-
-  ## Redirects all traffic to the HTTPS host
-  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
-  rewrite ^ https://$server_name$request_uri? permanent;
+  return 301 https://$server_name$request_uri;
+  access_log  /var/log/nginx/gitlab_access.log;
+  error_log   /var/log/nginx/gitlab_error.log;
 }
 
+
 ## HTTPS host
 server {
-  listen 443 ssl;
+  listen 0.0.0.0:443 ssl;
+  listen [::]:443 ipv6only=on ssl default_server;
   server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
-  server_tokens off;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
   root /home/git/gitlab/public;
 
   ## Increase this if you want to upload large attachments
@@ -70,12 +71,9 @@ server {
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
 
-  ## [WARNING] The following header states that the browser should only communicate
-  ## with your server over a secure connection for the next 24 months.
-  add_header Strict-Transport-Security max-age=63072000;
-  add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
+  ## See app/controllers/application_controller.rb for headers set
 
   ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
   ## Replace with your ssl_trusted_certificate. For more info see:
@@ -103,6 +101,38 @@ server {
     try_files $uri $uri/index.html $uri.html @gitlab;
   }
 
+  ## We route uploads through GitLab to prevent XSS and enforce access control.
+  location /uploads/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
+
+    proxy_pass http://gitlab;
+  }
+
+  ## If ``go get`` detected, return go-import meta tag.
+  ## This works for public and for private repositories.
+  ## See also http://golang.org/cmd/go/#hdr-Remote_import_paths
+  if ($http_user_agent ~* "Go") {
+    return 200 "
+      <!DOCTYPE html>
+      <head><meta content='$host$uri git $scheme://$host$uri.git' name='go-import'></head>
+      </html>";
+  }
+
   ## If a file, which is not found in the root folder is requested,
   ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2015-02-27 13:01:57 -0800
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2015-02-27 13:01:57 -0800
commit	0d22b75b03496ced3d783f8fee9584098602ea1c (patch)
tree	c7ddec6072c716fd63a8703f2dfeb0e4234a633f /lib/support/nginx/gitlab-ssl
parent	5f682094d9b7c985ad62ebe29664bb6fe87b54be (diff)
parent	d4aab6528cb80b0f41bdac2240dd9cc32543481d (diff)
download	gitlab-ce-0d22b75b03496ced3d783f8fee9584098602ea1c.tar.gz