Experimental support for gitlab-git-http-server

https://gitlab.com/gitlab-org/gitlab-git-http-server

This change introduces the GITLAB_GRACK_AUTH_ONLY environment
variable. When set, Grack requests to GitLab will only respond with
the user's GL_ID (if the request is OK) or an error. This allows
gitlab-git-http-server to use the main GitLab application as an
authentication and authorization backend.

If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY
variable at some point in the future.

2 files changed, 50 insertions, 0 deletions

diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index edb987875df..efa0898900f 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -38,6 +38,11 @@ upstream gitlab {
   server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
+## Experimental: gitlab-git-http-server
+# upstream gitlab-git-http-server {
+#   server localhost:8181;
+# }
+
 ## Normal HTTP host
 server {
   ## Either remove "default_server" from the listen line below, 
@@ -109,6 +114,26 @@ server {
     proxy_pass http://gitlab;
   }
 
+  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
+  # location ~ [-\/\w\.]+\.git\/ {
+  #   ## If you use HTTPS make sure you disable gzip compression
+  #   ## to be safe against BREACH attack.
+  #   # gzip off;
+
+  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
+  #   ## Some requests take more than 30 seconds.
+  #   proxy_read_timeout      300;
+  #   proxy_connect_timeout   300;
+  #   proxy_redirect          off;
+
+  #   proxy_set_header    Host                $http_host;
+  #   proxy_set_header    X-Real-IP           $remote_addr;
+  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  #   proxy_set_header    X-Forwarded-Proto   $scheme;
+
+  #   proxy_pass http://gitlab-git-http-server;
+  # }
+
   ## Enable gzip compression as per rails guide:
   ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
   ## WARNING: If you are using relative urls remove the block below
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 766559b49f6..314525518f1 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -42,6 +42,11 @@ upstream gitlab {
   server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
+## Experimental: gitlab-git-http-server
+# upstream gitlab-git-http-server {
+#   server localhost:8181;
+# }
+
 ## Redirects all HTTP traffic to the HTTPS host
 server {
   ## Either remove "default_server" from the listen line below, 
@@ -156,6 +161,26 @@ server {
     proxy_pass http://gitlab;
   }
 
+  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
+  # location ~ [-\/\w\.]+\.git\/ {
+  #   ## If you use HTTPS make sure you disable gzip compression
+  #   ## to be safe against BREACH attack.
+  #   gzip off;
+
+  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
+  #   ## Some requests take more than 30 seconds.
+  #   proxy_read_timeout      300;
+  #   proxy_connect_timeout   300;
+  #   proxy_redirect          off;
+
+  #   proxy_set_header    Host                $http_host;
+  #   proxy_set_header    X-Real-IP           $remote_addr;
+  #   proxy_set_header    X-Forwarded-Ssl     on;
+  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  #   proxy_set_header    X-Forwarded-Proto   $scheme;
+  #   proxy_pass http://gitlab-git-http-server;
+  # }
+
   ## Enable gzip compression as per rails guide:
   ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
   ## WARNING: If you are using relative urls remove the block below