Merge branch 'acataluddi/gitlab-recipes-master'

302c41b0 · Achilleas Pipinellis · 9626e904 · 1d70fd7c · 302c41b0 · 302c41b0
Commit 302c41b0 authored 9 years ago by Achilleas Pipinellis
--- a/web-server/apache/gitlab-8.0-apache2.2.conf
+++ b/web-server/apache/gitlab-8.0-apache2.2.conf
+#This configuration has been tested on GitLab 8.0.0
+#Note this config assumes unicorn is listening on default port 8080 and gitlab-git-http-server is listening on port 8181.
+#To allow gitlab-git-http-server to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
+#gitlab_git_http_server_options="-listenUmask 0 -listenNetwork tcp -listenAddr localhost:8181 -authBackend http://127.0.0.1:8080"
+
+#Module dependencies
+#  mod_rewrite
+#  mod_proxy
+#  mod_proxy_http
+# HTTP Configuration
+<VirtualHost *:80>
+  ServerName gitlab.example.com
+  ServerSignature Off
+
+  ProxyPreserveHost On
+
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
+
+    # Ensure that encoded slashes are not decoded but left in their encoded state.
+    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+    #AllowEncodedSlashes NoDecode
+    <Location />
+        #Require all granted
+        Order deny,allow
+        Allow from all
+
+        #Allow forwarding to gitlab-git-http-server
+        ProxyPassReverse http://127.0.0.1:8181
+        #Allow forwarding to GitLab Rails app (Unicorn)
+        ProxyPassReverse http://127.0.0.1:8080
+        ProxyPassReverse http://gitlab.example.com/
+    </Location>
+
+  #apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
+  #Forward these requests to gitlab-git-http-server
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+
+  # needed for downloading attachments
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
+
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog  /var/log/httpd/logs/gitlab.example.com_error.log
+  CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/gitlab.example.com.log combined
+
+</VirtualHost>
--- a/web-server/apache/gitlab-8.0-ssl-apache2.2.conf
+++ b/web-server/apache/gitlab-8.0-ssl-apache2.2.conf
+#This configuration has been tested on GitLab 8.0.0
+#Note this config assumes unicorn is listening on default port 8080 and gitlab-git-http-server is listening on port 8181.
+#To allow gitlab-git-http-server to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
+#gitlab_git_http_server_options="-listenUmask 0 -listenNetwork tcp -listenAddr localhost:8181 -authBackend http://127.0.0.1:8080"
+
+#Module dependencies
+# mod_rewrite
+# mod_ssl
+# mod_proxy
+# mod_proxy_http
+# mod_headers
+
+# This section is only needed if you want to redirect http traffic to https.
+# You can live without it but clients will have to type in https:// to reach gitlab.
+<VirtualHost *:80>
+  ServerName gitlab.example.com
+  ServerSignature Off
+
+  RewriteEngine on
+  RewriteCond %{HTTPS} !=on
+  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+    SSLEngine on
+    #strong encryption ciphers only
+    #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
+    SSLProtocol all -SSLv2
+    SSLHonorCipherOrder on
+    SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+    Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+    SSLCompression Off
+    SSLCertificateFile    /etc/pki/tls/certs/gitlab.example.com.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/gitlab.example.com.key
+    SSLCACertificateFile  /etc/pki/tls/certs/gitlab.example.com.ca-bundle.crt
+
+    ServerName gitlab.example.com
+    ServerSignature Off
+
+    ProxyPreserveHost On
+
+    # Ensure that encoded slashes are not decoded but left in their encoded state.
+    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+    AllowEncodedSlashes NoDecode
+    <Location />
+        # New authorization commands for apache 2.4 and up
+        # http://httpd.apache.org/docs/2.4/upgrading.html#access
+        #Require all granted
+        Order deny,allow
+        Allow from all
+
+        #Allow forwarding to gitlab-git-http-server
+        ProxyPassReverse http://127.0.0.1:8181
+        #Allow forwarding to GitLab Rails app (Unicorn)
+        ProxyPassReverse http://127.0.0.1:8080
+        ProxyPassReverse http://gitlab.example.com/
+    </Location>
+
+    #apache equivalent of nginx try files
+    # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+    # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+    RewriteEngine on
+    #Forward these requests to gitlab-git-http-server
+    RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+    RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+    RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+    RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+    #Forward any other requests to GitLab Rails app (Unicorn)
+    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+    RewriteCond %{REQUEST_URI} ^/uploads
+    RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+    RequestHeader set X_FORWARDED_PROTO 'https'
+    RequestHeader set X-Forwarded-Ssl on
+
+    # needed for downloading attachments
+    DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+    #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+    ErrorDocument 404 /404.html
+    ErrorDocument 422 /422.html
+    ErrorDocument 500 /500.html
+    ErrorDocument 503 /deploy.html
+
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+    ErrorLog /var/log/httpd/logs/gitlab.example.com_error.log
+    CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded
+    CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog
+    CustomLog /var/log/httpd/logs/gitlab.example.com.log combined
+
+</VirtualHost>