Merge branch 'nginx-support-ssl-reverse-proxy' into 'master'

Support proxied SSL This MR makes it possible to proxy SSL by disabling HTTPS on the GitLab nginx server. This is used to support the use case where a reverse proxy handles all the HTTPS interaction with the user but the GitLab nginx process communicates over HTTP with the reverse proxy: ``` User <-> HTTPS (reverse proxy) on https://mydomain.com <-> GitLab nginx server on http://localhost:8080 ``` Tested by configuring a GitLab Docker image with the options: ``` external_url 'https://mydomain.com' nginx['listen_port'] = 8080 nginx['listen_https'] = false ``` The nginx reverse proxy settings: ``` location / { proxy_pass http://localhost:8080; proxy_set_header Host $host; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } ``` See #489 See merge request !319

Merge branch 'nginx-support-ssl-reverse-proxy' into 'master'
65c12ad2 · Marin Jankovski · a195ab47 · 2901ce0d · 65c12ad2 · 65c12ad2
Commit 65c12ad2 authored 9 years ago by Marin Jankovski
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 The latest version of this file can be found at the master branch of the
 omnibus-gitlab repository.
  
+7.10.0
+
+- Add option to disable HTTPS on nginx to support proxied SSL (Stan Hu) 80f4204052ceb3d47a0fdde2e006e79c099e5237
+
 7.9.0
  
 - Restart nginx instead of issuing a HUP signal changes so that changes in listen_address work (Stan Hu) 428ee157c346f3f0eae53762b51145502b1456a6

--- a/doc/settings/nginx.md
+++ b/doc/settings/nginx.md
@@ -145,6 +145,27 @@ something else.  For example, to use port 8080:
 nginx['listen_port'] = 8080
 ```
  
+## Supporting proxied SSL
+
+By default NGINX will auto-detect whether to use SSL if `external_url`
+contains `https://`.  If you are running GitLab behind a reverse proxy, you
+may wish to keep the `external_url` as an HTTPS address but communicate with
+the GitLab NGINX internally over HTTP. To do this, you can disable HTTPS using
+the `listen_https` option:
+
+```ruby
+nginx['listen_https'] = false
+```
+
+Note that you may need to configure your reverse proxy to forward certain
+headers (e.g. `Host`, `X-Forwarded-Ssl'`, `X-Forwarded-For``) to GitLab. You
+may see improper redirections or errors (e.g. "422 Unprocessable Entity",
+"Can't verify CSRF token authenticity") if you forget this step. For more
+information, see:
+
+http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
+https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
+
 ## Inserting custom NGINX settings into the GitLab server block
  
 If you need to add custom settings into the NGINX `server` block for GitLab for

--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -342,6 +342,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 # nginx['listen_addresses'] = ['*']
 # nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
+# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
 # nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
 # nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
  

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -300,6 +300,7 @@ default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000  shared:SSL:10m"
 default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['listen_addresses'] = ['*']
 default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
+default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
 default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
 default['gitlab']['nginx']['custom_nginx_config'] = nil
  

--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -51,6 +51,12 @@ if nginx_vars['listen_port'].nil?
  nginx_vars['listen_port'] = gitlab_port
 end
  
+if nginx_vars['listen_https'].nil?
+  nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
+else
+  nginx_vars['https'] = nginx_vars['listen_https']
+end
+
 template nginx_vars[:gitlab_http_config] do
  source "nginx-gitlab-http.conf.erb"
  owner "root"
@@ -59,7 +65,6 @@ template nginx_vars[:gitlab_http_config] do
  variables(nginx_vars.merge(
    {
      :fqdn => node['gitlab']['gitlab-rails']['gitlab_host'],
-      :https => node['gitlab']['gitlab-rails']['gitlab_https'],
      :socket => node['gitlab']['unicorn']['socket'],
      :port => gitlab_port
    }