Support for non-bundled web server (Apache, Nginx)
This is currently blocked by the file permissions for user uploads (attachments): the user of the web server (often www-data) cannot access files in /var/opt/gitlab/gitlab-rails/uploads.
Proposed solution to be implemented in the internal Chef cookbook:
- create a gitlab-www user and group;
- make the NGINX workers run as gitlab-www instead of git;
- open up permissions for /var/opt/gitlab/gitlab-rails from 0700 to 0755;
- change permissions of /var/opt/gitlab/gitlab-rails/uploads to 0750;
- change group ownership of /var/opt/gitlab/gitlab-rails/uploads from root to gitlab-www;
- create /var/opt/gitlab/gitlab-rails/sockets with ownership git:gitlab-www and permissions 0770.
Then on installations with a non-bundled web server, one could add the www-data user to the gitlab-www group to give read access to the user uploads.
A custom NGINX installation could then also reach the GitLab socket.
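
A read-only audit of the layout proposed above, as an added example (it is not part of the proposal or of the Chef cookbook). It assumes GNU stat (`stat -c`); the function names `check_path` and `audit_layout` and the environment overrides are hypothetical.

```shell
#!/bin/sh
# Added example: verify the modes and ownership listed in the proposal.
# Defaults are the paths and names from the proposal; override via environment.
RAILS_DIR="${RAILS_DIR:-/var/opt/gitlab/gitlab-rails}"
APP_USER="${APP_USER:-git}"
WWW_GROUP="${WWW_GROUP:-gitlab-www}"

# check_path DIR MODE [OWNER] [GROUP]
# Prints one finding per mismatch and returns 1 if any check failed.
# An empty OWNER or GROUP means "do not check".
check_path() {
    path=$1; want_mode=$2; want_owner=${3:-}; want_group=${4:-}
    if [ ! -d "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    rc=0
    mode=$(stat -c '%a' "$path")
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE $path is $mode, want $want_mode"; rc=1
    fi
    owner=$(stat -c '%U' "$path")
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "OWNER $path is $owner, want $want_owner"; rc=1
    fi
    group=$(stat -c '%G' "$path")
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "GROUP $path is $group, want $want_group"; rc=1
    fi
    return $rc
}

# audit_layout: returns 0 only if all three directories match the proposal.
audit_layout() {
    failed=0
    # Parent must be traversable by the web server user (0755, was 0700).
    check_path "$RAILS_DIR" 755 || failed=1
    # Uploads: group read for gitlab-www, nothing for other users (0750).
    check_path "$RAILS_DIR/uploads" 750 "" "$WWW_GROUP" || failed=1
    # Sockets: git:gitlab-www, 0770.
    check_path "$RAILS_DIR/sockets" 770 "$APP_USER" "$WWW_GROUP" || failed=1
    return $failed
}
```

Source the file and call `audit_layout` on the GitLab host; a world-accessible mode such as 0755 or 0777 on uploads is reported as a MODE finding, since it would expose attachments to every local user rather than only to members of gitlab-www.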