From f4af3f26367453522d5cd50dc78265b802057ae1 Mon Sep 17 00:00:00 2001
From: Stardrad Yin
Date: Thu, 17 Jan 2013 16:05:33 +0800
Subject: [PATCH 01/10] Add nginx https support nginx/gitlab-https
---
 nginx/gitlab-https | 55 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 nginx/gitlab-https
diff --git a/nginx/gitlab-https b/nginx/gitlab-https
new file mode 100644
index 0000000..acb107e
--- /dev/null
+++ b/nginx/gitlab-https
@@ -0,0 +1,55 @@
+# Modified from nginx http version
+# Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+
+# You need from run openssl to generate the ssl certificate.
+# $ sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
+# $ sudo chmod o-r gitlab.key
+
+upstream gitlab {
+ server unix:/home/gitlab/gitlab/tmp/sockets/gitlab.socket;
+}
+
+# This is a normal HTTP host which redirects all traffic to the HTTPS host.
+server {
+ listen 80;
+ server_name Domain_NAME;
+ root /nowhere;
+ rewrite ^ https://gitlab.stardrad.com$request_uri permanent;
+}
+server {
+ listen 443;
+ server_name Domain_NAME;
+ root /home/gitlab/gitlab/public;
+
+ ssl on;
+ ssl_certificate gitlab.crt;
+ ssl_certificate_key gitlab.key;
+ ssl_protocols SSLv3 TLSv1 TLSv2;
+ ssl_ciphers AES:HIGH:!ADH:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ # individual nginx logs for this gitlab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ # serve static files from defined root folder;.
+ # @gitlab is a named location for the upstream fallback, see below
+ try_files $uri $uri/index.html $uri.html @gitlab;
+ }
+
+ # if a file, which is not found in the root folder is requested,
+ # then the proxy pass the request to the upsteam (gitlab unicorn)
+ location @gitlab {
+ proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://gitlab;
+ }
+}
\ No newline at end of file
From a6cf0f99259fdb6d26c74e75874470be88b3bf56 Mon Sep 17 00:00:00 2001
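Review bot: `ssl_protocols SSLv3 TLSv1 TLSv2;` in the port-443 server block names a token nginx does not define — the accepted values are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 — so `nginx -t` rejects the file as written, and the list also keeps SSLv3 enabled, which has known weaknesses; `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is the working and safer line (TLSv1.1/1.2 need nginx 1.1.13+ with OpenSSL 1.0.1+, so confirm the target platform). The port-80 redirect hard-codes the author's host, `rewrite ^ https://gitlab.stardrad.com$request_uri permanent;`, while `server_name` uses the `Domain_NAME` placeholder, so anyone who substitutes only the placeholder sends all plain-HTTP users to a third-party host; `rewrite ^ https://$server_name$request_uri permanent;` follows the placeholder and does not trust the client-supplied Host header. The same `ssl_protocols` line is re-emitted unchanged by the nginx/gitlab-https hunk of patch 09 later in this series. The header comment should also say that `gitlab.crt`/`gitlab.key` are resolved against nginx's prefix directory rather than this file's directory unless given as absolute paths — confirm for the packaged nginx in use.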
From: Stardrad Yin
Date: Wed, 23 Jan 2013 22:17:26 +0800
Subject: [PATCH 02/10] Add maintainer header
---
 nginx/gitlab-https | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nginx/gitlab-https b/nginx/gitlab-https
index acb107e..e58525e 100644
--- a/nginx/gitlab-https
+++ b/nginx/gitlab-https
@@ -1,3 +1,7 @@
+# GITLAB
+# Maintainer: @yin8086
+# App Version: 4.1
+
 # Modified from nginx http version
 # Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
From 0a9afffbffbf791409bbfc758979703230bb3589 Mon Sep 17 00:00:00 2001
From: Geoff Davis
Date: Fri, 22 Feb 2013 10:06:37 +0100
Subject: [PATCH 03/10] Add https only request header option Adds optional RequestHeader X-Forwarded-Proto "https" for SSL only vhosts to prevent redirects to http:// urls
---
 apache/gitlab | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apache/gitlab b/apache/gitlab
index b785186..cd760b0 100644
--- a/apache/gitlab
+++ b/apache/gitlab
@@ -24,6 +24,9 @@
 SSLCertificateKeyFile /etc/apache2/ssl/server.key
 #SSLCertificateChainFile /etc/apache2/ssl/cacert.pem
+ # Uncomment the following line to prevent redirects to http on https only vhosts
+ #RequestHeader set X-Forwarded-Proto "https"
+
 ProxyPass / http://127.0.0.1:3000/
 ProxyPassReverse / http://127.0.0.1:3000/
 ProxyPreserveHost On
From d745bf9b6b9163f1ba7843693f81d185862aa9ff Mon Sep 17 00:00:00 2001
From: Geoff Davis
Date: Fri, 22 Feb 2013 10:27:23 +0100
Subject: [PATCH 04/10] Fix whitespace
---
 apache/gitlab | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache/gitlab b/apache/gitlab
index cd760b0..3e4bbe3 100644
--- a/apache/gitlab
+++ b/apache/gitlab
@@ -25,7 +25,7 @@
 #SSLCertificateChainFile /etc/apache2/ssl/cacert.pem
 # Uncomment the following line to prevent redirects to http on https only vhosts
- #RequestHeader set X-Forwarded-Proto "https"
+ #RequestHeader set X-Forwarded-Proto "https"
 ProxyPass / http://127.0.0.1:3000/
 ProxyPassReverse / http://127.0.0.1:3000/
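Review bot: The comment added in the patch 03 hunk of apache/gitlab says when to uncomment `RequestHeader set X-Forwarded-Proto "https"` but not its two preconditions: the directive is provided by mod_headers, so with that module disabled Apache refuses to start on an unknown directive, and `set` (rather than `append`) is the deliberate choice because it replaces any X-Forwarded-Proto the client sent instead of forwarding it to the Rails app. I would extend the comment to `# Requires mod_headers; 'set' overrides any X-Forwarded-Proto supplied by the client`. The directive presumably sits inside a `<VirtualHost>` that starts before this hunk.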
From 3ad4984e75ef245d15b1fa2867cb9d5639e65150 Mon Sep 17 00:00:00 2001
From: foyo23
Date: Sun, 31 Mar 2013 16:10:06 +0800
Subject: [PATCH 05/10] change gitlab to fit centos 6.x
---
 init.d/gitlab-centos | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/init.d/gitlab-centos b/init.d/gitlab-centos
index bdab1c6..84ed71c 100644
--- a/init.d/gitlab-centos
+++ b/init.d/gitlab-centos
@@ -1,8 +1,8 @@
 #!/bin/bash
 #
 # GitLab
-# Maintainer: @elvanja, @troyanov, @eiyaya
-# App Version: 4.1
+# Maintainer: @elvanja, @troyanov, @eiyaya, @foyo23
+# App Version: 5.0.0
 # chkconfig: 2345 82 55
 # processname: unicorn
@@ -17,7 +17,7 @@
 . /etc/rc.d/init.d/functions
 # The name of the service
-NAME=gitlab
+NAME=git
 # The username and path to the gitlab source
 USER=$NAME
@@ -33,7 +33,7 @@ SLOCK=/var/lock/subsys/sidekiq
 OPTS="-c $APP_PATH/config/unicorn.rb -E production -D"
 # Ruby related path update
-RUBY_PATH_PATCH="PATH=$PATH:/usr/local/bin:/usr/local/lib:/home/gitlab/bin && export PATH && "
+RUBY_PATH_PATCH="PATH=$PATH:/usr/local/bin:/usr/local/lib:/home/git/bin && export PATH && "
 start() {
 cd $APP_PATH
@@ -113,4 +113,4 @@ case "$1" in
 ;;
 esac
-exit 0
\ No newline at end of file
+exit 0
From e8133eba7afd22e89616b81db5483a1ce2ebb0df Mon Sep 17 00:00:00 2001
From: jesseward
Date: Tue, 2 Apr 2013 22:38:01 -0400
Subject: [PATCH 06/10] - swapping uid=git as per 5.0 install doc.
---
 init.d/gitlab-centos | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/init.d/gitlab-centos b/init.d/gitlab-centos
index bdab1c6..b317969 100644
--- a/init.d/gitlab-centos
+++ b/init.d/gitlab-centos
@@ -20,7 +20,7 @@
 NAME=gitlab
 # The username and path to the gitlab source
-USER=$NAME
+USER=git
 APP_PATH=/home/$USER/gitlab
 # The PID and LOCK files used by unicorn and sidekiq
@@ -113,4 +113,4 @@ case "$1" in
 ;;
 esac
-exit 0
\ No newline at end of file
+exit 0
From 33433b655fd4de92ada68db41dbb6dd29de68160 Mon Sep 17 00:00:00 2001
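Review bot: The rewritten `RUBY_PATH_PATCH` line in patch 05's third hunk hard-codes `/home/git/bin` although the script already derives the home directory from `$USER` (`APP_PATH=/home/$USER/gitlab`, visible as context in the patch 06 hunk below), so the two drift apart the next time the account is renamed; `RUBY_PATH_PATCH="PATH=$PATH:/usr/local/bin:/usr/local/lib:/home/$USER/bin && export PATH && "` keeps one source of truth, and `USER=$NAME` is assigned earlier in the file (context of the hunk above). `/usr/local/lib` is a library directory rather than an executables directory, so its presence in PATH looks like a leftover and deserves either a comment or removal — I cannot tell from here whether anything relies on it. `NAME=git` in the previous hunk feeds `USER=$NAME` and presumably any pid or lock names built from `$NAME` outside these hunks; confirm nothing else still expects `gitlab`.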
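Review bot: Patch 06's first hunk and patch 05 start from the same parent blob of init.d/gitlab-centos (`index bdab1c6..b317969` here, `index bdab1c6..84ed71c` there) and edit the same lines in incompatible ways — patch 05 sets `NAME=git` and keeps `USER=$NAME`, while this one keeps `NAME=gitlab` and sets `USER=git` — so applying the series in order conflicts at `USER=` and again at the trailing `exit 0` hunk, which both patches carry verbatim. One of the two needs rebasing onto the other, with the `exit 0` newline fix kept once. The intended end state (service name versus unix account) should be stated in the commit message so the conflict is resolved deliberately rather than by whichever patch lands last.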
From: Dmitriy Zaporozhets
Date: Fri, 5 Apr 2013 17:39:22 +0300
Subject: [PATCH 07/10] Use puma instead of unicorn
---
 init.d/gitlab | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/init.d/gitlab b/init.d/gitlab
index 5b9910e..e0bc0c6 100644
--- a/init.d/gitlab
+++ b/init.d/gitlab
@@ -2,7 +2,7 @@
 # GITLAB
 # Maintainer: @randx
-# App Version: 5.0
+# App Version: 5.1
 ### BEGIN INIT INFO
 # Provides: gitlab
@@ -16,18 +16,18 @@
 APP_ROOT="/home/git/gitlab"
-DAEMON_OPTS="-c $APP_ROOT/config/unicorn.rb -E production"
+DAEMON_OPTS="-C $APP_ROOT/config/puma.rb -E production"
 PID_PATH="$APP_ROOT/tmp/pids"
-UNICORN_PID="$PID_PATH/unicorn.pid"
+WEB_SERVER_PID="$PID_PATH/puma.pid"
 SIDEKIQ_PID="$PID_PATH/sidekiq.pid"
 STOP_SIDEKIQ="RAILS_ENV=production bundle exec rake sidekiq:stop"
 START_SIDEKIQ="RAILS_ENV=production bundle exec rake sidekiq:start"
-NAME="unicorn"
+NAME="gitlab"
 DESC="Gitlab service"
 check_pid(){
- if [ -f $UNICORN_PID ]; then
- PID=`cat $UNICORN_PID`
+ if [ -f $WEB_SERVER_PID ]; then
+ PID=`cat $WEB_SERVER_PID`
 SPID=`cat $SIDEKIQ_PID`
 STATUS=`ps aux | grep $PID | grep -v grep | wc -l`
 else
@@ -45,7 +45,7 @@ start() {
 exit 1
 else
 if [ `whoami` = root ]; then
- sudo -u git -H bash -l -c "nohup bundle exec unicorn_rails $DAEMON_OPTS > /dev/null 2>&1 &"
+ sudo -u git -H bash -l -c "RAILS_ENV=production bundle exec puma $DAEMON_OPTS"
 sudo -u git -H bash -l -c "mkdir -p $PID_PATH && $START_SIDEKIQ > /dev/null 2>&1 &"
 echo "$DESC started"
 fi
@@ -57,9 +57,9 @@ stop() {
 check_pid
 if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then
 ## Program is running, stop it.
- kill -QUIT `cat $UNICORN_PID`
+ kill -QUIT `cat $WEB_SERVER_PID`
 sudo -u git -H bash -l -c "mkdir -p $PID_PATH && $STOP_SIDEKIQ > /dev/null 2>&1 &"
- rm "$UNICORN_PID" >> /dev/null
+ rm "$WEB_SERVER_PID" >> /dev/null
 echo "$DESC stopped"
 else
 ## Program is not running, exit with error.
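Review bot: The new start line `sudo -u git -H bash -l -c "RAILS_ENV=production bundle exec puma $DAEMON_OPTS"` runs puma in the foreground: the `nohup … > /dev/null 2>&1 &` wrapper of the unicorn line is gone and the new `DAEMON_OPTS` (in the hunk above) carries no daemon flag, so unless `config/puma.rb` sets `daemonize true` the init script blocks here and the sidekiq start on the following line is never reached. Puma of that era accepts `-d`/`--daemon` for this, e.g. `sudo -u git -H bash -l -c "RAILS_ENV=production bundle exec puma -d $DAEMON_OPTS"`; confirm against the puma version pinned in the Gemfile. `check_pid` and `stop` depend on `WEB_SERVER_PID="$PID_PATH/puma.pid"`, which puma only writes when a `pidfile` is configured in puma.rb or on the command line, so that setting should be verified alongside this change. The enclosing `start()` begins before this hunk.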
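Review bot: `kill -QUIT \`cat $WEB_SERVER_PID\`` in the stop hunk carries unicorn's graceful-stop signal over to puma, but as far as I recall puma's documented shutdown signals are SIGTERM and SIGINT and it installs no SIGQUIT handler, so the default action (terminate, with a core dump) would drop in-flight requests; `kill -TERM \`cat $WEB_SERVER_PID\`` is the conservative choice — verify against the pinned puma version. The pid file is then removed by root with `rm "$WEB_SERVER_PID" >> /dev/null` without waiting for the process to exit, so a `status` call issued right after `stop` can still report a live PID; a short wait loop on the pid before the `rm` would make stop reliable (the pattern predates this patch, which only renames the variable). `stop()` begins before this hunk.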
@@ -73,7 +73,7 @@ restart() {
 check_pid
 if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then
 echo "Restarting $DESC..."
- kill -USR2 `cat $UNICORN_PID`
+ kill -USR2 `cat $WEB_SERVER_PID`
 sudo -u git -H bash -l -c "mkdir -p $PID_PATH && $STOP_SIDEKIQ > /dev/null 2>&1 &"
 if [ `whoami` = root ]; then
 sudo -u git -H bash -l -c "mkdir -p $PID_PATH && $START_SIDEKIQ > /dev/null 2>&1 &"
From 6f6e0117c1e11a9e64e6ca51fc5a243c499c6007 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 5 Apr 2013 19:55:32 +0300
Subject: [PATCH 08/10] Fixed -e for puma
---
 init.d/gitlab | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init.d/gitlab b/init.d/gitlab
index e0bc0c6..93321d6 100644
--- a/init.d/gitlab
+++ b/init.d/gitlab
@@ -16,7 +16,7 @@
 APP_ROOT="/home/git/gitlab"
-DAEMON_OPTS="-C $APP_ROOT/config/puma.rb -E production"
+DAEMON_OPTS="-C $APP_ROOT/config/puma.rb -e production"
 PID_PATH="$APP_ROOT/tmp/pids"
 WEB_SERVER_PID="$PID_PATH/puma.pid"
 SIDEKIQ_PID="$PID_PATH/sidekiq.pid"
From 76ba45246e93e9c764580fe54ccfe38da751afbe Mon Sep 17 00:00:00 2001
From: Sytse Sijbrandij
Date: Fri, 12 Apr 2013 16:36:52 +0200
Subject: [PATCH 09/10] Remove nginx version number as a security best practice. Hat tip to Remy van Elst.
---
 nginx/gitlab | 1 +
 nginx/gitlab-https | 24 +++++++++++++-----------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/nginx/gitlab b/nginx/gitlab
index 7428393..14070f2 100644
--- a/nginx/gitlab
+++ b/nginx/gitlab
@@ -9,6 +9,7 @@ upstream gitlab {
 server {
 listen YOUR_SERVER_IP:80 default_server; # e.g., listen 192.168.1.1:80;
 server_name YOUR_SERVER_FQDN; # e.g., server_name source.example.com;
+ server_tokens off;
 root /home/git/gitlab/public;
 # individual nginx logs for this gitlab vhost
diff --git a/nginx/gitlab-https b/nginx/gitlab-https
index e58525e..b2b1cd1 100644
--- a/nginx/gitlab-https
+++ b/nginx/gitlab-https
@@ -8,7 +8,7 @@
 # You need from run openssl to generate the ssl certificate.
 # $ sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
 # $ sudo chmod o-r gitlab.key
-
+
 upstream gitlab {
 server unix:/home/gitlab/gitlab/tmp/sockets/gitlab.socket;
 }
@@ -17,43 +17,45 @@ upstream gitlab {
 server {
 listen 80;
 server_name Domain_NAME;
+ server_tokens off;
 root /nowhere;
 rewrite ^ https://gitlab.stardrad.com$request_uri permanent;
 }
 server {
 listen 443;
 server_name Domain_NAME;
+ server_tokens off;
 root /home/gitlab/gitlab/public;
-
+
 ssl on;
 ssl_certificate gitlab.crt;
- ssl_certificate_key gitlab.key;
- ssl_protocols SSLv3 TLSv1 TLSv2;
- ssl_ciphers AES:HIGH:!ADH:!MD5;
- ssl_prefer_server_ciphers on;
-
+ ssl_certificate_key gitlab.key;
+ ssl_protocols SSLv3 TLSv1 TLSv2;
+ ssl_ciphers AES:HIGH:!ADH:!MD5;
+ ssl_prefer_server_ciphers on;
+
 # individual nginx logs for this gitlab vhost
 access_log /var/log/nginx/gitlab_access.log;
 error_log /var/log/nginx/gitlab_error.log;
-
+
 location / {
 # serve static files from defined root folder;.
 # @gitlab is a named location for the upstream fallback, see below
 try_files $uri $uri/index.html $uri.html @gitlab;
 }
-
+
 # if a file, which is not found in the root folder is requested,
 # then the proxy pass the request to the upsteam (gitlab unicorn)
 location @gitlab {
 proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
 proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
 proxy_redirect off;
-
+
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
-
+
 proxy_pass http://gitlab;
 }
 }
\ No newline at end of file
From 94f0f8e7f5e4f999530dcd4904e4fe666bc31efd Mon Sep 17 00:00:00 2001
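Review bot: Most of the second hunk is whitespace-only churn — blank lines removed and re-added as `-`/`+` pairs and the five `ssl_*` lines rewritten with identical content — while the actual change is the two `server_tokens off;` insertions, so a reader has to diff the diff to find the security-relevant lines; splitting the cleanup into its own commit, as patch 04 does for apache/gitlab, would keep this one reviewable. Since `ssl_protocols SSLv3 TLSv1 TLSv2;` is rewritten here anyway, this was the natural place to replace the undefined `TLSv2` token and drop SSLv3 (raised on patch 01). `server_tokens off;` removes the version from the `Server:` header and error pages of these two vhosts only; if nginx.conf carries other server blocks, setting it once at the `http` level covers all of them.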
From: sagikazarmark
Date: Mon, 22 Apr 2013 23:20:25 +0300
Subject: [PATCH 10/10] Update init script status from Unicorn to Puma
---
 init.d/gitlab | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init.d/gitlab b/init.d/gitlab
index 93321d6..6e83647 100644
--- a/init.d/gitlab
+++ b/init.d/gitlab
@@ -89,7 +89,7 @@ status() {
 cd $APP_ROOT
 check_pid
 if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then
- echo "$DESC / Unicorn with PID $PID is running."
+ echo "$DESC / Puma with PID $PID is running."
 echo "$DESC / Sidekiq with PID $SPID is running."
 else
 echo "$DESC is not running."