blob: 86bae89bdd79c56b810c564674ef6908a0fa9078 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
# This configuration has been tested on GitLab 8.13
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181.
#
# To allow gitlab-workhorse to listen on port 8181,
# edit or create /etc/sysconfig/gitlab-workhorse and change or add the following:
# LISTEN_OPTIONS="-listenNetwork tcp -listenAddr 0.0.0.0:8181"
# Module dependencies
# mod_rewrite
# mod_ssl (https)
# mod_proxy
# mod_proxy_http
# mod_headers (https)
# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.
<VirtualHost *:80>
ServerName gitlab.example.org
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName gitlab.example.org
<IfModule mod_ssl.c>
SSLEngine on
# strong encryption ciphers only
# see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# When enabling these, ensure 'https' is set to 'true' in /etc/gitlab/gitlab.yml
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
</IfModule>
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
# Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://gitlab.example.org/
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
# Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
# Needed for downloading attachments
DocumentRoot /usr/lib/gitlab/public
# Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog logs/gitlab_error.log
CustomLog logs/gitlab_forwarded.log common_forwarded
CustomLog logs/gitlab_access.log combined env=!dontlog
CustomLog logs/gitlab.log combined
</VirtualHost>
|
