From 62ddbd4e0e015965bfaa7cf19c62b54fa1954737 Mon Sep 17 00:00:00 2001
From: Dmitry Yu Okunev
Date: Thu, 19 Dec 2013 15:36:39 +0400
Subject: [PATCH 1/3] Added nginx config example to cut-off ".git"
---
web-server/nginx/gitlab-ssl-limit-cutgit | 62 ++++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 web-server/nginx/gitlab-ssl-limit-cutgit
diff --git a/web-server/nginx/gitlab-ssl-limit-cutgit b/web-server/nginx/gitlab-ssl-limit-cutgit
new file mode 100644
index 0000000..6d33fcf
--- /dev/null
+++ b/web-server/nginx/gitlab-ssl-limit-cutgit
@@ -0,0 +1,62 @@
+# GITLAB with SSL with connection limit with requests limit with ".git" cut-off
+
+limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
+limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
+server {
+ listen 0.0.0.0:443 ssl;
+ root /home/git/gitlab/public;
+
+ ssl on;
+ ssl_certificate /etc/nginx/gitlab.crt;
+ ssl_certificate_key /etc/nginx/gitlab.key;
+ ssl_protocols SSLv3 TLSv1 TLSv1.2;
+ ssl_ciphers AES:HIGH:!ADH:!MD5;
+ ssl_prefer_server_ciphers on;
+ server_name git.example.com;
+
+ location ~ ^/([^/]*/[^/]*)\.git {
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location ~ ^/([^/]+/[^/]+)/(.*) {
+ rewrite ^/([^/]+/[^/]+)/info/(.*) /$1.git/info/$2 last;
+ rewrite ^/([^/]+/[^/]+)/git-(.*) /$1.git/git-$2 last;
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location ~ /$ {
+ limit_req zone=one burst=15 nodelay;
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location / {
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location @gitlab {
+ limit_conn conn_limit_per_ip 20;
+ proxy_pass http://127.0.0.1:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Referer $scheme://$host$request_uri;
+ client_max_body_size 256M;
+ proxy_redirect off;
+
+ proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Ssl on;
+ }
+}
+
+server {
+ listen *:80 default;
+ location / {
+ rewrite ^ https://gitlab.ut.mephi.ru$request_uri? permanent;
+ }
+}
+
From 779f63046f4d47f09c3bb05a5a33972ca0fa8971 Mon Sep 17 00:00:00 2001
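Review bot: The `ssl_protocols SSLv3 TLSv1 TLSv1.2;` line in the 443 server block enables SSLv3, which is broken, and skips TLSv1.1; an example that people will copy should read `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx/OpenSSL build supports it). The cipher string `AES:HIGH:!ADH:!MD5` excludes anonymous DH but may still admit other unauthenticated suites on older OpenSSL builds, so `!aNULL` belongs in it as well. In `@gitlab`, `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For value the client sent, so if nginx is the first hop the header should be set to `$remote_addr`, or the backend should trust only X-Real-IP. The same lines are repeated in gitlab-ssl-limit-cutgit-anotherstartpage in patch 3/3.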
From: Dmitry Yu Okunev
Date: Thu, 19 Dec 2013 15:39:45 +0400
Subject: [PATCH 2/3] Forgot to change hostname in the end of nginx cfg
---
web-server/nginx/gitlab-ssl-limit-cutgit | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web-server/nginx/gitlab-ssl-limit-cutgit b/web-server/nginx/gitlab-ssl-limit-cutgit
index 6d33fcf..1eeca43 100644
--- a/web-server/nginx/gitlab-ssl-limit-cutgit
+++ b/web-server/nginx/gitlab-ssl-limit-cutgit
@@ -56,7 +56,7 @@ server {
 server {
 listen *:80 default;
 location / {
- rewrite ^ https://gitlab.ut.mephi.ru$request_uri? permanent;
+ rewrite ^ https://git.example.com$request_uri? permanent;
 }
 }
From 6a98422fc465e6f4af05b12f862186ea86dde85b Mon Sep 17 00:00:00 2001
From: Dmitry Yu Okunev
Date: Mon, 13 Jan 2014 17:25:41 +0400
Subject: [PATCH 3/3] nginx: "public/projects" as the startpage
Signed-off-by: Dmitry Yu Okunev
---
.../gitlab-ssl-limit-cutgit-anotherstartpage | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 web-server/nginx/gitlab-ssl-limit-cutgit-anotherstartpage
diff --git a/web-server/nginx/gitlab-ssl-limit-cutgit-anotherstartpage b/web-server/nginx/gitlab-ssl-limit-cutgit-anotherstartpage
new file mode 100644
index 0000000..d1413e5
--- /dev/null
+++ b/web-server/nginx/gitlab-ssl-limit-cutgit-anotherstartpage
@@ -0,0 +1,70 @@
+# GITLAB with SSL with connection limit with requests limit with ".git" cut-off
+# and with "public/projects" as the start page
+
+limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
+limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
+server {
+ listen 0.0.0.0:443 ssl;
+ root /home/git/gitlab/public;
+
+ ssl on;
+ ssl_certificate /etc/nginx/gitlab.crt;
+ ssl_certificate_key /etc/nginx/gitlab.key;
+ ssl_protocols SSLv3 TLSv1 TLSv1.2;
+ ssl_ciphers AES:HIGH:!ADH:!MD5;
+ ssl_prefer_server_ciphers on;
+ server_name git.example.com;
+
+ location = /users/sign_in {
+ if ($http_referer ~ "^$") {
+ rewrite ^ https://git.example.com/public/projects redirect;
+ }
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location ~ ^/([^/]*/[^/]*)\.git {
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location ~ ^/([^/]+/[^/]+)/(.*) {
+ rewrite ^/([^/]+/[^/]+)/info/(.*) /$1.git/info/$2 last;
+ rewrite ^/([^/]+/[^/]+)/git-(.*) /$1.git/git-$2 last;
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location ~ /$ {
+ limit_req zone=one burst=15 nodelay;
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location / {
+ try_files maintenance.html $uri $uri/index.html $uri.htm @gitlab;
+ }
+
+ location @gitlab {
+ limit_conn conn_limit_per_ip 20;
+ proxy_pass http://127.0.0.1:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Referer $scheme://$host$request_uri;
+ client_max_body_size 256M;
+ proxy_redirect off;
+
+ proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Ssl on;
+ }
+}
+
+server {
+ listen *:80 default;
+ location / {
+ rewrite ^ https://git.example.com$request_uri? permanent;
+ }
+}
+
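Review bot: The new `location = /users/sign_in` block carries no `limit_req`, and since the only `limit_req` in this file sits in `location ~ /$`, the login endpoint is not rate-limited at the proxy; adding `limit_req zone=one burst=15 nodelay;` here (or a stricter dedicated zone) would cover it. The `if ($http_referer ~ "^$")` test also matches every client that suppresses the Referer header, and it appears to apply to the login POST as well as the GET, so such users would be sent to /public/projects and might be unable to sign in. A comment such as `# Referer is client-supplied; this only changes the landing page, it is not an access control` would keep readers from relying on the check.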