mirror of
https://github.com/archlinuxarm/PKGBUILDs.git
synced 2024-11-18 22:54:00 +00:00
94 lines
4.2 KiB
Text
94 lines
4.2 KiB
Text
# This configuration has been tested on GitLab 8.2
|
|
# Note this config assumes unicorn is listening on default port 8080 and
|
|
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
|
|
# listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
|
|
#
|
|
# gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
|
|
#
|
|
#Module dependencies
|
|
# mod_rewrite
|
|
# mod_ssl
|
|
# mod_proxy
|
|
# mod_proxy_http
|
|
# mod_headers
|
|
|
|
# This section is only needed if you want to redirect http traffic to https.
|
|
# You can live without it but clients will have to type in https:// to reach gitlab.
|
|
<VirtualHost *:80>
|
|
ServerName YOUR_SERVER_FQDN
|
|
ServerSignature Off
|
|
|
|
RewriteEngine on
|
|
RewriteCond %{HTTPS} !=on
|
|
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:443>
|
|
SSLEngine on
|
|
#strong encryption ciphers only
|
|
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
|
|
SSLProtocol all -SSLv2 -SSLv3
|
|
SSLHonorCipherOrder on
|
|
# SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
|
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
|
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
|
|
SSLCompression Off
|
|
SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
|
|
SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
|
|
SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
|
|
|
|
ServerName YOUR_SERVER_FQDN
|
|
ServerSignature Off
|
|
|
|
ProxyPreserveHost On
|
|
|
|
# Ensure that encoded slashes are not decoded but left in their encoded state.
|
|
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
|
|
AllowEncodedSlashes NoDecode
|
|
|
|
<Location />
|
|
# New authorization commands for apache 2.4 and up
|
|
# http://httpd.apache.org/docs/2.4/upgrading.html#access
|
|
Require all granted
|
|
|
|
#Allow forwarding to gitlab-workhorse
|
|
ProxyPassReverse http://127.0.0.1:8181
|
|
ProxyPassReverse http://YOUR_SERVER_FQDN/
|
|
</Location>
|
|
|
|
# Apache equivalent of nginx try files
|
|
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
|
|
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
|
|
RewriteEngine on
|
|
|
|
#Don't escape encoded characters in api requests
|
|
RewriteCond %{REQUEST_URI} ^/api/v3/.*
|
|
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
|
|
|
|
#Forward all requests to gitlab-workhorse except existing files like error documents
|
|
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
|
|
RewriteCond %{REQUEST_URI} ^/uploads/.*
|
|
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
|
|
|
|
RequestHeader set X_FORWARDED_PROTO 'https'
|
|
RequestHeader set X-Forwarded-Ssl on
|
|
|
|
# needed for downloading attachments
|
|
DocumentRoot /usr/share/webapps/gitlab/public
|
|
|
|
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
|
|
ErrorDocument 404 /404.html
|
|
ErrorDocument 422 /422.html
|
|
ErrorDocument 500 /500.html
|
|
ErrorDocument 503 /deploy.html
|
|
|
|
# It is assumed that the log directory is in /var/log/httpd.
|
|
# For Debian distributions you might want to change this to
|
|
# /var/log/apache2.
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
|
|
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
|
|
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
|
|
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
|
|
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
|
|
|
|
</VirtualHost>
|