API tools faq
paste
Advertisement
MoTastischYT

NGINX Server Block Gitlab

MoTastischYT
Apr 4th, 2022
155
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.86 KB | None | 0 0
raw download clone embed print report
  1. ## GitLab
  2. ##
  3. ## Modified from nginx http version
  4. ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
  5. ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  6. ##
  7. ## Lines starting with two hashes (##) are comments with information.
  8. ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
  9. ##
  10. ##################################
  11. ## CONTRIBUTING ##
  12. ##################################
  13. ##
  14. ## If you change this file in a Merge Request, please also create
  15. ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
  16. ##
  17. ###################################
  18. ## configuration ##
  19. ###################################
  20. ##
  21. ## See installation.md#using-https for additional HTTPS configuration details.
  22.  
  23. upstream gitlab-workhorse {
  24. # On GitLab versions before 13.5, the location is
  25. # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
  26. # accordingly.
  27. server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
  28. }
  29.  
  30. ## Redirects all HTTP traffic to the HTTPS host
  31. server {
  32. ## Either remove "default_server" from the listen line below,
  33. ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  34. ## to be served if you visit any address that your server responds to, eg.
  35. ## the ip address of the server (http://x.x.x.x/)
  36. listen 0.0.0.0:80;
  37. listen [::]:80 ipv6only=on;
  38. server_name git.motastish.ga; ## Replace this with something like gitlab.example.com
  39. server_tokens off; ## Don't show the nginx version number, a security best practice
  40. return 301 https://$http_host$request_uri;
  41. access_log /var/log/nginx/gitlab_access.log;
  42. error_log /var/log/nginx/gitlab_error.log;
  43. }
  44.  
  45. ## HTTPS host
  46. server {
  47. listen 0.0.0.0:443 ssl;
  48. listen [::]:443 ipv6only=on ssl;
  49. server_name git.motastish.ga; ## Replace this with something like gitlab.example.com
  50. server_tokens off; ## Don't show the nginx version number, a security best practice
  51. root /opt/gitlab/embedded/service/gitlab-rails/public;
  52.  
  53. ## Strong SSL Security
  54. ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  55. ssl on;
  56. ssl_certificate /etc/letsencrypt/live/git.motastish.ga/fullchain.pem;
  57. ssl_certificate_key /etc/letsencrypt/live/git.motastish.ga/privkey.pem;
  58.  
  59. # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  60. ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  61. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  62. ssl_prefer_server_ciphers on;
  63. ssl_session_cache shared:SSL:10m;
  64. ssl_session_timeout 5m;
  65.  
  66. ## See app/controllers/application_controller.rb for headers set
  67.  
  68. ## [Optional] Enable HTTP Strict Transport Security
  69. ## HSTS is a feature improving protection against MITM attacks
  70. ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  71. # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  72.  
  73. ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  74. ## Replace with your ssl_trusted_certificate. For more info see:
  75. ## - https://medium.com/devops-programming/4445f4862461
  76. ## - https://www.ruby-forum.com/topic/4419319
  77. ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  78. # ssl_stapling on;
  79. # ssl_stapling_verify on;
  80. # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  81. # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  82. # resolver_timeout 5s;
  83.  
  84. ## [Optional] Generate a stronger DHE parameter:
  85. ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  86. ##
  87. # ssl_dhparam /etc/ssl/certs/dhparam.pem;
  88.  
  89. ## Individual nginx logs for this GitLab vhost
  90. access_log /var/log/nginx/gitlab_access.log;
  91. error_log /var/log/nginx/gitlab_error.log;
  92.  
  93. location / {
  94. client_max_body_size 0;
  95. gzip off;
  96.  
  97. ## https://github.com/gitlabhq/gitlabhq/issues/694
  98. ## Some requests take more than 30 seconds.
  99. proxy_read_timeout 300;
  100. proxy_connect_timeout 300;
  101. proxy_redirect off;
  102.  
  103. proxy_http_version 1.1;
  104.  
  105. proxy_set_header Host $http_host;
  106. proxy_set_header X-Real-IP $remote_addr;
  107. proxy_set_header X-Forwarded-Ssl on;
  108. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  109. proxy_set_header X-Forwarded-Proto $scheme;
  110. proxy_pass http://gitlab-workhorse;
  111. }
  112. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!