
git.conf

Manu_H Oct 3rd, 2016 267 Never
  1. ## GitLab
  2. ##
  3. ## Modified from nginx http version
  4. ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
  5. ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  6. ##
  7. ## Lines starting with two hashes (##) are comments with information.
  8. ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
  9. ##
  10. ##################################
  11. ##        CONTRIBUTING          ##
  12. ##################################
  13. ##
  14. ## If you change this file in a Merge Request, please also create
  15. ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
  16. ##
  17. ###################################
  18. ##         configuration         ##
  19. ###################################
  20. ##
  21. ## See installation.md#using-https for additional HTTPS configuration details.
  22.  
  ## Backend pool: gitlab-workhorse, reached over a local Unix domain socket.
  ## fail_timeout=0 is set on the single backend server below.
  upstream gitlab-workhorse {
    server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
  }
  26.  
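  ## Plain-HTTP host: redirects every request to the HTTPS host.
  server {
    ## IP.Adress.of.Server is a placeholder for the address nginx should bind to.
    ## The listen line carries no "default_server", but if this is the only
    ## server block on that address:port nginx still uses it for requests whose
    ## Host header does not match server_name (eg. http://x.x.x.x/). Delete
    ## /etc/nginx/sites-enabled/default if it claims the same address.
    listen IP.Adress.of.Server:80;
  #  listen [::]:80 ipv6only=on default_server;
    server_name git.domain.tld; ## Replace this with something like gitlab.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice

    ## Redirect to the configured server_name rather than $http_host: the Host
    ## header is client-supplied, so echoing it into the Location header lets a
    ## request with a forged Host be redirected to an arbitrary site.
    return 301 https://$server_name$request_uri;

    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;
  }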
  41.  
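  ## HTTPS host: terminates TLS and proxies everything to gitlab-workhorse.
  server {
    ## IP.Adress.of.Server is a placeholder for the address nginx should bind to.
    ## The "ssl" flag on the listen line enables TLS for this socket; the
    ## separate "ssl on;" directive is deprecated and has been dropped.
    listen IP.Adress.of.Server:443 ssl;
  #  listen [::]:443 ipv6only=on ssl default_server;
    server_name git.domain.tld; ## Replace this with something like gitlab.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice

    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    ssl_certificate /etc/letsencrypt/live/git.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.domain.tld/privkey.pem;

    ## Cipher list kept broad for older Java IDE clients, minus the 3DES suites
    ## (64-bit block cipher, SWEET32). The plain-RSA key-exchange entries
    ## (AES256-GCM-SHA384 and the ones after it) offer no forward secrecy;
    ## drop them once no client depends on them.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ## TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    ## Add TLSv1.3 here if the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ## See app/controllers/application_controller.rb for headers set

    ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
    ## Replace with your ssl_trusted_certificate. For more info see:
    ## - https://medium.com/devops-programming/4445f4862461
    ## - https://www.ruby-forum.com/topic/4419319
    ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    # resolver_timeout 5s;

    ## DH parameters, generated with e.g.:
    ##   sudo openssl dhparam -out /etc/letsencrypt/dhparam.pem 4096
    ## The cipher list above contains no DHE suites, so this file only comes
    ## into play if DHE suites are added later.
    ssl_dhparam /etc/letsencrypt/dhparam.pem;

    ## Individual nginx logs for this GitLab vhost
    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;

    location / {
      ## 0 disables nginx's request-body size check, so any upload limit has
      ## to be enforced by the upstream.
      client_max_body_size 0;
      gzip off;

      ## https://github.com/gitlabhq/gitlabhq/issues/694
      ## Some requests take more than 30 seconds.
      proxy_read_timeout      300;
      proxy_connect_timeout   300;
      proxy_redirect          off;

      proxy_http_version 1.1;

      ## Host is forwarded exactly as the client sent it.
      ## NOTE(review): confirm the upstream does not build links from it.
      proxy_set_header    Host                $http_host;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-Ssl     on;
      ## $proxy_add_x_forwarded_for appends $remote_addr to whatever
      ## X-Forwarded-For the client sent; only the last entry is set by nginx.
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto   $scheme;
      proxy_pass http://gitlab-workhorse;
    }

    ## Static error pages served from GitLab's public directory.
    error_page 404 /404.html;
    error_page 422 /422.html;
    error_page 500 /500.html;
    error_page 502 /502.html;
    error_page 503 /503.html;
    location ~ ^/(404|422|500|502|503)\.html$ {
      root /home/git/gitlab/public;
      ## "internal": reachable only through error_page, not by direct request.
      internal;
    }
  }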