Remove secondary IP requirement from Pages setup
Per https://docs.gitlab.com/ee/administration/pages/index.html#custom-domains
To support custom domains, we currently require customers to set up Pages on a secondary IP, where it listens directly on ports 80/433.
I believe that it's possible to configure nginx to make this unnecessary.
To do this for HTTP (unencrypted) traffic, we just set the Pages daemon to be the default recipient for any HTTP requests that don't match a more-specific server block.
To do this for HTTPS (encrypted) traffic, we do the same with SNI, rather than Host: headers. Here, we need to tell NGINX "If it's an HTTPS connection and the SNI information doesn't match a known server block for HTTPS, then perform TCP connection proxying to pages". I haven't absolutely verified that this is possible in NGINX, but I'd be surprised if it were not.
The downside is that any clients that don't send SNI or Host: headers would find themselves unconditionally going to Pages, rather than to GitLab. The list of clients this applies to is quite short - Java 6 and Windows XP being the main culprits.
This probably wasn't an option when Pages was first written, but perhaps it's acceptable now due to the lower deployment of those platforms?
The upside is a much simplified configuration and set of requirements on single-host GitLab installations. We'd be able to support Pages custom domains and HTTPS out of the box.
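A sketch of the routing described above, added here as an illustration and not taken from GitLab's shipped configuration: it uses NGINX's `ngx_stream_ssl_preread_module` to pick a backend from the SNI name without terminating TLS, and a `default_server` block for HTTP. The hostname `gitlab.example.com`, the loopback ports and the certificate paths are assumptions.

```nginx
# Added illustration; not GitLab's shipped configuration.
# Assumed: gitlab.example.com, 127.0.0.1:8080 (GitLab application),
# 127.0.0.1:8443 (GitLab HTTPS server block), 127.0.0.1:8090 / 8091
# (Pages daemon HTTP / HTTPS listeners), certificate paths.
events {}

stream {
    # Choose a backend from the SNI name in the ClientHello, TLS left intact.
    map $ssl_preread_server_name $https_backend {
        gitlab.example.com  127.0.0.1:8443;  # known HTTPS server block
        default             127.0.0.1:8091;  # unknown or missing SNI -> Pages
    }

    server {
        listen 443;
        ssl_preread on;             # read SNI without decrypting
        proxy_pass $https_backend;  # TCP proxying; the backend terminates TLS
    }
}

http {
    # GitLab over HTTP, selected by the Host: header.
    server {
        listen 80;
        server_name gitlab.example.com;
        location / { proxy_pass http://127.0.0.1:8080; }
    }

    # GitLab over HTTPS, reachable only through the stream block above.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name gitlab.example.com;
        ssl_certificate     /etc/nginx/ssl/gitlab.crt;  # assumed path
        ssl_certificate_key /etc/nginx/ssl/gitlab.key;  # assumed path
        location / { proxy_pass http://127.0.0.1:8080; }
    }

    # Requests whose Host: matches no other server block go to Pages.
    server {
        listen 80 default_server;
        server_name _;
        location / {
            proxy_pass http://127.0.0.1:8090;
            proxy_set_header Host $host;
        }
    }
}
```

With this layout both HTTPS backends see every connection as coming from 127.0.0.1, so client addresses in their access logs are lost unless the PROXY protocol (`proxy_protocol on;` in the stream server) is enabled and both backends are configured to accept it.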