Commit 2a11c674 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis 🚀

Add missing omnibus configs for Apache and update instructions

parent d3eae4c0
......@@ -3,14 +3,37 @@
The configuration files in this directory were tested with GitLab 8.1. For
versions of GitLab older than 8.0, check the `apache-old` branch.
## Installations from source
If you are using Apache version 2.4 or above, please use files
[gitlab-apache24.conf](gitlab-apache24.conf) or [gitlab-ssl-apache24.conf](gitlab-ssl-apache24.conf)
for the HTTP and HTTPS versions of the vhost repectively.
If you are using Apache version 2.2 or above, please use files
If you are using Apache version 2.2, please use files
[gitlab-apache22.conf](gitlab-apache22.conf) or [gitlab-ssl-apache22.conf](gitlab-ssl-apache22.conf)
for the HTTP and HTTPS versions of the vhost repectively.
To allow `gitlab-workhorse` to listen on port 8181, edit or create
`/etc/default/gitlab` and change or add the following:
```
gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr http://127.0.01:8181 -authBackend http://127.0.0.1:8080"
```
## Installations unsing the Omnibus packages
[Omnibus packages][] use their own bundled nginx server. If you want to use your
own external Nginx server, follow the 4 steps to
[configure GitLab][omnibuswebext] and then download the appropriate config file
from this directory which has `omnibus` in its name.
Usually the location where Apache reads its configs from, is either
`/etc/apache2/sites-enabled/` (Debian/Ubuntu) or `/etc/httpd/conf.d/` (RHEL/CentOS).
If you are using Debian, the de facto way is to store the configs in
`/etc/apache2/sites-available/` and then make a symlink to
`/etc/apache2/sites-enabled/` using the `a2ensite` command.
# RHEL6/CentOS6 recommendations
Most of the settings below were tested on CentOS 6, but are probably applicable
......@@ -214,3 +237,5 @@ to better understand it.
[sock]: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
[reports]: https://github.com/gitlabhq/gitlabhq/issues/5139
[digiocean]: https://www.digitalocean.com/community/tutorials/how-to-get-started-with-mod_pagespeed-with-apache-on-an-ubuntu-and-debian-cloud-server
[Omnibus packages]: https://about.gitlab.com/downloads/
[omnibuswebext]: http://doc.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
# This configuration has been tested on GitLab 8.1
# Note this config assumes unicorn is listening on default port 8080 and gitlab-git-http-server is listening on port 8181.
# To allow gitlab-git-http-server to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
# gitlab_git_http_server_options="-listenUmask 0 -listenNetwork tcp -listenAddr localhost:8181 -authBackend http://127.0.0.1:8080"
# Note this config assumes unicorn is listening on default port 8080 and gitlab-workhorse is listening on port 8181.
# To allow gitlab-workhorse to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
# gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr http://127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
#Module dependencies
# mod_rewrite
......@@ -9,7 +9,7 @@
# mod_proxy_http
# HTTP Configuration
<VirtualHost *:80>
ServerName gitlab.example.com
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
......@@ -22,18 +22,18 @@
Order deny,allow
Allow from all
#Allow forwarding to gitlab-git-http-server
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
#Allow forwarding to GitLab Rails app (Unicorn)
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://gitlab.example.com/
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward these requests to gitlab-git-http-server
#Forward these requests to gitlab-workhorse
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
......@@ -45,7 +45,7 @@
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
......@@ -57,9 +57,9 @@
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/gitlab.example.com_error.log
CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/gitlab.example.com.log combined
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>
# This configuration has been tested on GitLab 8.1
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_proxy
# mod_proxy_http
# HTTP Configuration
<VirtualHost *:80>
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
Order deny,allow
Allow from all
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
#Allow forwarding to GitLab Rails app (Unicorn)
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward these requests to gitlab-workhorse
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
#Forward any other requests to GitLab Rails app (Unicorn)
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>
# This configuration has been tested on GitLab 8.1
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_proxy
# mod_proxy_http
<VirtualHost *:80>
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
#Allow forwarding to GitLab Rails app (Unicorn)
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward these requests to gitlab-workhorse
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
#Forward any other requests to GitLab Rails app (Unicorn)
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>
# This configuration has been tested on GitLab 8.1
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers
# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.
<VirtualHost *:80>
ServerName YOUR_SERVER_FQDN
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/YOUR_SERVER_FQDN.crt
SSLCertificateKeyFile /etc/pki/tls/private/YOUR_SERVER_FQDN.key
SSLCACertificateFile /etc/pki/tls/certs/YOUR_SERVER_FQDN.ca-bundle.crt
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
Order deny,allow
Allow from all
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
#Allow forwarding to GitLab Rails app (Unicorn)
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward these requests to gitlab-workhorse
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
#Forward any other requests to GitLab Rails app (Unicorn)
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>
# This configuration has been tested on GitLab 8.1
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers
# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.
<VirtualHost *:80>
ServerName YOUR_SERVER_FQDN
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
#Allow forwarding to GitLab Rails app (Unicorn)
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward these requests to gitlab-workhorse
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
#Forward any other requests to GitLab Rails app (Unicorn)
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>
## Nginx config moved to official repository
You can find the nginx config in [GitLab official repository][gitlab].
You can find the nginx config in [GitLab official repository][gitlab] which can
be used for source installations.
## Omnibus configs
[Omnibus packages][] use their own bundled nginx server. If you want to use your
own external Nginx server, follow the first 3 steps to
[configure GitLab][omnibusnginxext] and then download the appropriate config
file (ssl or non-ssl) from this directory.
After placing the configs in their appropriate location
(read [Different conf directories](#different-conf-directories)), make sure to
restart Nginx.
## CentOS related Nginx notes
### Different conf directories
If nginx is installed through the package manager, adjust sites in `/etc/nginx/conf.d/`
If nginx is installed through the package manager, adjust sites in `/etc/nginx/conf.d/`
instead of `/etc/nginx/sites-available/` or create those directories and tell `nginx`
to monitor them:
......@@ -31,3 +43,5 @@ or replace the default `nginx` user with `git` and group `root` in `/etc/nginx/n
user git root;
[gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/support/nginx "Nginx config for GitLab"
[Omnibus packages]: https://about.gitlab.com/downloads/
[omnibusnginxext]: http://doc.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment