Research: charts approach for GitLab Pages without DNS wildcard
This issue is to discuss and find a possible approach for running GitLab Pages from the charts without a wildcard DNS record (namespace-in-path instead of namespace-in-host).
Related
- Issues: GitLab Pages: Add support for namespace-in-path... (gitlab-org/charts/gitlab#5260 - closed)
- MR: Add namespace-in-path parameter for GitLab Pages (gitlab-org/charts/gitlab!3491 - closed)
Things to add in NGINX config:
- First server block:
  - A server block for the Pages URL without a namespace (example: `server_name ~^example\.io$;`).
  - The `location` blocks shown in the example below:
    `location ~ ^/(?<namespace>[^/]+)$ { return 301 $scheme://$http_host$request_uri/; }`
    `location ~ ^/(?<namespace>[^/]+)/(?<project>.*)$ { ... }`
    (Note: `$request_uri` includes the query string, so the trailing `/` is appended after any `?...`; `$uri/$is_args$args` avoids that.)
  - `rewrite ^/([^/]+)/(.*)$ /$2 break;`
  - `proxy_set_header Host $1.$http_host;` (`$1` is the namespace captured by the `rewrite` above; the named capture `$namespace` from the `location` regex is the same value)
  - `proxy_set_header X-Gitlab-Namespace-In-Path $namespace;`
  - `proxy_redirect` directives in the first server block (namespace moved from host back into the path before the redirect reaches the user):
    `proxy_redirect ~^(https://example\.io/projects/auth)(.*)$ $1$2;`
    `proxy_redirect ~^https://([^/]*)\.(example\.io)/(.*)$ https://$2/$1/$3;`
    `proxy_redirect ~^//([^/]*)\.(example\.io)/(.*)$ https://$2/$1/$3;`
    `proxy_redirect ~^/(.*)$ https://example\.io/$namespace/$1;`
- In the second (wildcard) server block:
  `proxy_hide_header X-Gitlab-Namespace-In-Path;`
  Note that `proxy_hide_header` only strips the header from the *upstream response*; it does not remove an `X-Gitlab-Namespace-In-Path` header that a client supplies in the request, and nginx forwards client request headers to the daemon by default. To make sure the daemon never receives a client-chosen value on the wildcard vhost, also add `proxy_set_header X-Gitlab-Namespace-In-Path "";` (an empty value makes nginx drop the header from the proxied request).
Sample `/var/opt/gitlab/nginx/conf/gitlab-pages.conf`:
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Handle requests having namespace in path
## See https://gitlab.com/gitlab-org/gitlab/-/issues/211677
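## Vhost for the bare Pages domain. Requests arrive as
## https://example.io/<namespace>/<project>/... and are translated into the
## host-based form (<namespace>.example.io/<project>/...) that the Pages
## daemon on localhost:8090 understands.
server {
  listen *:443 ssl http2;
  server_name ~^example\.io$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Disable symlink traversal
  disable_symlinks on;
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/gitlab/ssl/pages-nginx.crt;
  ssl_certificate_key /etc/gitlab/ssl/pages-nginx.key;
  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers '<SOME_CIPHER>';
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout 1d;
  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=63072000 ";
  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/gitlab/nginx/gitlab_pages_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_pages_error.log error;
  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;

  ## A bare /<namespace> URL gets a trailing slash so relative links resolve
  ## under the namespace. $uri is the normalized path without the query string;
  ## $is_args$args re-attaches the query after the slash. (The previous form,
  ## `$request_uri/`, appended the slash after the query string, turning
  ## /ns?x=1 into /ns?x=1/.)
  ## NOTE(review): $http_host is echoed into the Location header. It is only
  ## bounded by server_name if some other server is the default_server for
  ## *:443; if this block is the default, an unmatched Host header lands here
  ## and is reflected in the redirect -- confirm the listen setup.
  location ~ ^/(?<namespace>[^/]+)$ {
    return 301 $scheme://$http_host$uri/$is_args$args;
  }

  ## /<namespace>/<project>/... : strip the namespace from the path and put it
  ## back into the Host header before proxying to the daemon.
  location ~ ^/(?<namespace>[^/]+)/(?<project>.*)$ {
    ## Remove the leading /<namespace> so the daemon sees the project-relative path.
    rewrite ^/([^/]+)/(.*)$ /$2 break;
    ## Rebuild the host-based form: <namespace>.<original host>. The named
    ## capture from the location regex is used rather than `$1`, which after
    ## the rewrite refers to the rewrite's own capture (the same value here,
    ## but easy to break when either regex is edited).
    ## NOTE(review): [^/]+ is matched against the decoded $uri, so any byte
    ## other than '/' can end up in the Host header; consider restricting the
    ## class to hostname-safe characters if the daemon does not validate it.
    proxy_set_header Host $namespace.$http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Ssl on;
    ## Tell the daemon the namespace came from the path. Set unconditionally,
    ## so a client-supplied value of this header is always overwritten.
    proxy_set_header X-Gitlab-Namespace-In-Path $namespace;
    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
    # header.
    #
    # Browsers already respect this directive and Pages can handle the request
    # volume without help from NGINX.
    #
    # If this changes in the future, ensure `proxy_cache_key` is set to a value
    # like `$scheme$host$request_uri`, as the default value does not take the
    # Pages hostname into account, leading to incorrect responses being served.
    #
    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
    proxy_cache off;
    proxy_http_version 1.1;
    proxy_pass http://localhost:8090;
    ## Rewrite Location headers from the daemon back into the path-based form
    ## before they reach the user. Rules are tried in order; the first one
    ## deliberately matches the auth endpoint and leaves it untouched so the
    ## later host->path rules do not rewrite it.
    proxy_redirect ~^(https://example\.io/projects/auth)(.*)$ $1$2;
    proxy_redirect ~^https://([^/]*)\.(example\.io)/(.*)$ https://$2/$1/$3;
    proxy_redirect ~^//([^/]*)\.(example\.io)/(.*)$ https://$2/$1/$3;
    proxy_redirect ~^/(.*)$ https://example\.io/$namespace/$1;
  }
}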
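## Vhost for the wildcard form (<group>.example.io). Requests already carry
## the namespace in the host, so they are passed through to the daemon as-is.
server {
  listen *:443 ssl http2;
  server_name ~^(?<group>.*)\.example\.io$;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Disable symlink traversal
  disable_symlinks on;
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/gitlab/ssl/pages-nginx.crt;
  ssl_certificate_key /etc/gitlab/ssl/pages-nginx.key;
  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers '<SOME_CIPHER>';
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout 1d;
  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=63072000 ";
  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/gitlab/nginx/gitlab_pages_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_pages_error.log error;
  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;

  ## Pass everything to the Pages daemon; the namespace is already in the host.
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Ssl on;
    ## X-Gitlab-Namespace-In-Path is only meaningful when nginx itself sets it
    ## from the path (bare-domain vhost). On this vhost a client must not be
    ## able to smuggle one in: nginx forwards client request headers by default,
    ## and `proxy_hide_header` alone only strips the header from the *response*.
    ## Setting the header to an empty value makes nginx drop it from the
    ## proxied request. What the daemon would do with a spoofed value is not
    ## visible from this file; stripping it removes the question.
    proxy_set_header X-Gitlab-Namespace-In-Path "";
    ## Additionally keep the header out of the response to the client, should
    ## the daemon ever echo it.
    proxy_hide_header X-Gitlab-Namespace-In-Path;
    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
    # header.
    #
    # Browsers already respect this directive and Pages can handle the request
    # volume without help from NGINX.
    #
    # If this changes in the future, ensure `proxy_cache_key` is set to a value
    # like `$scheme$host$request_uri`, as the default value does not take the
    # Pages hostname into account, leading to incorrect responses being served.
    #
    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
    proxy_cache off;
    proxy_http_version 1.1;
    proxy_pass http://localhost:8090;
  }
}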
/cc @vshushlin