diff --git a/Dockerfile b/Dockerfile index 0fe94c8d0..5264a3ed3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,6 +6,7 @@ ENV GITLAB_VERSION=8.17.0 \ GOLANG_VERSION=1.6.3 \ GITLAB_SHELL_VERSION=4.1.1 \ GITLAB_WORKHORSE_VERSION=1.3.0 \ + GITLAB_PAGES_VERSION=0.3.2 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ @@ -15,6 +16,7 @@ ENV GITLAB_VERSION=8.17.0 \ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ GITLAB_WORKHORSE_INSTALL_DIR="${GITLAB_HOME}/gitlab-workhorse" \ + GITLAB_PAGES_INSTALL_DIR="${GITLAB_HOME}/gitlab-pages" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" diff --git a/assets/build/install.sh b/assets/build/install.sh index c8379e471..7914e808f 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -4,6 +4,7 @@ set -e GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-ce.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/repository/archive.tar.gz GITLAB_WORKHORSE_URL=https://gitlab.com/gitlab-org/gitlab-workhorse/repository/archive.tar.gz +GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages/repository/archive.tar.gz GEM_CACHE_DIR="${GITLAB_BUILD_DIR}/cache" @@ -60,6 +61,7 @@ exec_as_git ./bin/install # remove unused repositories directory created by gitlab-shell install exec_as_git rm -rf ${GITLAB_HOME}/repositories +# download gitlab-workhose echo "Downloading gitlab-workhorse v.${GITLAB_WORKHORSE_VERSION}..." mkdir -p ${GITLAB_WORKHORSE_INSTALL_DIR} wget -cq ${GITLAB_WORKHORSE_URL}?ref=v${GITLAB_WORKHORSE_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz 
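Review bot: The comment added above the download step misspells the component: `# download gitlab-workhose` should read `# download gitlab-workhorse`, matching the echo line directly below it. Nothing else in this hunk changes; the download sequence itself continues in the next hunk.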
@@ -67,13 +69,32 @@ tar xf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz - rm -rf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz chown -R ${GITLAB_USER}: ${GITLAB_WORKHORSE_INSTALL_DIR} +#download golang echo "Downloading Go ${GOLANG_VERSION}..." wget -cnv https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/ tar -xf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz -C /tmp/ +#install gitlab-workhorse cd ${GITLAB_WORKHORSE_INSTALL_DIR} PATH=/tmp/go/bin:$PATH GOROOT=/tmp/go make install +#download pages +echo "Downloading gitlab-pages v.${GITLAB_PAGES_VERSION}..." +mkdir -p ${GITLAB_PAGES_INSTALL_DIR} +wget -cq ${GITLAB_PAGES_URL}?ref=v${GITLAB_PAGES_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz +tar xf ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz --strip 1 -C ${GITLAB_PAGES_INSTALL_DIR} +rm -rf ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz +chown -R ${GITLAB_USER}: ${GITLAB_PAGES_INSTALL_DIR} + +#install gitlab-pages +cd ${GITLAB_PAGES_INSTALL_DIR} +GODIR=/tmp/go/src/gitlab.com/gitlab-org/gitlab-pages +mkdir -p "$(dirname "$GODIR")" +ln -sfv "$(pwd -P)" "$GODIR" +cd "$GODIR" +PATH=/tmp/go/bin:$PATH GOROOT=/tmp/go make gitlab-pages +mv gitlab-pages /usr/local/bin/ + # remove go rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz /tmp/go diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index ffb438d24..a7732a1b1 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml 
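Review bot: The gitlab-pages archive fetched on the `wget -cq ${GITLAB_PAGES_URL}?ref=v${GITLAB_PAGES_VERSION}` line is extracted, compiled and moved into /usr/local/bin without any integrity check, so the image contains whatever the tag resolved to at build time. The existing workhorse download above follows the same pattern, but for the new code a pinned digest stored next to GITLAB_PAGES_VERSION would make the build reproducible and tamper-evident, e.g. `echo "${GITLAB_PAGES_SHA256}  ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz" | sha256sum -c -` placed before the `tar xf` line (GITLAB_PAGES_SHA256 being a new constant to add to the Dockerfile ENV block). Separately, the build sets GOROOT=/tmp/go but no GOPATH while the symlink places the checkout under /tmp/go/src/gitlab.com/gitlab-org/gitlab-pages; whether the `make gitlab-pages` target builds under that layout cannot be seen from this diff, so it is worth a comment stating the assumption.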
@@ -155,6 +155,21 @@ production: &base # The location where LFS objects are stored (default: shared/lfs-objects). storage_path: {{GITLAB_LFS_OBJECTS_DIR}} + ## GitLab Pages + pages: + enabled: {{GITLAB_PAGES_ENABLED}} + # The location where pages are stored (default: shared/pages). + # path: shared/pages + # The domain under which the pages are served: + # http://group.example.com/project + # or project path can be a group page: group.example.com + host: {{GITLAB_PAGES_DOMAIN}} + port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS + https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS + external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages + external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages + + ## Mattermost ## For enabling Add to Mattermost button mattermost: diff --git a/assets/runtime/config/nginx/gitlab-pages b/assets/runtime/config/nginx/gitlab-pages new file mode 100644 index 000000000..8a11ca2fc --- /dev/null +++ b/assets/runtime/config/nginx/gitlab-pages @@ -0,0 +1,23 @@ +## GitLab +## +## Pages serving host +server { + listen 0.0.0.0:80; + listen [::]:80 ipv6only=on; + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + ## Individual nginx logs for GitLab pages + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # The same address as passed to GitLab Pages: `-listen-proxy` + proxy_pass http://localhost:8090/; + } + # Define custom error pages + error_page 403 /403.html; + error_page 404 /404.html; +} \ No newline at end of file 
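Review bot: The new `pages:` block leaves `# path: shared/pages` commented out, while the same change introduces GITLAB_PAGES_DIR as a user-overridable location that initialize_datadir creates, so a non-default GITLAB_PAGES_DIR would be prepared on disk but GitLab would keep writing to shared/pages. Templating it the way the LFS block above does, `path: {{GITLAB_PAGES_DIR}}`, and adding GITLAB_PAGES_DIR to the update_template call in gitlab_configure_pages keeps the two in step. The inline comments on the `external_http`/`external_https` lines are removed together with the line when the variable is empty, which is fine but worth knowing when reading the generated file.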
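Review bot: `server_name ~^.*{{GITLAB_PAGES_DOMAIN}};` is anchored only at the start and its leading `.*` accepts any prefix, so after substitution the vhost also claims hosts in which the pages domain merely appears as a substring (a constructed example: `example.com.other.tld`) and proxies them to the Pages daemon. A boundary-aware, end-anchored pattern such as `server_name ~^(.+\.)?{{GITLAB_PAGES_DOMAIN}}$;` limits the block to the pages domain and its subdomains; the SSL template uses the same expression and should be changed together with this one. This plain-HTTP block also lacks the `server_tokens off;` that the SSL variant sets, which is worth adding for consistency.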
diff --git a/assets/runtime/config/nginx/gitlab-pages-ssl b/assets/runtime/config/nginx/gitlab-pages-ssl
new file mode 100644
index 000000000..494144920
--- /dev/null
+++ b/assets/runtime/config/nginx/gitlab-pages-ssl
@@ -0,0 +1,77 @@ +## GitLab +## + +## Redirects all HTTP traffic to the HTTPS host +server { + ## Either remove "default_server" from the listen line below, + ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab + ## to be served if you visit any address that your server responds to, eg. + ## the ip address of the server (http://x.x.x.x/) + listen 0.0.0.0:80; + listen [::]:80 ipv6only=on; + + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + + return 301 https://$host:{{GITLAB_PORT}}$request_uri; + + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; +} + +## Pages serving host +server { + listen 0.0.0.0:443 ssl; + listen [::]:443 ipv6only=on ssl http2; + + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; + + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + + ## See app/controllers/application_controller.rb for headers set + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead 
and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + ssl_dhparam {{SSL_DHPARAM_PATH}}; + + ## Individual nginx logs for this GitLab vhost + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; + + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # The same address as passed to GitLab Pages: `-listen-proxy` + proxy_pass http://localhost:8090/; + } + + # Define custom error pages + error_page 403 /403.html; + error_page 404 /404.html; +} \ No newline at end of file diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 8b9f2dfce..9c5328426 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -137,6 +137,9 @@ SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key} SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt} +SSL_PAGES_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key} +SSL_PAGES_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt} + SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt} 
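Review bot: The placeholders in this template do not match the variables nginx_configure_pages hands to update_template (hunk @@ -991 in assets/runtime/functions): the template uses `{{SSL_CERTIFICATE_PATH}}`, `{{SSL_KEY_PATH}}` and `{{GITLAB_PORT}}`, while the function substitutes SSL_PAGES_CERT_PATH, SSL_PAGES_KEY_PATH and GITLAB_PAGES_PORT, so — assuming update_template replaces `{{NAME}}` by variable name as its other call sites suggest — those three tokens survive into /etc/nginx/sites-enabled/gitlab-pages and nginx rejects the file at `ssl_certificate {{SSL_CERTIFICATE_PATH}};`. The lines should read `ssl_certificate {{SSL_PAGES_CERT_PATH}};`, `ssl_certificate_key {{SSL_PAGES_KEY_PATH}};` and `return 301 https://$host:{{GITLAB_PAGES_PORT}}$request_uri;`. The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line and the 3DES entries in the cipher list are copied from the main GitLab vhost together with the "Java IDEs" comment, but Pages serves static sites to browsers only, so that justification does not apply here and the list can be tightened independently. This hunk starts on the previous source line.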
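Review bot: Both new defaults test the wrong override variable: `SSL_PAGES_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-...}` and `SSL_PAGES_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-...}` read the registry variables, which the two lines above have just assigned unconditionally, so the pages paths always resolve to registry.key/registry.crt, the pages.key/pages.crt defaults are unreachable, and any SSL_PAGES_* value the user sets is ignored. They should be `SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}` and `SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}`. As written, the certificate presented for every pages subdomain would be the registry's, which is unlikely to carry the wildcard name the pages vhost needs.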
@@ -349,3 +352,13 @@ RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-"127.0.0.1"}
 RACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10}
 RACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60}
 RACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600}
+
+
+## GitLab Pages
+GITLAB_PAGES_ENABLED=${GITLAB_PAGES_ENABLED:-false}
+GITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-"example.com"}
+GITLAB_PAGES_DIR="${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}"
+GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80}
+GITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false}
+GITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-}
+GITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-}
\ No newline at end of file
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 4b9727246..b9bb92661 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -18,6 +18,7 @@ GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
 GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
 GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
 GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
+GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages"
 # Compares two version strings `a` and `b`
 # Returns
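Review bot: `GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80}` is fixed at 80 regardless of GITLAB_PAGES_HTTPS, so enabling HTTPS with otherwise default values renders `https://…:80` URLs from gitlab.yml, whose inline comment asks for 443 in that case. Deriving the default from the flag, e.g. `GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-$([[ ${GITLAB_PAGES_HTTPS} == true ]] && echo 443 || echo 80)}` with the GITLAB_PAGES_HTTPS line moved above it, removes the mismatch; if the file already conditions GITLAB_PORT on GITLAB_HTTPS elsewhere, mirror that form instead. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring before more lines are appended.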
@@ -911,6 +912,30 @@ gitlab_configure_registry(){ GITLAB_REGISTRY_ISSUER } +gitlab_configure_pages(){ + echo "Configuring gitlab::pages..." + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_ENABLED \ + GITLAB_PAGES_DOMAIN \ + GITLAB_PAGES_PORT \ + GITLAB_PAGES_HTTPS + + if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_EXTERNAL_HTTP + else + exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG} + fi + + if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_EXTERNAL_HTTPS + else + exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG} + fi +} + + nginx_configure_gitlab_ssl() { if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then echo "Configuring nginx::gitlab::ssl..." @@ -991,6 +1016,28 @@ nginx_configure_gitlab_registry() { fi } +nginx_configure_pages(){ + local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g') + + if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then + echo "Configuring nginx::gitlab-pages..." + update_template ${GITLAB_PAGES_NGINX_CONFIG} \ + GITLAB_PAGES_DOMAIN \ + GITLAB_PAGES_PORT \ + GITLAB_LOG_DIR \ + GITLAB_PAGES_DOMAIN \ + SSL_PAGES_CERT_PATH \ + SSL_PAGES_KEY_PATH \ + SSL_DHPARAM_PATH \ + GITLAB_LOG_DIR + else + echo "Configuring nginx::gitlab-pages..." + update_template ${GITLAB_PAGES_NGINX_CONFIG} \ + GITLAB_PAGES_DOMAIN \ + GITLAB_LOG_DIR + fi +} + # _|_|_| _| _| _| # _| _| _| _| _|_|_| _| _|_|_| @@ -1079,6 +1126,11 @@ initialize_datadir() { chmod u+rwX ${GITLAB_ARTIFACTS_DIR} chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} + # create pages dir + mkdir -p ${GITLAB_PAGES_DIR} + chmod u+rwX ${GITLAB_PAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR} + # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared rm -rf ${GITLAB_INSTALL_DIR}/shared ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared 
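Review bot: `exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}` (and the matching `-ie` call for GITLAB_PAGES_EXTERNAL_HTTPS) is parsed by GNU sed as `-i` with the backup suffix `e`, so each call leaves a stray copy of gitlab.yml with `e` appended next to the live config; `-i` alone is what is meant: `exec_as_git sed -i "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}`. The function runs unconditionally, which matches the other gitlab_configure_* helpers, but a one-line comment noting that `GITLAB_PAGES_ENABLED=false` is written into gitlab.yml rather than the block being removed would help the next reader.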
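Review bot: GITLAB_PAGES_DOMAIN and GITLAB_LOG_DIR are each listed twice in the HTTPS branch's update_template call; the duplicates are harmless but read as if two distinct placeholders were intended, and the list should be trimmed to one of each. No call site for nginx_configure_pages is visible in the diff, so confirm that configure_nginx (outside these hunks) invokes it, otherwise the installed template keeps its placeholders. The `local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')` line escapes the dot twice, presumably so that update_template's own sed pass leaves `\.` in the nginx regex; a short comment saying so would stop the next reader from "fixing" it.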
@@ -1153,6 +1205,9 @@ sanitize_datadir() { chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} + chmod -R u+rwX ${GITLAB_PAGES_DIR} + chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR} + chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} @@ -1238,6 +1293,22 @@ install_configuration_templates() { install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG} fi + + ## ${GITLAB_PAGES_NGINX_CONFIG} + if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then + if [[ -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then + install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG} + else + echo "SSL Key, SSL Certificate were not found." + echo "Assuming that the container is running behind a HTTPS enabled load balancer." + install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG} + fi + else + install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG} + fi + + + if [[ -n $GITLAB_CI_HOST ]]; then install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG} fi @@ -1297,6 +1368,7 @@ configure_gitlab() { gitlab_configure_analytics gitlab_configure_backups gitlab_configure_registry + gitlab_configure_pages # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket @@ -1315,6 +1387,44 @@ configure_gitlab_shell() { REDIS_DB_NUMBER } + +configure_gitlab_pages() { + echo "Configuring gitlab-pages..." +cat > /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <
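Review bot: The pages vhost is installed unconditionally in install_configuration_templates, while GITLAB_PAGES_ENABLED defaults to false, so with default settings nginx gets a regex vhost for `example.com` on port 80 that proxies to localhost:8090 where nothing listens. Wrapping the new block in `if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then … fi`, the way the CI vhost just below is gated on GITLAB_CI_HOST, avoids exposing an unused upstream. The fallback message is copied from the main vhost and would be clearer if it named the paths it checked (`${SSL_PAGES_CERT_PATH}`, `${SSL_PAGES_KEY_PATH}`); the two blank lines before the GITLAB_CI_HOST check are stray whitespace.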