Update gitlab configuration and readme

README.md

@@ -24,4 +24,11 @@ Links:
 Additional issues that helped to resolve the configuration:
 - https://gitlab.com/gitlab-org/gitlab-ce/issues/3262
 - https://gitlab.com/gitlab-org/gitlab-ce/issues/3262
-- https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
\ No newline at end of file
+- https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
+
+Prepareing target hosts:
+- Copy pdevop:/home/gitlab-runner/.ssh/id_rsa.pub to authenticated keys on target host
+- ssh-keygen on target and paste the public key into deployment keys on gitlab
+
+Preparing gitlab-runner:
+- Configure Ansible with vault and password

templates/default-ssl

-NameVirtualHost *:443
-
 <VirtualHost _default_:443>
-    ServerName gitlab.paragon-es.de
-    ServerAdmin admin@paragon-es.de
-    ServerSignature Off
-    DocumentRoot /var/opt/gitlab
+  SSLEngine on
+  #strong encryption ciphers only
+  #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
+  SSLProtocol all -SSLv2
+  SSLHonorCipherOrder on
+  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+  SSLCompression Off
+  SSLCertificateChainFile /etc/ssl/private/Intermediate_CA_Bundle.crt
+  SSLCertificateFile /etc/ssl/private/paragon-es.de.crt
+  SSLCertificateKeyFile /etc/ssl/private/paragon-es.de.key
 
-    ProxyPreserveHost On
-    AllowEncodedSlashes NoDecode
-    RequestHeader set X_FORWARDED_PROTO 'https'
+  ServerName {{ gitlab_domain }}
+  ServerSignature Off
 
-    ProxyPass / http://127.0.0.1:8888/
-    ProxyPassReverse / http://127.0.0.1:8888/
+  ProxyPreserveHost On
 
-    ErrorLog ${APACHE_LOG_DIR}/gitlab-error.log
-    LogLevel warn
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
-    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-    CustomLog ${APACHE_LOG_DIR}/gitlab_ssl_access.log combined env=!forwarded
-    CustomLog ${APACHE_LOG_DIR}/gitlab_ssl_access.log proxy env=forwarded
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
 
-    SSLEngine on
-    SSLCertificateChainFile /etc/ssl/private/Intermediate_CA_Bundle.crt
-    SSLCertificateFile /etc/ssl/private/paragon-es.de.crt
-    SSLCertificateKeyFile /etc/ssl/private/paragon-es.de.key
+  <Location />
+      Order deny,allow
+      Allow from all
 
-    <FilesMatch "\.(cgi|shtml|phtml|php)$">
-        SSLOptions +StdEnvVars
-    </FilesMatch>
-    <Directory /usr/lib/cgi-bin>
-        SSLOptions +StdEnvVars
-    </Directory>
-    BrowserMatch "MSIE [2-6]" \
-        nokeepalive ssl-unclean-shutdown \
-        downgrade-1.0 force-response-1.0
-    # MSIE 7 and newer should be able to use keepalive
-    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
-</VirtualHost>
+      #Allow forwarding to gitlab-git-http-server
+      ProxyPassReverse http://127.0.0.1:8181
+      #Allow forwarding to GitLab Rails app (Unicorn)
+      ProxyPassReverse http://127.0.0.1:8080
+      ProxyPassReverse http://{{ gitlab_domain }}/
+  </Location>
 
-<VirtualHost _default_:443>
-    ServerName youtrack.paragon-es.de
-    ServerAdmin admin@paragon-es.de
-    ServerSignature Off
+  # Apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
 
-    ProxyPreserveHost On
-    AllowEncodedSlashes NoDecode
-    RequestHeader set X_FORWARDED_PROTO 'https'
+  #Forward these requests to gitlab-git-http-server
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
 
-    ProxyRequests Off
-    <Proxy *:80>
-      Order deny,allow
-      Allow from all
-    </Proxy>
-    ProxyPass /~socket.io/1/websocket ws://127.0.0.1:8085/~socket.io/1/websocket
-    ProxyPass / http://127.0.0.1:8085/
-    ProxyPassReverse / http://127.0.0.1:8085/
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+  RequestHeader set X_FORWARDED_PROTO 'https'
+  RequestHeader set X-Forwarded-Ssl on
 
-    ErrorLog ${APACHE_LOG_DIR}/youtrack-error.log
-    LogLevel warn
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
-    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-    CustomLog ${APACHE_LOG_DIR}/youtrack_ssl_access.log combined env=!forwarded
-    CustomLog ${APACHE_LOG_DIR}/youtrack_ssl_access.log proxy env=forwarded
+  # needed for downloading attachments
+  DocumentRoot /var/opt/gitlab
 
-    SSLEngine on
-    SSLCertificateChainFile /etc/ssl/private/Intermediate_CA_Bundle.crt
-    SSLCertificateFile /etc/ssl/private/paragon-es.de.crt
-    SSLCertificateKeyFile /etc/ssl/private/paragon-es.de.key
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
 
-    <FilesMatch "\.(cgi|shtml|phtml|php)$">
-        SSLOptions +StdEnvVars
-    </FilesMatch>
-    <Directory /usr/lib/cgi-bin>
-        SSLOptions +StdEnvVars
-    </Directory>
-    BrowserMatch "MSIE [2-6]" \
-        nokeepalive ssl-unclean-shutdown \
-        downgrade-1.0 force-response-1.0
-    # MSIE 7 and newer should be able to use keepalive
-    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+  # It is assumed that the log directory is in /var/log/httpd.
+  # For Debian distributions you might want to change this to
+  # /var/log/apache2.
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog ${APACHE_LOG_DIR}/gitlab_ssl_error.log
+  CustomLog ${APACHE_LOG_DIR}/gitlab_ssl_forwarded.log common_forwarded
+  CustomLog ${APACHE_LOG_DIR}/gitlab_ssl_access.log combined env=!dontlog
+  CustomLog ${APACHE_LOG_DIR}/gitlab_ssl.log combined
 </VirtualHost>
-