assets: nginx bypass puma when accessing assets. (#5)

* assets: nginx bypass puma when accessing assets.

* testdrive: make asset check dynamic by finding actual asset files.

* fix: Add xargs to properly handle asset file basename extraction.

* change GITLAB_HOME mode for access, instead of using user group.

Author: MirageTurtle

Dockerfile

@@ -2,4 +2,5 @@ FROM sameersbn/gitlab:18.1.1
 
 # Override files
 COPY assets/runtime/config/gitlabhq/gitlab.yml ${GITLAB_RUNTIME_DIR}/config/gitlabhq/gitlab.yml
+COPY assets/runtime/config/nginx/gitlab ${GITLAB_RUNTIME_DIR}/config/nginx/gitlab
 COPY assets/runtime/functions ${GITLAB_RUNTIME_DIR}/functions

assets/runtime/config/nginx/gitlab

@@ -0,0 +1,103 @@
+## GitLab
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+##################################
+##        CONTRIBUTING          ##
+##################################
+##
+## If you change this file in a Merge Request, please also create
+## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+##
+###################################
+##         configuration         ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
+
+upstream gitlab-workhorse {
+  server localhost:8181 fail_timeout=0;
+}
+
+map $http_upgrade $connection_upgrade_gitlab {
+    default upgrade;
+    ''      close;
+}
+
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+    ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+    default $request_uri;
+}
+log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
+                  '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+                  '"$http_referer" "$http_user_agent"';
+
+## Normal HTTP host
+server {
+  ## Either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+  ## to be served if you visit any address that your server responds to, eg.
+  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
+  listen 0.0.0.0:80 default_server;
+  listen [::]:80 default_server;
+  server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
+  add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
+  add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
+
+  location / {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://gitlab-workhorse;
+  }
+
+  error_page 404 /404.html;
+  error_page 422 /422.html;
+  error_page 500 /500.html;
+  error_page 502 /502.html;
+  error_page 503 /503.html;
+  location /assets/ {
+      alias {{GITLAB_INSTALL_DIR}}/public/assets/;
+      expires max;
+      add_header Cache-Control public;
+  }
+  location ~ ^/(404|422|500|502|503)\.html$ {
+    root {{GITLAB_INSTALL_DIR}}/public;
+    internal;
+  }
+
+  {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
+}

assets/runtime/functions

@@ -1958,6 +1958,11 @@ install_configuration_templates() {
   install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
 }
 
+gitlab_configure_assets_access() {
+  # https://github.com/ustclug/docker-gitlab/issues/4
+  chmod 755 ${GITLAB_HOME}
+}
+
 configure_gitlab() {
   echo "Configuring gitlab..."
   update_template ${GITLAB_CONFIG} \
@@ -2018,6 +2023,7 @@ configure_gitlab() {
   gitlab_configure_sentry
   generate_healthcheck_script
   gitlab_configure_content_security_policy
+  gitlab_configure_assets_access
 
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket

testdrive.sh

@@ -51,13 +51,20 @@ check() {
         echo "Error: Failed to find 'example oauth' in gitlab.yml"
         return 1
     fi
+    first_asset=$(docker exec "gitlab-${SUFFIX}" bash -c 'ls /home/git/gitlab/public/assets/*.js 2>/dev/null | head -n 1 | xargs -n 1 basename')
+    assets_location="/assets/$first_asset"
+    assets_code=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url$assets_location")
+    if [[ $assets_code -lt 200 || $assets_code -gt 399 ]]; then
+        echo "Error: Failed to access $url$assets_location (status code: $assets_code)"
+        return 1
+    fi
     return 0
 }
 
 RETRIES="48"
 RETRIED=0
 WAIT_TIME="5s"
 
-until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; } ; do
+until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; }; do
     sleep "${WAIT_TIME}"
 done