From 4f30a33f8c2450b9598aff6677f7244dac405f5e Mon Sep 17 00:00:00 2001
From: MirageTurtle <60972592+MirageTurtle@users.noreply.github.com>
Date: Thu, 28 Aug 2025 00:37:40 +0800
Subject: [PATCH 1/4] assets: nginx bypass puma when accessing assets.
---
 Dockerfile | 1 +
 assets/runtime/config/nginx/gitlab | 103 +++++++++++++++++++++++++++++
 assets/runtime/functions | 4 ++
 testdrive.sh | 8 ++-
 4 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 assets/runtime/config/nginx/gitlab
diff --git a/Dockerfile b/Dockerfile
index f1811e80d..9cec98474 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,4 +2,5 @@ FROM sameersbn/gitlab:18.1.1
 
 # Override files
 COPY assets/runtime/config/gitlabhq/gitlab.yml ${GITLAB_RUNTIME_DIR}/config/gitlabhq/gitlab.yml
+COPY assets/runtime/config/nginx/gitlab ${GITLAB_RUNTIME_DIR}/config/nginx/gitlab
 COPY assets/runtime/functions ${GITLAB_RUNTIME_DIR}/functions
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
new file mode 100644
index 000000000..0f31981d2
--- /dev/null
+++ b/assets/runtime/config/nginx/gitlab
@@ -0,0 +1,103 @@
+## GitLab
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+##################################
+## CONTRIBUTING ##
+##################################
+##
+## If you change this file in a Merge Request, please also create
+## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+##
+###################################
+## configuration ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
+
+upstream gitlab-workhorse {
+ server localhost:8181 fail_timeout=0;
+}
+
+map $http_upgrade $connection_upgrade_gitlab {
+ default upgrade;
+ '' close;
+}
+
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+ ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+ default $request_uri;
+}
+log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+## Normal HTTP host
+server {
+ ## Either remove "default_server" from the listen line below,
+ ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+ ## to be served if you visit any address that your server responds to, eg. 
+ ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 default_server;
+ server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+
+ ## See app/controllers/application_controller.rb for headers set
+
+ ## Real IP Module Config
+ ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+ real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+ real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on'
+ ## If you have a trusted IP address, uncomment it and set it
+ set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
+ add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
+ add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
+
+ ## Individual nginx logs for this GitLab vhost
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
+ error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
+
+ location / {
+ client_max_body_size 0;
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds. 
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+ proxy_buffering {{NGINX_PROXY_BUFFERING}};
+
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade_gitlab;
+
+ proxy_pass http://gitlab-workhorse;
+ }
+
+ error_page 404 /404.html;
+ error_page 422 /422.html;
+ error_page 500 /500.html;
+ error_page 502 /502.html;
+ error_page 503 /503.html;
+ location /assets/ {
+ alias {{GITLAB_INSTALL_DIR}}/public/assets/;
+ expires max;
+ add_header Cache-Control public;
+ }
+ location ~ ^/(404|422|500|502|503)\.html$ {
+ root {{GITLAB_INSTALL_DIR}}/public;
+ internal;
+ }
+
+ {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
+}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 5343bba52..3db08e885 100755
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -2174,6 +2174,10 @@ configure_nginx() {
 -e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
 /etc/nginx/nginx.conf
 
+ # https://github.com/ustclug/docker-gitlab/issues/4
+ echo "Adding nginx to ${GITLAB_USER} group..."
+ usermod -a -G ${GITLAB_USER} nginx
+
 nginx_configure_gitlab
 nginx_configure_gitlab_ci
 nginx_configure_gitlab_registry
diff --git a/testdrive.sh b/testdrive.sh
index e8562ac14..6812321d3 100755
--- a/testdrive.sh
+++ b/testdrive.sh
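Review bot: The `add_header Cache-Control public;` inside `location /assets/` switches off the server-level `add_header` lines for asset responses, because nginx only inherits `add_header` into a block that declares none of its own; as written, `Strict-Transport-Security` and `X-Accel-Buffering` are sent for requests proxied through `location /` but not for anything served from `/assets/`. Repeat the HSTS header inside the location, `add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";`, or move the server-wide headers into a snippet included by both blocks. A comment such as `## add_header is not inherited once a block sets its own; repeat server-wide headers here` next to the location would keep the next editor from reopening the gap. Both `location /assets/` and the `alias` target end in a slash, so the prefix/alias mismatch that would otherwise expose the parent directory does not apply here.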
@@ -51,6 +51,12 @@ check() {
 echo "Error: Failed to find 'example oauth' in gitlab.yml"
 return 1
 fi
+ assets_location="/assets/locale/zh_CN/app-45e4963f833169170e6fd77b78bb1758d413a6a676d484235818594551d2e018.js"
+ assets_code=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url$assets_location")
+ if [[ $assets_code -lt 200 || $assets_code -gt 399 ]]; then
+ echo "Error: Failed to access $url$assets_location (status code: $assets_code)"
+ return 1
+ fi
 return 0
 }
 
@@ -58,6 +64,6 @@ RETRIES="48"
 RETRIED=0
 WAIT_TIME="5s"
 
-until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; } ; do
+until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; }; do
 sleep "${WAIT_TIME}"
 done
From 04934dad0b7925f47cb568f43e41b20d0e5ea4b3 Mon Sep 17 00:00:00 2001
From: MirageTurtle <60972592+MirageTurtle@users.noreply.github.com>
Date: Thu, 28 Aug 2025 10:55:01 +0800
Subject: [PATCH 2/4] testdrive: make asset check dynamic by finding actual asset files.
---
 testdrive.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/testdrive.sh b/testdrive.sh
index 6812321d3..001ea3e0d 100755
--- a/testdrive.sh
+++ b/testdrive.sh
@@ -51,7 +51,8 @@ check() {
 echo "Error: Failed to find 'example oauth' in gitlab.yml"
 return 1
 fi
- assets_location="/assets/locale/zh_CN/app-45e4963f833169170e6fd77b78bb1758d413a6a676d484235818594551d2e018.js"
+ first_asset=$(docker exec "gitlab-${SUFFIX}" bash -c 'ls /home/git/gitlab/public/assets/*.js 2>/dev/null | head -n 1 | basename')
+ assets_location="/assets/$first_asset"
 assets_code=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url$assets_location")
 if [[ $assets_code -lt 200 || $assets_code -gt 399 ]]; then
 echo "Error: Failed to access $url$assets_location (status code: $assets_code)"
From 6135e15f6934ab094937e18e84e57f72c25106a0 Mon Sep 17 00:00:00 2001
From: MirageTurtle <60972592+MirageTurtle@users.noreply.github.com>
Date: Thu, 28 Aug 2025 11:04:33 +0800
Subject: [PATCH 3/4] fix: Add xargs to properly handle asset file basename extraction.
---
 testdrive.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testdrive.sh b/testdrive.sh
index 001ea3e0d..06cca83f0 100755
--- a/testdrive.sh
+++ b/testdrive.sh
@@ -51,7 +51,7 @@ check() {
 echo "Error: Failed to find 'example oauth' in gitlab.yml"
 return 1
 fi
- first_asset=$(docker exec "gitlab-${SUFFIX}" bash -c 'ls /home/git/gitlab/public/assets/*.js 2>/dev/null | head -n 1 | basename')
+ first_asset=$(docker exec "gitlab-${SUFFIX}" bash -c 'ls /home/git/gitlab/public/assets/*.js 2>/dev/null | head -n 1 | xargs -n 1 basename')
 assets_location="/assets/$first_asset"
 assets_code=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url$assets_location")
 if [[ $assets_code -lt 200 || $assets_code -gt 399 ]]; then
From eb046ae6932eb8fc994c3875a01d6962deccc5c4 Mon Sep 17 00:00:00 2001
From: MirageTurtle <60972592+MirageTurtle@users.noreply.github.com>
Date: Tue, 9 Sep 2025 00:55:50 +0800
Subject: [PATCH 4/4] change GITLAB_HOME mode for access, instead of using user group.
---
 assets/runtime/functions | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 3db08e885..377e4f7f4 100755
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -1958,6 +1958,11 @@ install_configuration_templates() {
 install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
 }
 
+gitlab_configure_assets_access() {
+ # https://github.com/ustclug/docker-gitlab/issues/4
+ chmod 755 ${GITLAB_HOME}
+}
+
 configure_gitlab() {
 echo "Configuring gitlab..."
 update_template ${GITLAB_CONFIG} \
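Review bot: `first_asset` is empty whenever the `ls` glob matches nothing (assets not yet compiled, or an install path other than the hard-coded `/home/git/gitlab/public/assets`), and the check then requests `$url/assets/` and reports a misleading "Failed to access" error instead of the real cause. Guard it right after the assignment: `if [[ -z "$first_asset" ]]; then echo "Error: no *.js asset found under /home/git/gitlab/public/assets"; return 1; fi`. The `ls | head | xargs -n 1 basename` pipeline also only works because fingerprinted asset names contain no whitespace; `find /home/git/gitlab/public/assets -maxdepth 1 -name '*.js' -printf '%f\n' | head -n 1` yields the basename directly and copes with any filename. The enclosing `check()` starts outside the hunk.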
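Review bot: `chmod 755 ${GITLAB_HOME}` in `gitlab_configure_assets_access` grants more than nginx needs: serving `public/assets` directly only requires that every directory on the path be traversable by the nginx uid (the execute bit), whereas `755` also makes `GITLAB_HOME` world-listable for any other uid in the container and silently re-widens the mode on every start if an operator had tightened it. `chmod o+x "${GITLAB_HOME}"` (quoted) expresses the intent with least privilege; whether the directories beneath it, `${GITLAB_INSTALL_DIR}` and `public`, are already traversable is not visible in this hunk and should be confirmed, since the fix depends on it. Say why in the comment rather than only linking the issue, e.g. `# nginx runs as its own uid and must traverse GITLAB_HOME to serve public/assets without joining the git group (issue 4)`. Dropping the earlier `usermod -a -G ${GITLAB_USER} nginx`, which would have given nginx group-level read access to everything under GITLAB_HOME, is the right direction.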
@@ -2018,6 +2023,7 @@ configure_gitlab() {
 gitlab_configure_sentry
 generate_healthcheck_script
 gitlab_configure_content_security_policy
+ gitlab_configure_assets_access
 
 # remove stale gitlab.socket
 rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
@@ -2174,10 +2180,6 @@ configure_nginx() {
 -e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
 /etc/nginx/nginx.conf
 
- # https://github.com/ustclug/docker-gitlab/issues/4
- echo "Adding nginx to ${GITLAB_USER} group..."
- usermod -a -G ${GITLAB_USER} nginx
-
 nginx_configure_gitlab
 nginx_configure_gitlab_ci
 nginx_configure_gitlab_registry