diff --git a/Dockerfile b/Dockerfile
index d9d2ee771..98dc8d680 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,6 +40,9 @@ RUN set -ex && \
 && echo 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list \
 && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \
 && echo 'deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \
+ && wget --quiet -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg \
+ && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu jammy nginx" >> /etc/apt/sources.list.d/nginx.list \
+ && printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" >> /etc/apt/preferences.d/99nginx \
 && set -ex \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
@@ -55,7 +58,7 @@ RUN set -ex && \
 && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
 && locale-gen en_US.UTF-8 \
 && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* /etc/nginx/conf.d/default.conf
 COPY assets/build/ ${GITLAB_BUILD_DIR}/
 RUN bash ${GITLAB_BUILD_DIR}/install.sh
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index c2e22a297..75001235e 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
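Review bot: In the Dockerfile's first hunk the nginx.org source line uses plain `http://`, unlike the nodesource and yarn entries directly above it, and the signing key is trusted as downloaded without a fingerprint comparison. `signed-by` still makes apt verify the repository signature, but changing `http://nginx.org/packages/ubuntu` to `https://nginx.org/packages/ubuntu` removes the on-path tampering and stale-metadata window at image build time. It would also help to compare the imported key's fingerprint with the one nginx publishes before `apt-get update` runs, and to add a comment that the `Package: *` pin at priority 900 is meant to let this origin outrank the distribution archive for every package it serves. The RUN instruction starts and ends outside the hunk.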
@@ -30,7 +30,7 @@ map $request_uri $obfuscated_request_uri {
 ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
 default $request_uri;
 }
-log_format main '$remote_addr - $remote_user [$time_local] '
+log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
 '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent"';
@@ -58,7 +58,7 @@ server {
 add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {
diff --git a/assets/runtime/config/nginx/gitlab-registry b/assets/runtime/config/nginx/gitlab-registry
index 280436561..b37aac542 100644
--- a/assets/runtime/config/nginx/gitlab-registry
+++ b/assets/runtime/config/nginx/gitlab-registry
@@ -11,7 +11,7 @@ server {
 server_name {{GITLAB_REGISTRY_HOST}};
 server_tokens off; ## Don't show the nginx version number, a security best practice
 return 301 https://$http_host:$request_uri;
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log gitlab_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
 }
@@ -36,7 +36,7 @@ server {
 ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_session_timeout 5m;
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log gitlab_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
 location / {
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 893232b72..df349ec9b 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
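Review bot: In assets/runtime/config/nginx/gitlab the renamed `gitlab_access` format still logs `"$http_referer"` unfiltered, so a `private_token=` or `access_token=` value that the `map` masks in the request line can still be written to the access log when it arrives in a Referer header. A second `map` on `$http_referer` with the same pattern, referenced from the format in place of `$http_referer`, would close that gap; the same applies to `gitlab_ssl_access` in assets/runtime/config/nginx/gitlab-ssl. The `map` block opens above the hunk, and the format body is now duplicated under two different names in the two templates.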
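Review bot: In assets/runtime/config/nginx/gitlab-registry, `gitlab_access` is referenced in both hunks, but within this diff it is defined only in assets/runtime/config/nginx/gitlab; the gitlab-ssl template defines `gitlab_ssl_access` instead. nginx resolves the format name when it parses `access_log`, so if the registry vhost is rendered next to gitlab-ssl, or if `gitlab-registry.conf` is read from conf.d before `gitlab.conf`, startup would presumably fail with an unknown log format error (template selection and include order are not visible in this diff). Defining the `map` and `log_format` once in a snippet that is loaded before every vhost, or giving this template its own `log_format`, would remove the cross-file dependency. Both server blocks continue outside their hunks.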
@@ -34,7 +34,7 @@ map $request_uri $obfuscated_request_uri {
 ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
 default $request_uri;
 }
-log_format main '$remote_addr - $remote_user [$time_local] '
+log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] '
 '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent"';
@@ -49,7 +49,7 @@ server {
 server_name _; ## Replace this with something like gitlab.example.com
 server_tokens off; ## Don't show the nginx version number, a security best practice
 return 301 https://$host:{{GITLAB_PORT}}$request_uri;
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 }
@@ -103,7 +103,7 @@ server {
 ssl_dhparam {{SSL_DHPARAM_PATH}};
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 9bf91bbb1..b32048fb8 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -23,10 +23,10 @@ GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml"
 GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
 GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
 GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
-GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
-GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
-GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
-GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages"
+GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf"
+GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf"
+GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
+GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
 GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
 GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"