# This file is managed by gitlab-ctl. Manual changes will be # erased! To change the contents below, edit /etc/gitlab/gitlab.rb # and run `sudo gitlab-ctl reconfigure`. user <%= node['gitlab']['web_server']['username'] %> <%= node['gitlab']['web_server']['group']%>; worker_processes <%= @worker_processes %>; error_log stderr; pid nginx.pid; daemon off; events { worker_connections <%= @worker_connections %>; } http { log_format gitlab_access '<%= @gitlab_access_log_format %>'; log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>'; hide_server_tokens <%= @hide_server_tokens %>; server_names_hash_bucket_size <%= @server_names_hash_bucket_size %>; sendfile <%= @sendfile %>; tcp_nopush <%= @tcp_nopush %>; tcp_nodelay <%= @tcp_nodelay %>; keepalive_timeout <%= @keepalive_timeout %>; keepalive_time <%= @keepalive_time %>; gzip <%= @gzip %>; <% if @gzip_enabled %> gzip_http_version <%= @gzip_http_version %>; gzip_comp_level <%= @gzip_comp_level %>; gzip_proxied <%= @gzip_proxied %>; gzip_types <%= @gzip_types.join(' ') %>; <% end %> include /opt/gitlab/embedded/conf/mime.types; proxy_cache_path <%= @proxy_cache_path %>; proxy_cache <%= @proxy_cache %>; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Remove private_token from the request URI # In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&token=glptt-unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&token=glptt-unfiltered... map $request_uri $temp_request_uri_1 { default $request_uri; ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest"; } # Remove authenticity_token from the request URI # In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&token=glptt-unfiltered&.. # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&token=glptt-unfiltered&.. map $temp_request_uri_1 $temp_request_uri_2 { default $temp_request_uri_1; ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest"; } # Remove rss_token from the request URI # In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&token=glptt-unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&token=glptt-unfiltered&... map $temp_request_uri_2 $temp_request_uri_3 { default $temp_request_uri_2; ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest"; } # Remove pipeline trigger token from the request URI # In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&token=glptt-unfiltered&... # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&token=[FILTERED]&... map $temp_request_uri_3 $filtered_request_uri { default $temp_request_uri_3; ~(?i)^(?<start>.*)(?<temp>[\?&]token)=glptt-[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest"; } # A version of the referer without the query string map $http_referer $filtered_http_referer { default $http_referer; ~^(?<temp>.*)\? $temp; } <% if @status['vts_enable'] -%> # Enable vts status module. vhost_traffic_status_zone; <% end -%> upstream gitlab-workhorse { server <%= "unix:" if node['gitlab']['gitlab_workhorse']['listen_network'] == "unix" %><%= node['gitlab']['gitlab_workhorse']['listen_addr'] %>; } <% if @gitlab_http_config %> include <%= @gitlab_http_config %>; <% end %> <% if @gitlab_smartcard_http_config %> include <%= @gitlab_smartcard_http_config %>; <% end %> <% if @gitlab_pages_http_config %> include <%= @gitlab_pages_http_config %>; <% end %> <% if @gitlab_mattermost_http_config %> include <%= @gitlab_mattermost_http_config %>; <% end %> <% if @gitlab_registry_http_config %> include <%= @gitlab_registry_http_config %>; <% end %> <% if @gitlab_kas_http_config %> include <%= @gitlab_kas_http_config %>; <% end %> <% if @nginx_status_config %> include <%= @nginx_status_config %>; <% end %> <%= @custom_nginx_config %> }