Skip to content

Add namespace_in_path parameter in GitLab.rb for GitLab Pages

Naman Jagdish Gala requested to merge naman/17584-pages-nginx-namespace-in-path into master

What does this MR do?

Add namespace_in_path parameter in GitLab.rb for GitLab Pages

Adds the 'namespace_in_path' parameter in gitlab.rb for GitLab Pages. This parameter is used to rewrite Pages URLs using NGINX config, allowing users to access Pages using the namespace in the path instead of the host. This modification will enable GitLab Pages to work without requiring a DNS wildcard.

This will add Pages NGINX config (Click to expand) 
## Experimental - Handle requests having namespace in path
## See https://gitlab.com/gitlab-org/gitlab/-/issues/211677
server {
  listen *:443 ssl http2;
  server_name  ~^pages\.localhost$;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Disable symlink traversal
  disable_symlinks on;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/gitlab/ssl/pages.localhost.crt;
  ssl_certificate_key /etc/gitlab/ssl/pages.localhost.key;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  ssl_protocols  TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache  shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout  1d;

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=63072000";

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/gitlab/nginx/gitlab_pages_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_pages_error.log error;

  # Pass when namespace in path to pages daemon after the rewrite
  location ~ ^/(?<namespace>[^/]+)/(?<project>.*)$ {
    ## Rewrite remove namespace from path
    rewrite ^/([^/]+)/(.*)$ /$2 break;

    ## Put namespace back in host from path
    proxy_set_header Host $1.$http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Gitlab-Namespace-In-Path $namespace;

    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
    # header.
    #
    # Browsers already respect this directive and Pages can handle the request
    # volume without help from NGINX.
    #
    # If this changes in the future, ensure `proxy_cache_key` is set to a value
    # like `$scheme$host$request_uri`, as the default value does not take the
    # Pages hostname into account, leading to incorrect responses being served.
    #
    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
    proxy_cache off;


    proxy_http_version 1.1;
    proxy_pass          http://localhost:8090;

    ## Put namespace in path from host before sending it to the user
    proxy_redirect ~^https://(projects\.pages\.localhost)/(.*)$ https://$1/$2;
    proxy_redirect ~^https://(.*)\.(pages\.localhost)/(.*)$ https://$2/$1/$3;
    proxy_redirect ~^//(.*)\.(pages\.localhost)/(.*)$ /$1/$3;
    proxy_redirect ~^/(.*)$ /$namespace/$1;
  }

  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;
}

This is an experimental change. 'namespace-in-path' will not be enabled on GitLab.com, so we will ask some users upvoted the issue to try this feature.

Changelog: added

Related issues

GitLab Pages without DNS wildcard - MVC (gitlab#17584 - closed)
More context: gitlab#211677 (comment 1646965167)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Ryan Egesdahl

Merge request reports