path: root/gitlab-ssl.conf
# This is a sub configuration file that integrates into a running apache. In our case,
# the machine is TLS only, has secure cipher suites and supports HSTS.

# Don't do this if mod_ssl is not available.
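<IfModule mod_ssl.c>
# TLS-terminating reverse proxy for GitLab: static files are served from GitLab's
# public directory, everything else is forwarded to the backend on 127.0.0.1:8080.
<VirtualHost *:443>
	ServerName		gitlab.lirion.de
	# Do not append the server-generated footer to error pages.
	ServerSignature		Off

	# Hand the client's original Host header to the backend.
	ProxyPreserveHost	On
	#eserdeniz.fr
	# Reverse proxy only: forward-proxy requests stay disabled.
	ProxyRequests		Off
	# Accept encoded slashes (%2F) in request paths and leave them undecoded.
	AllowEncodedSlashes	NoDecode
	# here we don't want to proxify the requests for the existing assets in gitlab's public directory
	# The "!" exclusions must stay above the catch-all ProxyPass: rules are checked in
	# configuration order and the first match wins.
	ProxyPassMatch ^(/[^/]+\.(html|png|ico|css|txt))$ !
	ProxyPass /assets !
	# The backend hop is plain HTTP on the loopback interface; TLS ends at this vhost.
	ProxyPass / http://127.0.0.1:8080/
	# "set" replaces any request header of this exact name, so the value the backend
	# sees under this name comes from the proxy.
	# NOTE(review): a client-supplied "X-Forwarded-Proto" (hyphenated) is a different
	# header name and is not touched here - confirm how the backend treats the two spellings.
	RequestHeader set X_FORWARDED_PROTO 'https'

	# necessary for downloading attachments
	DocumentRoot		/opt/gitlab/embedded/service/gitlab-rails/public

	<Location />
		# Apache 2.4 authorization syntax, matching the <Directory> section below. It
		# replaces the 2.2-era "Order deny,allow" / "Allow from all" pair, which only
		# loads on 2.4 when mod_access_compat is present.
		Require all granted
		# Rewrite backend-generated Location/Content-Location headers so redirects point
		# at this vhost instead of the internal address.
		ProxyPassReverse	http://127.0.0.1:8080
		# Leave this at http. For whatever reason.
		# NOTE(review): presumably because the backend, which receives the public host name
		# over plain HTTP, emits http:// redirects for it - confirm.
		ProxyPassReverse	http://gitlab.lirion.de
	</Location>
	<Directory /opt/gitlab/embedded/service/gitlab-rails/public>
		Require all granted
	</Directory>
	# NOTE(review): mod_rewrite's source file name is mod_rewrite.c and its module
	# identifier is rewrite_module, so the test "rewrite.c" looks like it never matches
	# and this section is never evaluated - confirm. Left unchanged on purpose: correcting
	# the name would activate a proxying ([P]) rule that is currently inert.
	<IfModule rewrite.c>
		RewriteEngine		On
		RewriteCond		%{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
		RewriteRule		.* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
	</IfModule>

	# Basic stuff
	ErrorLog		${APACHE_LOG_DIR}/error.log
	LogLevel		warn
	CustomLog		${APACHE_LOG_DIR}/ssl_access.log combined
	# No SSLProtocol, SSLCipherSuite or HSTS header is set in this vhost; per the header
	# of this file those come from the machine-wide configuration. Verify that they are
	# in effect before reusing this file on another host.
	SSLEngine		on
	# Private key: keep it readable by the account that starts Apache only.
	SSLCertificateKeyFile	/path/to/some/certificates/private/key
	# x509v3 certificate, chain included (latter: recommendation or duty anyway with apache2.4)
	SSLCertificateFile	/path/to/some/certificates/public-cert-chain
	# People still use flawed and f'ed up technology. 'Ere we go.
	# Very old MSIE (2-6): no keep-alive, HTTP/1.0 responses, tolerate unclean TLS shutdown.
	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# The class [17-9] matches the digits 1, 7, 8 and 9 following "MSIE ".
	BrowserMatch "MSIE [17-9]" \
		ssl-unclean-shutdown
</VirtualHost>
</IfModule>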