GitSwarm-EE 2017.1-1 Documentation

• GitSwarm Pages Administration
  • The GitSwarm Pages daemon
    • The GitSwarm Pages daemon and the case of custom domains
    • Install the Pages daemon
  • Configuration
    • Configuration prerequisites
    • Configuration scenarios
    • DNS configuration
  • Setting up GitSwarm Pages
    • Custom domains with HTTPS support
    • Custom domains without HTTPS support
    • Wildcard HTTP domain without custom domains
    • Wildcard HTTPS domain without custom domains
  • NGINX configuration
    • NGINX configuration files
    • NGINX configuration for custom domains
    • NGINX caveats
  • Set maximum pages size
  • Change storage path
  • Backup
  • Security
  • Changelog

GitSwarm Pages Administration

Note: This feature was first introduced in GitSwarm 2016.1. Custom CNAMEs with TLS support were introduced in GitSwarm 2016.2.

This document describes how to set up the latest GitSwarm Pages feature. Make sure to read the changelog if you are upgrading to a new GitSwarm version as it may include new features and changes needed to be made in your configuration.

If you are looking for ways to upload your static content in GitSwarm Pages, you probably want to read the user documentation.

Table of Contents generated with DocToc

• The GitSwarm Pages daemon
  • The GitSwarm Pages daemon and the case of custom domains
  • Install the Pages daemon
• Configuration
  • Configuration prerequisites
  • Configuration scenarios
  • DNS configuration
• Setting up GitSwarm Pages
  • Custom domains with HTTPS support
  • Custom domains without HTTPS support
  • Wildcard HTTP domain without custom domains
  • Wildcard HTTPS domain without custom domains
• NGINX configuration
  • NGINX configuration files
  • NGINX configuration for custom domains
  • NGINX caveats
• Set maximum pages size
• Change storage path
• Backup
• Security
• Changelog

The GitSwarm Pages daemon

Starting from GitSwarm 2016.2, GitSwarm Pages make use of the [GitSwarm Pages daemon], a simple HTTP server written in Go that can listen on an external IP address and provide support for custom domains and custom certificates. The GitSwarm Pages Daemon supports dynamic certificates through SNI and exposes pages using HTTP2 by default.

Here is a brief list with what it is supported when using the pages daemon:

• Multiple domains per-project
• One TLS certificate per-domain
• Validation of certificate
• Validation of certificate chain
• Validation of private key against certificate

You are encouraged to read its README to fully understand how it works.

The GitSwarm Pages daemon and the case of custom domains

In the case of custom domains, the Pages daemon needs to listen on ports 80 and/or 443. For that reason, there is some flexibility in the way which you can set it up, so you basically have three choices:

1. Run the pages daemon in the same server as GitSwarm, listening on a secondary IP
2. Run the pages daemon in a separate server. In that case, the Pages path must also be present in the server that the pages daemon is installed, so you will have to share it via network.
3. Run the pages daemon in the same server as GitSwarm, listening on the same IP but on different ports. In that case, you will have to proxy the traffic with a loadbalancer. If you choose that route note that you should use TCP load balancing for HTTPS. If you use TLS-termination (HTTPS-load balancing) the pages will not be able to be served with user provided certificates. For HTTP it's OK to use HTTP or TCP load balancing.

In this document, we will proceed assuming the first option. Let's begin by installing the pages daemon.

Install the Pages daemon

Source installations

cd /home/git
sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-pages.git
cd gitlab-pages
sudo -u git -H git checkout v0.2.1
sudo -u git -H make

package installations

The gitlab-pages daemon is included in the package installation.

Configuration

There are multiple ways to set up GitSwarm Pages according to what URL scheme you are willing to support.

Configuration prerequisites

In the next section you will find all possible scenarios to choose from.

In either scenario, you will need:

1. To use the GitSwarm Pages daemon
2. A separate domain
3. A separate Nginx configuration file which needs to be explicitly added in the server under which GitSwarm EE runs (Omnibus does that automatically)
4. (Optional) A wildcard certificate for that domain if you decide to serve pages under HTTPS
5. (Optional but recommended) Shared runners so that your users don't have to bring their own

Configuration scenarios

Before proceeding with setting up GitSwarm Pages, you have to decide which route you want to take.

The possible scenarios are depicted in the table below.

As you see from the table above, each URL scheme comes with an option:

1. Pages enabled, daemon is enabled and NGINX will proxy all requests to the daemon. Pages daemon doesn't listen to the outside world.
2. Pages enabled, daemon is enabled AND pages has external IP support enabled. In that case, the pages daemon is running, NGINX still proxies requests to the daemon but the daemon is also able to receive requests from the outside world. Custom domains and TLS are supported.

DNS configuration

GitSwarm Pages expect to run on their own virtual host. In your DNS server/provider you need to add a wildcard DNS A record pointing to the host that GitSwarm runs. For example, an entry would look like this:

*.example.io. 1800 IN A 1.2.3.4

where example.io is the domain under which GitSwarm Pages will be served and 1.2.3.4 is the IP address of your GitSwarm instance.

You should not use the GitSwarm domain to serve user pages. For more information see the security section.

Setting up GitSwarm Pages

Below are the four scenarios that are described in #configuration-scenarios.

Custom domains with HTTPS support

Source installations:

1. Install the pages daemon

2. Edit gitlab.yml to look like the example below. You need to change the host to the FQDN under which GitSwarm Pages will be served. Set external_http and external_https to the secondary IP on which the pages daemon will listen for connections:

   ```yaml ## GitSwarm Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages

   host: example.io port: 443 https: true

   external_http: 1.1.1.1:80 external_https: 1.1.1.1:443 ```

3. Edit /etc/default/gitlab and set gitlab_pages_enabled to true in order to enable the pages daemon. In gitlab_pages_options the -pages-domain, -listen-http and -listen-https must match the host, external_http and external_https settings that you set above respectively. The -root-cert and -root-key settings are the wildcard TLS certificates of the example.io domain:

   gitlab_pages_enabled=true
   gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 1.1.1.1:80 -listen-https 1.1.1.1:443 -root-cert /path/to/example.io.crt -root-key /path/to/example.io.key

4. Make sure to configure NGINX properly.

5. Restart GitSwarm

package installations:

1. Edit /etc/gitswarm/gitswarm.rb:

   pages_external_url "https://example.io"
   nginx['listen_addresses'] = ['1.1.1.1']
   pages_nginx['enable'] = false
   gitlab_pages['cert'] = "/etc/gitswarm/ssl/example.io.crt"
   gitlab_pages['cert_key'] = "/etc/gitswarm/ssl/example.io.key"
   gitlab_pages['external_http'] = '1.1.1.2:80'
   gitlab_pages['external_https'] = '1.1.1.2:443'

   where 1.1.1.1 is the primary IP address that GitSwarm is listening to and 1.1.1.2 the secondary IP where the GitSwarm Pages daemon listens to. Read more at the NGINX configuration for custom domains section.

2. Reconfigure GitSwarm

Custom domains without HTTPS support

Source installations:

1. Install the pages daemon

2. Edit gitlab.yml to look like the example below. You need to change the host to the FQDN under which GitSwarm Pages will be served. Set external_http to the secondary IP on which the pages daemon will listen for connections:

   ```yaml pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages

   host: example.io port: 80 https: false

   external_http: 1.1.1.1:80 ```

3. Edit /etc/default/gitlab and set gitlab_pages_enabled to true in order to enable the pages daemon. In gitlab_pages_options the -pages-domain and -listen-http must match the host and external_http settings that you set above respectively:

   gitlab_pages_enabled=true
   gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 -listen-http 1.1.1.1:80"

4. Make sure to configure NGINX properly.

5. Restart GitSwarm

package installations:

1. Edit /etc/gitswarm/gitswarm.rb:

   pages_external_url "https://example.io"
   nginx['listen_addresses'] = ['1.1.1.1']
   pages_nginx['enable'] = false
   gitlab_pages['external_http'] = '1.1.1.2:80'

   where 1.1.1.1 is the primary IP address that GitSwarm is listening to and 1.1.1.2 the secondary IP where the GitSwarm Pages daemon listens to. Read more at the NGINX configuration for custom domains section.

2. Reconfigure GitSwarm

Wildcard HTTP domain without custom domains

Source installations:

1. Install the pages daemon

2. Go to the GitLab installation directory:

   bash cd /home/git/gitlab

3. Edit gitlab.yml and under the pages setting, set enabled to true and the host to the FQDN under which GitSwarm Pages will be served:

   ```yaml ## GitSwarm Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages

   host: example.io port: 80 https: false ```

4. Make sure to configure NGINX properly.

5. Restart GitSwarm

package installations:

1. Set the external URL for GitSwarm Pages in /etc/gitswarm/gitswarm.rb:

   pages_external_url 'http://example.io'

2. Reconfigure GitSwarm

Wildcard HTTPS domain without custom domains

Source installations:

1. Install the pages daemon

2. In gitlab.yml, set the port to 443 and https to true:

   ```bash ## GitSwarm Pages pages: enabled: true # The location where pages are stored (default: shared/pages). # path: shared/pages

   host: example.io port: 443 https: true ```

3. Make sure to configure NGINX properly.

package installations:

1. Place the certificate and key inside /etc/gitswarm/ssl

2. In /etc/gitswarm/gitswarm.rb specify the following configuration:

   pages_external_url 'https://example.io'
   
   pages_nginx['redirect_http_to_https'] = true
   pages_nginx['ssl_certificate'] = "/etc/gitswarm/ssl/pages-nginx.crt"
   pages_nginx['ssl_certificate_key'] = "/etc/gitswarm/ssl/pages-nginx.key"

   where pages-nginx.crt and pages-nginx.key are the SSL cert and key, respectively.

3. Reconfigure GitSwarm

NGINX configuration

Depending on your setup, you will need to make some changes to NGINX. Specifically you must change the domain name and the IP address where NGINX listens to. Read the following sections for more details.

NGINX configuration files

Copy the gitlab-pages-ssl Nginx configuration file:

sudo cp lib/support/nginx/gitlab-pages-ssl /etc/nginx/sites-available/gitlab-pages-ssl.conf
sudo ln -sf /etc/nginx/sites-{available,enabled}/gitlab-pages-ssl.conf

Replace gitlab-pages-ssl with gitlab-pages if you are not using SSL.

NGINX configuration for custom domains

If you are not using custom domains ignore this section.

In the case of custom domains, if you have the secondary IP address configured on the same server as GitSwarm, you need to change all NGINX configs to listen on the first IP address.

Source installations:

1. Edit all GitSwarm related configs in /etc/nginx/site-available/ and replace 0.0.0.0 with 1.1.1.1, where 1.1.1.1 the primary IP where GitSwarm listens to.
2. Restart NGINX

package installations:

1. Edit /etc/gitswarm/gilab.rb:

   nginx['listen_addresses'] = ['1.1.1.1']

2. Reconfigure GitSwarm

NGINX caveats

Be extra careful when setting up the domain name in the NGINX config. You must not remove the backslashes.

If your GitSwarm pages domain is example.io, replace:

server_name ~^.*\.YOUR_GITLAB_PAGES\.DOMAIN$;

with:

server_name ~^.*\.example\.io$;

If you are using a subdomain, make sure to escape all dots (.) except from the first one with a backslash (). For example pages.example.io would be:

server_name ~^.*\.pages\.example\.io$;

Set maximum pages size

The maximum size of the unpacked archive per project can be configured in the Admin area under the Application settings in the Maximum size of pages (MB). The default is 100MB.

Change storage path

Source installations:

1. Pages are stored by default in /home/git/gitlab/shared/pages. If you wish to store them in another location you must set it up in gitlab.yml under the pages section:

   yaml pages: enabled: true # The location where pages are stored (default: shared/pages). path: /mnt/storage/pages

2. Restart GitSwarm

package installations:

1. Pages are stored by default in /var/opt/gitswarm/gitlab-rails/shared/pages. If you wish to store them in another location you must set it up in /etc/gitswarm/gitswarm.rb:

   ruby gitlab_rails['pages_path'] = "/mnt/storage/pages"

2. Reconfigure GitSwarm

Backup

Pages are part of the regular backup so there is nothing to configure.

Security

You should strongly consider running GitSwarm pages under a different hostname than GitSwarm to prevent XSS attacks.

Changelog

GitSwarm Pages were first introduced in GitSwarm 2016.1. Since then, many features where added, like custom CNAME and TLS support, and many more are likely to come. Below is a brief changelog. If no changes were introduced or a version is missing from the changelog, assume that the documentation is the same as the latest previous version.

GitSwarm 2016.2 (documentation)

• In GitSwarm 2016.2 we introduced the gitlab-pages daemon which is now the recommended way to set up GitSwarm Pages.
• The NGINX configs have changed to reflect this change. So make sure to update them.
• Custom CNAME and TLS certificates support
• Documentation was moved to one place

GitSwarm 2016.1

No new changes.

GitSwarm 2016.1 (source docs, Omnibus docs)

• GitSwarm Pages feature was introduced.