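# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

user gitlab-www gitlab-www;
worker_processes 12;
error_log stderr;
pid nginx.pid;

daemon off;

events {
  worker_connections 10240;
}

http {
  # Both access-log formats record $filtered_request_uri and
  # $filtered_http_referer (built by the map blocks below) rather than the raw
  # $request_uri / $http_referer, so the token parameters those maps cover are
  # masked before a request line is written to the log.
  log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';
  log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';

  # NOTE(review): with this set to off the server banner is not hidden from
  # responses. If banner disclosure matters for this deployment, change the
  # corresponding nginx setting in /etc/gitlab/gitlab.rb and reconfigure;
  # an edit made here is overwritten on the next reconfigure.
  hide_server_tokens off;

  server_names_hash_bucket_size 64;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout 65;
  keepalive_time 1h;

  gzip on;
  gzip_http_version 1.1;
  gzip_comp_level 2;
  gzip_proxied no-cache no-store private expired auth;
  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;

  include /opt/gitlab/embedded/conf/mime.types;

  proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
  proxy_cache gitlab;

  map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
  }

  # The three maps below are chained: each takes the previous map's output and
  # masks one parameter name. The named captures <start>, <temp> and <rest> are
  # required because the replacement string refers to $start, $temp and $rest.
  #
  # NOTE(review): only private_token, authenticity_token and rss_token (with
  # "-" or "_") are masked, and because <start> is greedy each map rewrites a
  # single occurrence of its parameter (the last one). Any other credential
  # carried in a query string, or a repeated parameter, still reaches the
  # access log, so the logs should be handled as sensitive data.

  # Remove private_token from the request URI
  # In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
  map $request_uri $temp_request_uri_1 {
    default $request_uri;
    ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # Remove authenticity_token from the request URI
  # In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
  map $temp_request_uri_1 $temp_request_uri_2 {
    default $temp_request_uri_1;
    ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # Remove rss_token from the request URI
  # In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
  map $temp_request_uri_2 $filtered_request_uri {
    default $temp_request_uri_2;
    ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # A version of the referer without the query string
  # NOTE(review): <temp> is greedy, so it captures up to the last "?" in the
  # referer; a referer containing more than one "?" keeps the text before the
  # final one in the log.
  map $http_referer $filtered_http_referer {
    default $http_referer;
    ~^(?<temp>.*)\? $temp;
  }

  # Enable vts status module.
  vhost_traffic_status_zone;

  upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket;
  }

  include /var/opt/gitlab/nginx/conf/gitlab-http.conf;

  include /var/opt/gitlab/nginx/conf/nginx-status.conf;
}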