assets: nginx bypass puma when accessing assets.

MirageTurtle · MirageTurtle · commit 4f30a33f8c24 · 2025-08-28T00:37:40.000+08:00
diff --git a/Dockerfile b/Dockerfile
@@ -2,4 +2,5 @@ FROM sameersbn/gitlab:18.1.1
 
 # Override files
 COPY assets/runtime/config/gitlabhq/gitlab.yml ${GITLAB_RUNTIME_DIR}/config/gitlabhq/gitlab.yml
+COPY assets/runtime/config/nginx/gitlab ${GITLAB_RUNTIME_DIR}/config/nginx/gitlab
 COPY assets/runtime/functions ${GITLAB_RUNTIME_DIR}/functions
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
@@ -0,0 +1,103 @@
+## GitLab
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+##################################
+##        CONTRIBUTING          ##
+##################################
+##
+## If you change this file in a Merge Request, please also create
+## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+##
+###################################
+##         configuration         ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
+
+upstream gitlab-workhorse {
+  server localhost:8181 fail_timeout=0;
+}
+
+map $http_upgrade $connection_upgrade_gitlab {
+    default upgrade;
+    ''      close;
+}
+
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+    ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+    default $request_uri;
+}
+log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
+                  '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+                  '"$http_referer" "$http_user_agent"';
+
+## Normal HTTP host
+server {
+  ## Either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+  ## to be served if you visit any address that your server responds to, eg.
+  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
+  listen 0.0.0.0:80 default_server;
+  listen [::]:80 default_server;
+  server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
+  add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
+  add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
+
+  location / {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+    proxy_buffering         {{NGINX_PROXY_BUFFERING}};
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    Upgrade             $http_upgrade;
+    proxy_set_header    Connection          $connection_upgrade_gitlab;
+
+    proxy_pass http://gitlab-workhorse;
+  }
+
+  error_page 404 /404.html;
+  error_page 422 /422.html;
+  error_page 500 /500.html;
+  error_page 502 /502.html;
+  error_page 503 /503.html;
+  location /assets/ {
+      alias {{GITLAB_INSTALL_DIR}}/public/assets/;
+      expires max;
+      add_header Cache-Control public;
+  }
+  location ~ ^/(404|422|500|502|503)\.html$ {
+    root {{GITLAB_INSTALL_DIR}}/public;
+    internal;
+  }
+
+  {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
+}
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -2174,6 +2174,10 @@ configure_nginx() {
   -e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
   /etc/nginx/nginx.conf
 
+  # https://github.com/ustclug/docker-gitlab/issues/4
+  echo "Adding nginx to ${GITLAB_USER} group..."
+  usermod -a -G ${GITLAB_USER} nginx
+
   nginx_configure_gitlab
   nginx_configure_gitlab_ci
   nginx_configure_gitlab_registry
diff --git a/testdrive.sh b/testdrive.sh
@@ -51,13 +51,19 @@ check() {
         echo "Error: Failed to find 'example oauth' in gitlab.yml"
         return 1
     fi
+    assets_location="/assets/locale/zh_CN/app-45e4963f833169170e6fd77b78bb1758d413a6a676d484235818594551d2e018.js"
+    assets_code=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url$assets_location")
+    if [[ $assets_code -lt 200 || $assets_code -gt 399 ]]; then
+        echo "Error: Failed to access $url$assets_location (status code: $assets_code)"
+        return 1
+    fi
     return 0
 }
 
 RETRIES="48"
 RETRIED=0
 WAIT_TIME="5s"
 
-until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; } ; do
+until check || { [[ "$((RETRIED++))" == "${RETRIES}" ]] && exit 1; }; do
     sleep "${WAIT_TIME}"
 done
