Add namespace_in_path parameter in GitLab.rb for GitLab Pages

Related to: https://gitlab.com/gitlab-org/gitlab/-/issues/17584
Adds the 'namespace_in_path' parameter in gitlab.rb for GitLab Pages.
This parameter is used to rewrite Pages URLs, allowing users to access
Pages using the namespace in the path instead of the host.
This modification will enable GitLab Pages to work without requiring
a DNS wildcard. More context:
https://gitlab.com/gitlab-org/gitlab/-/issues/211677#note_1646965167

Changelog: added

Author: Naman Jagdish Gala

files/gitlab-config-template/gitlab.rb.template

@@ -2007,6 +2007,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 #   'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"
 # }
 
+# Experimental - Enable namespace in path
+# gitlab_pages['namespace_in_path'] = false
+
 ################################################################################
 ## GitLab Pages NGINX
 ################################################################################

files/gitlab-cookbooks/gitlab-pages/attributes/default.rb

@@ -82,6 +82,8 @@
 default['gitlab_pages']['redirects_max_path_segments'] = nil
 default['gitlab_pages']['redirects_max_rule_count'] = nil
 default['gitlab_pages']['register_as_oauth_app'] = true
+# Experimental - Enable namespace in path
+default['gitlab_pages']['namespace_in_path'] = false
 
 # Temporarily retain support for `node['gitlab-pages'][*]` usage in
 # `/etc/gitlab/gitlab.rb`

files/gitlab-cookbooks/gitlab-pages/libraries/gitlab_pages.rb

@@ -29,6 +29,7 @@ def parse_variables
       parse_gitlab_pages_daemon
       parse_secrets
       parse_automatic_oauth_registration
+      parse_namespace_in_path
     end
 
     def parse_pages_external_url
@@ -134,5 +135,20 @@ def parse_automatic_oauth_registration
 
       LoggingHelper.warning("Writing secrets to `gitlab-secrets.json` file is disabled. Hence, not automatically registering GitLab Pages as an Oauth App. So, GitLab SSO will not be available as a login option.")
     end
+
+    def parse_namespace_in_path
+      # If GitLab Pages isn't enabled or namespace_in_path is isn't enabled, do nothing.
+      return unless Gitlab['gitlab_pages']['enable'] && Gitlab['gitlab_pages']['namespace_in_path']
+
+      Gitlab['pages_nginx']['namespace_in_path'] = Gitlab['gitlab_pages']['namespace_in_path']
+      url_scheme = Gitlab['gitlab_rails']['pages_https'] ? 'https' : 'http'
+
+      Gitlab['pages_nginx']['proxy_redirect'] = {
+        "~^#{url_scheme}://(projects\\.#{Gitlab['pages_nginx']['fqdn_regex']})/(.*)$" => "#{url_scheme}://$1/$2",
+        "~^#{url_scheme}://(.*)\\.(#{Gitlab['pages_nginx']['fqdn_regex']})/(.*)$" => "#{url_scheme}://$2/$1/$3",
+        "~^//(.*)\\.(#{Gitlab['pages_nginx']['fqdn_regex']})/(.*)$" => "/$1/$3",
+        "~^/(.*)$" => "/$namespace/$1",
+      }
+    end
   end
 end

files/gitlab-cookbooks/gitlab-pages/templates/default/gitlab-pages-config.erb

@@ -191,3 +191,6 @@ redirects-max-rule-count=<%= @redirects_max_rule_count %>
 <%- if @headers -%>
 header=<%= @headers.join(';;') %>
 <%-end -%>
+<%- if @namespace_in_path -%>
+namespace-in-path=<%= @namespace_in_path %>
+<%-end -%>

files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb

@@ -377,6 +377,7 @@
       pages_object_store_enabled: node['gitlab']['gitlab_rails']['pages_object_store_enabled'],
       pages_object_store_remote_directory: node['gitlab']['gitlab_rails']['pages_object_store_remote_directory'],
       pages_object_store_connection: node['gitlab']['gitlab_rails']['pages_object_store_connection'],
+      pages_namespace_in_path: node['gitlab_pages']['namespace_in_path'],
       mattermost_host: mattermost_host,
       mattermost_enabled: node['mattermost']['enable'] || !mattermost_host.nil?,
       sidekiq: node['gitlab']['sidekiq'],

files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb

@@ -436,6 +436,7 @@ production: &base
     local_store:
       enabled: <%= @pages_local_store_enabled %>
       path: <%= @pages_local_store_path %>
+    namespace_in_path: <%= @pages_namespace_in_path %>
 
   ## Gravatar
   ## For Libravatar see: https://docs.gitlab.com/ee/customization/libravatar.html

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http-common-location.erb

@@ -0,0 +1,20 @@
+    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
+    # header.
+    #
+    # Browsers already respect this directive and Pages can handle the request
+    # volume without help from NGINX.
+    #
+    # If this changes in the future, ensure `proxy_cache_key` is set to a value
+    # like `$scheme$host$request_uri`, as the default value does not take the
+    # Pages hostname into account, leading to incorrect responses being served.
+    #
+    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
+    proxy_cache off;
+
+    <% if @proxy_custom_buffer_size -%>
+    proxy_buffers 8 <%= @proxy_custom_buffer_size %>;
+    proxy_buffer_size <%= @proxy_custom_buffer_size %>;
+    <% end -%>
+
+    proxy_http_version 1.1;
+    proxy_pass          http://<%= @pages_listen_proxy %>;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http-common-server.erb

@@ -0,0 +1,61 @@
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## Disable symlink traversal
+  disable_symlinks on;
+
+  <% if @https %>
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl_certificate <%= @ssl_certificate %>;
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+  <% if @ssl_client_certificate %>
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+  <% end %>
+  <% if @ssl_verify_client %>
+  ssl_verify_client <%= @ssl_verify_client%>;
+  ssl_verify_depth <%= @ssl_verify_depth%>;
+  <% end %>
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers '<%= @ssl_ciphers %>';
+  ssl_protocols  <%= @ssl_protocols %>;
+  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  ssl_session_cache  <%= @ssl_session_cache %>;
+  ssl_session_tickets <%= @ssl_session_tickets %>;
+  ssl_session_timeout  <%= @ssl_session_timeout %>;
+
+  <% if @ssl_dhparam %>
+  ssl_dhparam <%= @ssl_dhparam %>;
+  <% end %>
+
+  <% if @ssl_password_file %>
+  ssl_password_file '<%= @ssl_password_file %>';
+  <% end %>
+  <% end %>
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+
+  ## HSTS Config
+  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  <% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
+  add_header Strict-Transport-Security "max-age=<%= @hsts_max_age -%>
+  <% if @hsts_include_subdomains %>; includeSubdomains<% end %>";
+  <% end %>
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  <%= @log_directory %>/gitlab_pages_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_pages_error.log <%= @error_log_level%>;
+
+  # Define custom error pages
+  error_page 403 /403.html;
+  error_page 404 /404.html;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http.conf.erb

@@ -23,101 +23,63 @@ server {
 }
 <% end %>
 
+<% if @namespace_in_path %>
+## Experimental - Handle requests having namespace in path
+## See https://gitlab.com/gitlab-org/gitlab/-/issues/211677
 server {
 <% @listen_addresses.each do |listen_address| %>
   listen <%= listen_address %>:<%= @listen_port %><% if @proxy_protocol %> proxy_protocol<% end %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
 <% end %>
-  server_name  ~^(?<group>.*)\.<%= @fqdn_regex %>$;
-  server_tokens off; ## Don't show the nginx version number, a security best practice
+  server_name  ~^<%= @fqdn_regex %>$;
 
-  ## Disable symlink traversal
-  disable_symlinks on;
+  <%= render "nginx-gitlab-pages-http-common-server.erb" %>
 
-  <% if @https %>
-  ## Strong SSL Security
-  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
-  ssl_certificate <%= @ssl_certificate %>;
-  ssl_certificate_key <%= @ssl_certificate_key %>;
-  <% if @ssl_client_certificate %>
-  ssl_client_certificate <%= @ssl_client_certificate%>;
-  <% end %>
-  <% if @ssl_verify_client %>
-  ssl_verify_client <%= @ssl_verify_client%>;
-  ssl_verify_depth <%= @ssl_verify_depth%>;
-  <% end %>
+  # Pass when namespace in path to pages daemon after the rewrite
+  location ~ ^/(?<namespace>[^/]+)/(?<project>.*)$ {
+    ## Rewrite remove namespace from path
+    rewrite ^/([^/]+)/(.*)$ /$2 break;
 
-  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  ssl_ciphers '<%= @ssl_ciphers %>';
-  ssl_protocols  <%= @ssl_protocols %>;
-  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
-  ssl_session_cache  <%= @ssl_session_cache %>;
-  ssl_session_tickets <%= @ssl_session_tickets %>;
-  ssl_session_timeout  <%= @ssl_session_timeout %>;
+    <% @proxy_set_headers.each do |header| %>
+      <% next if header[1].nil? %>
+      <% if header[0] == "Host" %>
+    ## Put namespace back in host from path
+    proxy_set_header <%= header[0] %> <%= "$1."+header[1] %>;
+      <% else %>
+    proxy_set_header <%= header[0] %> <%= header[1] %>;
+      <% end %>
+    <% end %>
+    proxy_set_header X-Gitlab-Namespace-In-Path $namespace;
 
-  <% if @ssl_dhparam %>
-  ssl_dhparam <%= @ssl_dhparam %>;
-  <% end %>
+    <%= render "nginx-gitlab-pages-http-common-server.erb" %>
 
-  <% if @ssl_password_file %>
-  ssl_password_file '<%= @ssl_password_file %>';
-  <% end %>
+    ## Put namespace in path from host before sending it to the user
+  <% @proxy_redirect.each do |redirect| %>
+    proxy_redirect <%= redirect[0] %> <%= redirect[1] %>;
   <% end %>
+  }
 
-  ## Real IP Module Config
-  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
-  <% if @real_ip_header %>
-  real_ip_header <%= @real_ip_header %>;
-  <% end %>
-  <% if @real_ip_recursive %>
-  real_ip_recursive <%= @real_ip_recursive %>;
-  <% end %>
-  <% @real_ip_trusted_addresses.each do |trusted_address| %>
-  set_real_ip_from <%= trusted_address %>;
-  <% end %>
+  <%= @custom_gitlab_server_config %>
+}
+<% end %>
 
-  ## HSTS Config
-  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
-  <% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
-  add_header Strict-Transport-Security "max-age=<%= @hsts_max_age -%>
-<% if @hsts_include_subdomains %>; includeSubdomains<% end %>";
-  <% end %>
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @listen_port %><% if @proxy_protocol %> proxy_protocol<% end %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
+<% end %>
+  server_name  ~^(?<group>.*)\.<%= @fqdn_regex %>$;
 
-  ## Individual nginx logs for this GitLab vhost
-  access_log  <%= @log_directory %>/gitlab_pages_access.log gitlab_access;
-  error_log   <%= @log_directory %>/gitlab_pages_error.log <%= @error_log_level%>;
+  <%= render "nginx-gitlab-pages-http-common-server.erb" %>
 
-  # Pass everything to pages daemon
+  # Pass everything to pages daemon when namespace in host
   location / {
     <% @proxy_set_headers.each do |header| %>
     <% next if header[1].nil? %>
     proxy_set_header <%= header[0] %> <%= header[1] %>;
     <% end %>
+    proxy_hide_header X-Gitlab-Namespace-In-Path;
 
-    # Prevent NGINX from caching pages in response to the pages `Cache-Control`
-    # header.
-    #
-    # Browsers already respect this directive and Pages can handle the request
-    # volume without help from NGINX.
-    #
-    # If this changes in the future, ensure `proxy_cache_key` is set to a value
-    # like `$scheme$host$request_uri`, as the default value does not take the
-    # Pages hostname into account, leading to incorrect responses being served.
-    #
-    # See https://gitlab.com/gitlab-org/gitlab-pages/issues/73
-    proxy_cache off;
-
-    <% if @proxy_custom_buffer_size -%>
-      proxy_buffers 8 <%= @proxy_custom_buffer_size %>;
-      proxy_buffer_size <%= @proxy_custom_buffer_size %>;
-    <% end -%>
-
-    proxy_http_version 1.1;
-    proxy_pass          http://<%= @pages_listen_proxy %>;
+    <%= render "nginx-gitlab-pages-http-common-location.erb" %>
   }
 
-  # Define custom error pages
-  error_page 403 /403.html;
-  error_page 404 /404.html;
-
   <%= @custom_gitlab_server_config %>
 }

spec/chef/cookbooks/gitlab-pages/recipes/gitlab-pages_spec.rb

@@ -255,6 +255,7 @@
             redirects_max_path_segments: 50,
             redirects_max_rule_count: 2000,
             enable_disk: true,
+            namespace_in_path: true,
             env: {
               GITLAB_CONTINUOUS_PROFILING: "stackdriver?service=gitlab-pages",
             },
@@ -329,6 +330,7 @@
             redirects-max-path-segments=50
             redirects-max-rule-count=2000
             header=X-XSS-Protection: 1; mode=block;;X-Content-Type-Options: nosniff;;Test: Header
+            namespace-in-path=true
         EOS
 
         expect(chef_run).to render_file("/var/opt/gitlab/pages/gitlab-pages-config").with_content(expected_content)