Ok,
returned this:
Try:
/opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx -T
We're getting closer.
The whole point of this exercise is to locate the vhost config and find the proper document root to match the --webroot parameter to.
Ok, returned this:
nginx: the configuration file /var/opt/gitlab/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /var/opt/gitlab/nginx/conf/nginx.conf test is successful
# configuration file /var/opt/gitlab/nginx/conf/nginx.conf:
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
user gitlab-www gitlab-www;
worker_processes 2;
error_log stderr;
pid nginx.pid;
daemon off;
events {
worker_connections 10240;
}
http {
log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $sta tus $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';
log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_pro tocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';
server_names_hash_bucket_size 64;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/ json;
include /opt/gitlab/embedded/conf/mime.types;
proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
proxy_cache gitlab;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Remove private_token from the request URI
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove authenticity_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $temp_request_uri_1 $temp_request_uri_2 {
default $temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove rss_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $temp_request_uri_2 $filtered_request_uri {
default $temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# A version of the referer without the query string
map $http_referer $filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
# Enable vts status module.
vhost_traffic_status_zone;
upstream gitlab-workhorse {
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket;
}
include /var/opt/gitlab/nginx/conf/gitlab-http.conf;
include /var/opt/gitlab/nginx/conf/nginx-status.conf;
}
# configuration file /opt/gitlab/embedded/conf/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /var/opt/gitlab/nginx/conf/gitlab-http.conf:
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org /gitlab-foss/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CHUNKED TRANSFER ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
## configuration ##
###################################
server {
listen *:80;
server_name git-01.antares3000.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size 0;
## Real IP Module Config
## http://nginx.org/en/docs/http/ngx_http_realip_module.html
## HSTS Config
## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000";
# Rails sets a default policy of strict-origin-when-cross-origin, so
# hide that and just send the one we've configured for nginx
proxy_hide_header Referrer-Policy;
add_header Referrer-Policy strict-origin-when-cross-origin;
## Individual nginx logs for this GitLab vhost
access_log /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
error_log /var/log/gitlab/nginx/gitlab_error.log;
if ($http_host = "") {
set $http_host_with_default "git-01.antares3000.com";
}
if ($http_host != "") {
set $http_host_with_default $http_host;
}
gzip on;
gzip_static on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_vary on;
gzip_disable "msie6";
gzip_min_length 250;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/ json;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host_with_default;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
location ~ (/api/v\d/jobs/\d+/artifacts$|\.git/git-receive-pack$|\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
proxy_request_buffering off;
}
location /-/grafana/ {
proxy_pass http://localhost:3000/;
}
# health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;
location / {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
}
location /assets {
add_header X-Content-Type-Options nosniff;
proxy_cache gitlab;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|500|502)(-custom)?\.html$ {
root /opt/gitlab/embedded/service/gitlab-rails/public;
internal;
}
location ^~ /.well-known { root /var/www/letsencrypt; }
}
# configuration file /var/opt/gitlab/nginx/conf/gitlab-health.conf:
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
location /error.txt {
# return code here is ignored by the error_page directive
return 500 'nginx returned $status when communicating with gitlab-workhorse\n';
}
location /error.json {
# return code here is ignored by the error_page directive
return 500 '{"error":"nginx returned $status when communicating with gitlab-workhorse","status":$status}\n';
}
location = /-/health {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
error_page 404 500 502 /error.txt;
}
location = /-/readiness {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
error_page 404 500 502 /error.json;
}
location = /-/liveness {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
error_page 404 500 502 /error.json;
}
# configuration file /var/opt/gitlab/nginx/conf/nginx-status.conf:
server {
listen *:8060;
server_name localhost;
location /nginx_status {
stub_status;
server_tokens off;
access_log off;
allow 127.0.0.1;
deny all;
}
location /metrics {
vhost_traffic_status_display;
vhost_traffic_status_display_format prometheus;
server_tokens off;
access_log off;
allow 127.0.0.1;
deny all;
}
location /rails-metrics {
proxy_cache off;
proxy_pass http://gitlab-workhorse/-/metrics;
server_tokens off;
access_log off;
allow 127.0.0.1;
deny all;
}
}
I cannot doing the screenshot because was too long 
This seems to be trying to do what is expected:
Let's test that with:
echo "test file 1234" > /var/www/letsencrypt/test-file-1234
then
http://git-01.antares3000.com/.well-known/test-file-1234
[sorry wasn't finished typing]
OK , no problem.
Returns 'no such file or directory' after the echo
But in FileZilla the file 'test-file-1234' exist
Updated/corrected:
Let's test that with:
echo "test file 1234" > /var/www/letsencrypt/test-file-1234
then
http://git-01.antares3000.com/.well-known/test-file-1234
Again the same.
The ls -l /var/www/ returned this:
I had two ">>" and it should have been only one ">".
Yes i do with only one, and return 'no such file or directory', but in FileZilla client the file exist
Show:
ls -l /var/www/letsencrypt/
cat /var/www/letsencrypt/test-file-1234
Here:
Well the test failed:
curl -Iki http://git-01.antares3000.com/.well-known/test-file-1234
HTTP/1.1 404 Not Found
Server: nginx
That isn't the directory serving requests to the /.well-known folder.
Please show:
cat /var/log/gitlab/nginx/gitlab_error.log | grep well-known
Here:
That error log shows that nginx doesn't see the file. ("No such file...")
But I notice the paths aren't what I would have expected.
We placed the file in the folder:
/var/www/letsencrypt/
But nginx is looking for it in the folder:
/var/www/letsencrypt/.well-known
So let's put a test file there:
mkdir /var/www/letsencrypt/.well-known
echo "test file 2345" > /var/www/letsencrypt/.well-known/test-file-2345
then we test again...
I've dome the echo, in FileZilla client, the file exist, but http://git-01.antares3000.com/.well-known/test-file-2345 return: no such file or directory
It works for me:
curl http://git-01.antares3000.com/.well-known/test-file-2345
test file 2345
Now we go one further (closer to a real challenge file request):
mkdir /var/www/letsencrypt/.well-known/acme-challenge
echo "test file 3456" > /var/www/letsencrypt/.well-known/acme-challenge/test-file-3456
That was fast:
curl http://git-01.antares3000.com/.well-known/acme-challenge/test-file-3456
test file 3456
Ok, the files in FileZilla exist
Now we have to launch the bot?
Please don't delete any of the test files (yet).