Add missing omnibus configs for Apache and update instructions

2026-01-10 15:08:19 -05:00 · 2015-11-15 11:35:08 +02:00
parent d3eae4c01c
commit 2a11c67460
7 changed files with 383 additions and 15 deletions
--- a/web-server/apache/README.md
+++ b/web-server/apache/README.md
@@ -3,14 +3,37 @@
 The configuration files in this directory were tested with GitLab 8.1. For
 versions of GitLab older than 8.0, check the `apache-old` branch.

+## Installations from source
+
 If you are using Apache version 2.4 or above, please use files
 [gitlab-apache24.conf](gitlab-apache24.conf) or [gitlab-ssl-apache24.conf](gitlab-ssl-apache24.conf)
 for the HTTP and HTTPS versions of the vhost repectively.

-If you are using Apache version 2.2 or above, please use files
+If you are using Apache version 2.2, please use files
 [gitlab-apache22.conf](gitlab-apache22.conf) or [gitlab-ssl-apache22.conf](gitlab-ssl-apache22.conf)
 for the HTTP and HTTPS versions of the vhost repectively.

+To allow `gitlab-workhorse` to listen on port 8181, edit or create
+`/etc/default/gitlab` and change or add the following:
+
+```
+gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr http://127.0.01:8181 -authBackend http://127.0.0.1:8080"
+```
+
+## Installations unsing the Omnibus packages
+
+[Omnibus packages][] use their own bundled nginx server. If you want to use your
+own external Nginx server, follow the 4 steps to
+[configure GitLab][omnibuswebext] and then download the appropriate config file
+from this directory which has `omnibus` in its name.
+
+Usually the location where Apache reads its configs from, is either
+`/etc/apache2/sites-enabled/` (Debian/Ubuntu) or `/etc/httpd/conf.d/` (RHEL/CentOS).
+
+If you are using Debian, the de facto way is to store the configs in
+`/etc/apache2/sites-available/` and then make a symlink to
+`/etc/apache2/sites-enabled/` using the `a2ensite` command.
+
 # RHEL6/CentOS6 recommendations

 Most of the settings below were tested on CentOS 6, but are probably applicable
@@ -214,3 +237,5 @@ to better understand it.
 [sock]: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
 [reports]: https://github.com/gitlabhq/gitlabhq/issues/5139
 [digiocean]: https://www.digitalocean.com/community/tutorials/how-to-get-started-with-mod_pagespeed-with-apache-on-an-ubuntu-and-debian-cloud-server
+[Omnibus packages]: https://about.gitlab.com/downloads/
+[omnibuswebext]: http://doc.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
--- a/web-server/apache/gitlab-apache22.conf
+++ b/web-server/apache/gitlab-apache22.conf
@@ -1,7 +1,7 @@
 # This configuration has been tested on GitLab 8.1
-# Note this config assumes unicorn is listening on default port 8080 and gitlab-git-http-server is listening on port 8181.
-# To allow gitlab-git-http-server to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
-# gitlab_git_http_server_options="-listenUmask 0 -listenNetwork tcp -listenAddr localhost:8181 -authBackend http://127.0.0.1:8080"
+# Note this config assumes unicorn is listening on default port 8080 and gitlab-workhorse is listening on port 8181.
+# To allow gitlab-workhorse to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
+# gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr http://127.0.0.1:8181 -authBackend http://127.0.0.1:8080"

 #Module dependencies
 #  mod_rewrite
@@ -9,7 +9,7 @@
 #  mod_proxy_http
 # HTTP Configuration
 <VirtualHost *:80>
-  ServerName gitlab.example.com
+  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  ProxyPreserveHost On
@@ -22,18 +22,18 @@
      Order deny,allow
      Allow from all

-      #Allow forwarding to gitlab-git-http-server
+      #Allow forwarding to gitlab-workhorse
      ProxyPassReverse http://127.0.0.1:8181
      #Allow forwarding to GitLab Rails app (Unicorn)
      ProxyPassReverse http://127.0.0.1:8080
-      ProxyPassReverse http://gitlab.example.com/
+      ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

  #apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on
-  #Forward these requests to gitlab-git-http-server
+  #Forward these requests to gitlab-workhorse
  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
@@ -45,7 +45,7 @@
  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]

  # needed for downloading attachments
-  DocumentRoot /home/git/gitlab/public
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
@@ -57,9 +57,9 @@
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
-  ErrorLog  /var/log/httpd/logs/gitlab.example.com_error.log
-  CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded
-  CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog
-  CustomLog /var/log/httpd/logs/gitlab.example.com.log combined
+  ErrorLog  /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined

 </VirtualHost>
--- a/web-server/apache/gitlab-omnibus-apache22.conf
+++ b/web-server/apache/gitlab-omnibus-apache22.conf
@@ -0,0 +1,68 @@
+# This configuration has been tested on GitLab 8.1
+# Note this config assumes unicorn is listening on default port 8080 and
+# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
+# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
+#
+# gitlab_workhorse['listen_network'] = "tcp"
+# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
+#
+#Module dependencies
+#  mod_rewrite
+#  mod_proxy
+#  mod_proxy_http
+# HTTP Configuration
+<VirtualHost *:80>
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  ProxyPreserveHost On
+
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
+
+  <Location />
+      Order deny,allow
+      Allow from all
+
+      #Allow forwarding to gitlab-workhorse
+      ProxyPassReverse http://127.0.0.1:8181
+      #Allow forwarding to GitLab Rails app (Unicorn)
+      ProxyPassReverse http://127.0.0.1:8080
+      ProxyPassReverse http://YOUR_SERVER_FQDN/
+  </Location>
+
+  #apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
+  #Forward these requests to gitlab-workhorse
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+
+  # needed for downloading attachments
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
+
+  # It is assumed that the log directory is in /var/log/httpd.
+  # For Debian distributions you might want to change this to
+  # /var/log/apache2.
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog  /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
+
+</VirtualHost>
--- a/web-server/apache/gitlab-omnibus-apache24.conf
+++ b/web-server/apache/gitlab-omnibus-apache24.conf
@@ -0,0 +1,68 @@
+# This configuration has been tested on GitLab 8.1
+# Note this config assumes unicorn is listening on default port 8080 and
+# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
+# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
+#
+# gitlab_workhorse['listen_network'] = "tcp"
+# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
+#
+#Module dependencies
+#  mod_rewrite
+#  mod_proxy
+#  mod_proxy_http
+<VirtualHost *:80>
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  ProxyPreserveHost On
+
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
+
+  <Location />
+    # New authorization commands for apache 2.4 and up
+    # http://httpd.apache.org/docs/2.4/upgrading.html#access
+    Require all granted
+
+    #Allow forwarding to gitlab-workhorse
+    ProxyPassReverse http://127.0.0.1:8181
+    #Allow forwarding to GitLab Rails app (Unicorn)
+    ProxyPassReverse http://127.0.0.1:8080
+    ProxyPassReverse http://YOUR_SERVER_FQDN/
+  </Location>
+
+  #apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
+  #Forward these requests to gitlab-workhorse
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+
+  # needed for downloading attachments
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
+
+  # It is assumed that the log directory is in /var/log/httpd.
+  # For Debian distributions you might want to change this to
+  # /var/log/apache2.
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog  /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
+
+</VirtualHost>
--- a/web-server/apache/gitlab-ssl-omnibus-apache22.conf
+++ b/web-server/apache/gitlab-ssl-omnibus-apache22.conf
@@ -0,0 +1,96 @@
+# This configuration has been tested on GitLab 8.1
+# Note this config assumes unicorn is listening on default port 8080 and
+# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
+# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
+#
+# gitlab_workhorse['listen_network'] = "tcp"
+# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
+#
+#Module dependencies
+# mod_rewrite
+# mod_ssl
+# mod_proxy
+# mod_proxy_http
+# mod_headers
+
+# This section is only needed if you want to redirect http traffic to https.
+# You can live without it but clients will have to type in https:// to reach gitlab.
+<VirtualHost *:80>
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  RewriteEngine on
+  RewriteCond %{HTTPS} !=on
+  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  SSLEngine on
+  #strong encryption ciphers only
+  #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
+  SSLProtocol all -SSLv2
+  SSLHonorCipherOrder on
+  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+  SSLCompression Off
+  SSLCertificateFile    /etc/pki/tls/certs/YOUR_SERVER_FQDN.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/YOUR_SERVER_FQDN.key
+  SSLCACertificateFile  /etc/pki/tls/certs/YOUR_SERVER_FQDN.ca-bundle.crt
+
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  ProxyPreserveHost On
+
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
+
+  <Location />
+      Order deny,allow
+      Allow from all
+
+      #Allow forwarding to gitlab-workhorse
+      ProxyPassReverse http://127.0.0.1:8181
+      #Allow forwarding to GitLab Rails app (Unicorn)
+      ProxyPassReverse http://127.0.0.1:8080
+      ProxyPassReverse http://YOUR_SERVER_FQDN/
+  </Location>
+
+  # Apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
+
+  #Forward these requests to gitlab-workhorse
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+  RequestHeader set X_FORWARDED_PROTO 'https'
+  RequestHeader set X-Forwarded-Ssl on
+
+  # needed for downloading attachments
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
+
+  # It is assumed that the log directory is in /var/log/httpd.
+  # For Debian distributions you might want to change this to
+  # /var/log/apache2.
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
+
+</VirtualHost>
--- a/web-server/apache/gitlab-ssl-omnibus-apache24.conf
+++ b/web-server/apache/gitlab-ssl-omnibus-apache24.conf
@@ -0,0 +1,97 @@
+# This configuration has been tested on GitLab 8.1
+# Note this config assumes unicorn is listening on default port 8080 and
+# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
+# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
+#
+# gitlab_workhorse['listen_network'] = "tcp"
+# gitlab_workhorse['listen_addr'] = "http://127.0.0.1:8181"
+#
+#Module dependencies
+# mod_rewrite
+# mod_ssl
+# mod_proxy
+# mod_proxy_http
+# mod_headers
+
+# This section is only needed if you want to redirect http traffic to https.
+# You can live without it but clients will have to type in https:// to reach gitlab.
+<VirtualHost *:80>
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  RewriteEngine on
+  RewriteCond %{HTTPS} !=on
+  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  SSLEngine on
+  #strong encryption ciphers only
+  #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
+  SSLProtocol all -SSLv2
+  SSLHonorCipherOrder on
+  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+  SSLCompression Off
+  SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
+  SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
+  SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
+
+  ServerName YOUR_SERVER_FQDN
+  ServerSignature Off
+
+  ProxyPreserveHost On
+
+  # Ensure that encoded slashes are not decoded but left in their encoded state.
+  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
+  AllowEncodedSlashes NoDecode
+
+  <Location />
+    # New authorization commands for apache 2.4 and up
+    # http://httpd.apache.org/docs/2.4/upgrading.html#access
+    Require all granted
+
+    #Allow forwarding to gitlab-workhorse
+    ProxyPassReverse http://127.0.0.1:8181
+    #Allow forwarding to GitLab Rails app (Unicorn)
+    ProxyPassReverse http://127.0.0.1:8080
+    ProxyPassReverse http://YOUR_SERVER_FQDN/
+  </Location>
+
+  # Apache equivalent of nginx try files
+  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
+  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
+  RewriteEngine on
+
+  #Forward these requests to gitlab-workhorse
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/api/v3/projects/.*/repository/archive.* [OR]
+  RewriteCond %{REQUEST_URI} ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$
+  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
+
+  #Forward any other requests to GitLab Rails app (Unicorn)
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
+  RewriteCond %{REQUEST_URI} ^/uploads
+  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA,NE]
+  RequestHeader set X_FORWARDED_PROTO 'https'
+  RequestHeader set X-Forwarded-Ssl on
+
+  # needed for downloading attachments
+  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+  ErrorDocument 404 /404.html
+  ErrorDocument 422 /422.html
+  ErrorDocument 500 /500.html
+  ErrorDocument 503 /deploy.html
+
+  # It is assumed that the log directory is in /var/log/httpd.
+  # For Debian distributions you might want to change this to
+  # /var/log/apache2.
+  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
+  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
+  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
+
+</VirtualHost>
--- a/web-server/nginx/README.md
+++ b/web-server/nginx/README.md
@@ -1,12 +1,24 @@
 ## Nginx config moved to official repository

-You can find the nginx config in [GitLab official repository][gitlab].
+You can find the nginx config in [GitLab official repository][gitlab] which can
+be used for source installations.
+
+## Omnibus configs
+
+[Omnibus packages][] use their own bundled nginx server. If you want to use your
+own external Nginx server, follow the first 3 steps to
+[configure GitLab][omnibusnginxext] and then download the appropriate config
+file (ssl or non-ssl) from this directory.
+
+After placing the configs in their appropriate location
+(read [Different conf directories](#different-conf-directories)), make sure to
+restart Nginx.

 ## CentOS related Nginx notes

 ### Different conf directories

-If nginx is installed through the package manager, adjust sites in `/etc/nginx/conf.d/` 
+If nginx is installed through the package manager, adjust sites in `/etc/nginx/conf.d/`
 instead of `/etc/nginx/sites-available/` or create those directories and tell `nginx`
 to monitor them:

@@ -31,3 +43,5 @@ or replace the default `nginx` user with `git` and group `root` in `/etc/nginx/n
    user              git root;

 [gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/support/nginx "Nginx config for GitLab"
+[Omnibus packages]: https://about.gitlab.com/downloads/
+[omnibusnginxext]: http://doc.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server