Advanced deployments

Deploy Tuleap behind a reverse proxy

We strongly recommend to setup the reverse proxy so that it terminates SSL.

Install Nginx

Install nginx from EPEL.

Configure Nginx

# ++ Disable emitting nginx version in response header
server_tokens off;
# -- Disable emitting nginx version in response header

# ++ Cache and compress (not mandatory for reverse proxy)
proxy_cache_path    /tmp/nginx_cache levels=1:2 keys_zone=cache_zone:200m
                    max_size=1g inactive=30m;
proxy_cache_key     "$scheme$request_method$host$request_uri";
gzip            on;
gzip_vary       on;
gzip_proxied    expired no-cache no-store private auth;
gzip_types      text/plain text/css text/xml text/javascript
                application/x-javascript application/xml;
gzip_disable    "MSIE [1-6]\.";
# -- Cache and compress

upstream tuleap {
    server 127.0.0.1:4430;
}

server {
    listen 443 ssl;
    server_name tuleap.example.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Path to Diffie-Hellman parameter
    # You can generated the file with openssl dhparam -out /path/to/dhparam.pem 2048
    ssl_dhparam /path/to/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # ++ Cache media (not mandatory for reverse proxy)
    location ~* \.(?:js|css|png|gif|eot|woff)$ {
        access_log              off;
        add_header              X-Cache-Status $upstream_cache_status;
        proxy_cache             cache_zone;
        proxy_cache_valid       200 302 1h;
        proxy_ignore_headers    "Set-Cookie";
        proxy_hide_header       "Set-Cookie";
        expires                 1h;

        proxy_pass https://tuleap;
        proxy_ssl_verify off;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host              $host;
    }
    # -- Cache media

    # The 4 proxy_set_header are mandatory
    location / {
        proxy_pass https://tuleap;
        proxy_ssl_verify off;
        proxy_set_header X-Real-IP         $remote_addr;
        # Allow to know what is the original IP address (esp. for logging purpose as well as session management)
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Allow to know what is the original protocol (so Tuleap knows if things were in HTTPS)
        proxy_set_header X-Forwarded-Proto $scheme;
        # What is the name of the platform to the end users
        proxy_set_header Host              $host;
        # Write Destination header for Subversion COPY and MOVE operations
        set $fixed_destination $http_destination;
        if ( $http_destination ~* ^https(.*)$ ) {
            set $fixed_destination http$1;
        }
        proxy_set_header Destination $fixed_destination;
    }
}

# Let Nginx manage "force HTTPS itself"
server {
    listen       80;
    server_name  tuleap.example.com;
    return       301 https://$server_name:443$request_uri;
}

Configure Tuleap

You will need to tell Tuleap that the IP of the reverse proxy is trusted, in local.inc:

$sys_trusted_proxies = '127.0.0.1';

Be careful with this value, once you set it, Tuleap will automatically trust some request headers when the request come from this IP address (X_FORWARDED_FOR, X_FORWARDED_PROTO, REMOTE_ADDR). So if your proxy is not properly configured to value those headers, it could be used by an attacker to spoof requests.

Please note that you can also use CIDR notation like 192.168.0.0/24 as well.