gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
author Tuomo Ala-Vannesluoma <tuomoav@gmail.com> 2018-04-06 18:23:58 +0300
committer Tuomo Ala-Vannesluoma <tuomoav@gmail.com> 2018-06-30 22:50:19 +0300
commit 9cf40354085f4b4446f06d4d03926dcaa6ab9565 (patch)
tree eb6ade3a82feec5f9b258417f41a8fecd3e9aec9 /README.md
parent c4a419ed595281f62977fd47aa30d225c4eddb5d (diff)
Add support for private projects and authentication with GitLab API
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 23
1 files changed, 23 insertions, 0 deletions
diff --git a/README.md b/README.md
index 7e2c3cbf..8ae6b0e4 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,29 @@ $ ./gitlab-pages -listen-http "10.0.0.1:8080" -listen-https "[fd00::1]:8080" -pa
This is most useful in dual-stack environments (IPv4+IPv6) where both Gitlab
Pages and another HTTP server have to co-exist on the same server.
+### GitLab access control
+
+GitLab access control is configured with properties `auth-client-id`, `auth-client-secret`, `auth-redirect-uri`, `auth-server` and `auth-secret`. Client ID, secret and redirect uri are configured in the GitLab and should match. `auth-server` points to a GitLab instance used for authentication. `auth-redirect-uri` should be `http(s)://pages-domain/auth`. Using HTTPS is _strongly_ encouraged. `auth-secret` is used to encrypt the session cookie, and it should be strong enough.
+
+Example:
+```
+$ make
+$ ./gitlab-pages -listen-http "10.0.0.1:8080" -listen-https "[fd00::1]:8080" -pages-root path/to/gitlab/shared/pages -pages-domain example.com -auth-client-id <id> -auth-client-secret <secret> -auth-redirect-uri https://example.com/auth -auth-secret something-very-secret -auth-server https://gitlab.com
+```
+
+#### How it works
+
+1. GitLab pages looks for `access_control`, `private` and `id` fields in `config.json` files
+ in `pages-root/group/project` directories.
+2. For projects that have `access_control` and `private` set to `true` pages will require user to authenticate.
+3. When user accesses a project that requires authentication, user will be redirected
+ to GitLab to log in and grant access for GitLab pages.
+4. When user grant's access to GitLab pages, pages will use the OAuth2 `code` to get an access
+ token which is stored in the user session cookie.
+5. Pages will now check user's access to a project with a access token stored in the user
+ session cookie. This is done via a request to GitLab API with the user's access token.
+6. If token is invalidated, user will be redirected again to GitLab to authorize pages again.
+
### Enable Prometheus Metrics
For monitoring purposes, you can pass the `-metrics-address` flag when starting.
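
Review bot: The added example command passes `-auth-client-secret <secret>` and `-auth-secret something-very-secret` as command-line arguments, which leaves both values in shell history and readable in the process list by other local users. The README should say so and point to whatever non-argv way of supplying them the daemon offers. In the same paragraph, "`auth-secret` ... should be strong enough" gives an operator nothing to act on. Since this value protects the session cookie, and step 4 says the OAuth access token is stored in that cookie, state a concrete requirement (randomly generated, with a minimum length) and replace the `something-very-secret` placeholder with something that cannot be pasted as-is, such as `<random-secret>`. For the same reason, `auth-redirect-uri` being documented as `http(s)://pages-domain/auth` deserves more than "strongly encouraged": over plain HTTP the token-bearing cookie and the OAuth `code` travel in clear text, so the text should describe HTTP as suitable only for local testing. Step 2 is ambiguous about whether both `access_control` and `private` must be `true` or either one suffices; spell that out, because it decides which projects are served without authentication. Minor wording: "configured in the GitLab", "grant's access" and "a access token" need fixing, and a blank line is missing before the `### GitLab access control` heading.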