Merge branch '2124-fix-hsts' into 'master'
Make HSTS configuration single-level Closes #2124 See merge request !1423
This commit is contained in:
parent
6704452ed3
commit
4ba90ff8ad
|
@ -304,8 +304,8 @@ GitLab instance even once it will remember to no longer attempt insecure connect
|
|||
even when user is explicitly entering `http://` url. Such url will be automatically redirected by the browser to `https://` variant.
|
||||
|
||||
```ruby
|
||||
nginx['hsts']['max_age'] = 31536000
|
||||
nginx['hsts']['include_subdomains'] = false
|
||||
nginx['hsts_max_age'] = 31536000
|
||||
nginx['hsts_include_subdomains'] = false
|
||||
```
|
||||
|
||||
By default `max_age` is set for one year, this is how long browser will remember to only connect through HTTPS.
|
||||
|
|
|
@ -752,8 +752,8 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
|
||||
##! **Defaults to forcing web browsers to always communicate using only HTTPS**
|
||||
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security
|
||||
# nginx['hsts']['max_age'] = 31536000
|
||||
# nginx['hsts']['include_subdomains'] = false
|
||||
# nginx['hsts_max_age'] = 31536000
|
||||
# nginx['hsts_include_subdomains'] = false
|
||||
|
||||
##! **Override only if you use a reverse proxy**
|
||||
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
|
||||
|
|
|
@ -616,8 +616,8 @@ default['gitlab']['nginx']['real_ip_header'] = nil
|
|||
default['gitlab']['nginx']['real_ip_recursive'] = nil
|
||||
default['gitlab']['nginx']['server_names_hash_bucket_size'] = 64
|
||||
# HSTS
|
||||
default['gitlab']['nginx']['hsts']['max_age'] = 31536000
|
||||
default['gitlab']['nginx']['hsts']['include_subdomains'] = false
|
||||
default['gitlab']['nginx']['hsts_max_age'] = 31536000
|
||||
default['gitlab']['nginx']['hsts_include_subdomains'] = false
|
||||
|
||||
###
|
||||
# Nginx status
|
||||
|
|
|
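Review bot: Dropping the nested `default['gitlab']['nginx']['hsts']['max_age']` / `['include_subdomains']` attributes here, while the vhost template in the next hunk reads only `@hsts_max_age` and `@hsts_include_subdomains`, leaves no compatibility path for an existing gitlab.rb that still sets the old two-level keys. Whether such a setting now raises during reconfigure or is silently ignored cannot be told from this diff; in the silent case a site that had `include_subdomains = true` loses subdomain coverage, and one that had switched HSTS off with `max_age = 0` gets it re-enabled with the one-year default. Consider a small deprecation shim that maps the nested keys onto the flat ones and logs a warning, or at minimum a comment next to the new defaults such as `# HSTS: the nested nginx['hsts'][...] keys are no longer read; use hsts_max_age / hsts_include_subdomains`. The spec hunks below cover only the new flat keys, so a test for the old-key path would also be worth adding if a shim is kept.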
@ -104,9 +104,9 @@ server {
|
|||
|
||||
## HSTS Config
|
||||
## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
<% unless @hsts['max_age'].nil? || @hsts['max_age'] <= 0 %>
|
||||
add_header Strict-Transport-Security "max-age=<%= @hsts['max_age'] -%>
|
||||
<% if @hsts['include_subdomains'] %>; includeSubdomains<% end %>";
|
||||
<% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
|
||||
add_header Strict-Transport-Security "max-age=<%= @hsts_max_age -%>
|
||||
<% if @hsts_include_subdomains %>; includeSubdomains<% end %>";
|
||||
<% end %>
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
|
|
|
@ -333,7 +333,7 @@ describe 'nginx' do
|
|||
|
||||
context 'when hsts is disabled' do
|
||||
before do
|
||||
stub_gitlab_rb(nginx: { hsts: { max_age: 0 } })
|
||||
stub_gitlab_rb(nginx: { hsts_max_age: 0 })
|
||||
end
|
||||
it { is_expected.not_to render_file(gitlab_http_config).with_content(/add_header Strict-Transport-Security/) }
|
||||
end
|
||||
|
@ -342,7 +342,7 @@ describe 'nginx' do
|
|||
|
||||
context 'when include_subdomains is enabled' do
|
||||
before do
|
||||
stub_gitlab_rb(nginx: { hsts: { include_subdomains: true } })
|
||||
stub_gitlab_rb(nginx: { hsts_include_subdomains: true })
|
||||
end
|
||||
|
||||
it { is_expected.to render_file(gitlab_http_config).with_content(/add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";/) }
|
||||
|
@ -350,7 +350,7 @@ describe 'nginx' do
|
|||
|
||||
context 'when max-age is set to 10' do
|
||||
before do
|
||||
stub_gitlab_rb(nginx: { hsts: { max_age: 10 } })
|
||||
stub_gitlab_rb(nginx: { hsts_max_age: 10 })
|
||||
end
|
||||
|
||||
it { is_expected.to render_file(gitlab_http_config).with_content(/"max-age=10[^"]*"/) }
|
||||
|
|