Merge branch 'nginx_cipher_and_dhparams' into 'master'
Add a configuration option to provide the path to dhparams. Also update the documentation and the ciphers list. Fixes #578. See merge request !354
7b0c80ed9c
|
@ -166,6 +166,36 @@ information, see:
|
|||
http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
|
||||
https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
|
||||
|
||||
## Using custom ssl ciphers
|
||||
|
||||
By default GitLab is using SSL ciphers that are combination of testing on gitlab.com and various best practices contributed by the GitLab community.
|
||||
|
||||
However, you can change the ssl ciphers by adding to `gitlab.rb`:
|
||||
|
||||
```ruby
|
||||
nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
|
||||
```
|
||||
|
||||
and running reconfigure. Similar, for GitLab CI:
|
||||
|
||||
```ruby
|
||||
ci_nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
|
||||
```
|
||||
|
||||
You can also enable `ssl_dhparam` directive.
|
||||
|
||||
First, generate `dhparams.pem` with `openssl dhparam -out dhparams.pem 2048`. Then, in `gitlab.rb` add a path to the generated file, for example:
|
||||
|
||||
```ruby
|
||||
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
|
||||
```
|
||||
|
||||
After the change run `sudo gitlab-ctl reconfigure`. Similar, for GitLab CI:
|
||||
|
||||
```ruby
|
||||
ci_nginx['ssl_dhparam'] = "/etc/gitlab/ssl/ci_dhparams.pem"
|
||||
```
|
||||
|
||||
## Inserting custom NGINX settings into the GitLab server block
|
||||
|
||||
If you need to add custom settings into the NGINX `server` block for GitLab for
|
||||
|
@ -267,4 +297,4 @@ Other than the Passenger configuration in place of Unicorn and the lack of HTTPS
|
|||
[bundled Nginx configuration](files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
|
||||
|
||||
Don't forget to restart Nginx to load the new configuration (on Debian-based
|
||||
systems `sudo service nginx restart`).
|
||||
systems `sudo service nginx restart`).
|
||||
|
|
|
@ -345,6 +345,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||
# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
# nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
|
||||
# nginx['listen_addresses'] = ['*']
|
||||
# nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
|
||||
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
|
||||
|
@ -530,6 +531,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# ci_nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||
# ci_nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
# ci_nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
# ci_nginx['ssl_dhparam'] = nil # Path to ci_dhparams.pem, eg. /etc/gitlab/ssl/ci_dhparams.pem
|
||||
# ci_nginx['listen_addresses'] = ['*']
|
||||
# ci_nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
|
||||
# ci_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
|
||||
|
|
|
@ -317,6 +317,7 @@ default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
|
|||
default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||
default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparam.pem
|
||||
default['gitlab']['nginx']['listen_addresses'] = ['*']
|
||||
default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
|
||||
default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
|
||||
|
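Review bot: The comment on the new attribute, `# Path to dhparam.pem`, names the file differently from the rest of this change, which consistently says `dhparams.pem` (the `gitlab.rb.template` comment and the documentation section). Align it so the three descriptions of the same setting agree, e.g. `default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem`. It would also help operators to state in that comment that when the value is left nil the `ssl_dhparam` directive is omitted from the generated config entirely (per the `<% if @ssl_dhparam %>` guard added to the nginx templates), leaving the DH parameter choice to nginx's own defaults rather than disabling DHE.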
|
|
@ -39,6 +39,9 @@ server {
|
|||
ssl_protocols <%= @ssl_protocols %>;
|
||||
ssl_session_cache <%= @ssl_session_cache %>;
|
||||
ssl_session_timeout <%= @ssl_session_timeout %>;
|
||||
<% if @ssl_dhparam %>
|
||||
ssl_dhparam <%= @ssl_dhparam %>;
|
||||
<% end %>
|
||||
add_header Strict-Transport-Security max-age=63072000;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
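Review bot: The guard `<% if @ssl_dhparam %>` only suppresses the directive for nil/false; in Ruby an empty string is truthy, so a setting of `nginx['ssl_dhparam'] = ""` renders `ssl_dhparam ;` and nginx will refuse to load the generated configuration. Tighten it to `<% if @ssl_dhparam && !@ssl_dhparam.to_s.empty? %>` here and in the hunk at `@ -75,6 +75,10 @@`, which adds the same block (and, unlike this one, precedes it with a blank line — pick one layout for both). The template also performs no existence or readability check on the path, so a typo in `gitlab.rb` only surfaces as a failed nginx restart after reconfigure; if the cookbook recipe that supplies `@ssl_dhparam` is not already validating the path (it is outside this hunk, so I cannot tell), a `File.exist?` check there with a clear error message would make the failure mode explicit. The enclosing `server {` block starts outside the hunk.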
|
|
@ -75,6 +75,10 @@ server {
|
|||
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
|
||||
ssl_session_cache <%= @ssl_session_cache %>;
|
||||
ssl_session_timeout <%= @ssl_session_timeout %>;
|
||||
|
||||
<% if @ssl_dhparam %>
|
||||
ssl_dhparam <%= @ssl_dhparam %>;
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
|
|