Merge branch 'nginx_cipher_and_dhparams' into 'master'

Add configuration option to provide path to dhparams.

Also updated the documentation and ciphers list.

Fixes #578

See merge request !354
Jacob Vosmaer 2015-05-21 12:40:29 +00:00
commit 7b0c80ed9c
5 changed files with 41 additions and 1 deletion


@ -166,6 +166,36 @@ information, see:
http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
## Using custom ssl ciphers
By default GitLab is using SSL ciphers that are combination of testing on gitlab.com and various best practices contributed by the GitLab community.
However, you can change the ssl ciphers by adding to `gitlab.rb`:
```ruby
nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
```
and running reconfigure. Similar, for GitLab CI:
```ruby
ci_nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
```
You can also enable `ssl_dhparam` directive.
First, generate `dhparams.pem` with `openssl dhparam -out dhparams.pem 2048`. Then, in `gitlab.rb` add a path to the generated file, for example:
```ruby
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
```
After the change run `sudo gitlab-ctl reconfigure`. Similar, for GitLab CI:
```ruby
ci_nginx['ssl_dhparam'] = "/etc/gitlab/ssl/ci_dhparams.pem"
```
## Inserting custom NGINX settings into the GitLab server block
If you need to add custom settings into the NGINX `server` block for GitLab for
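Review bot: the commit message says the ciphers list was updated, but nothing in this diff touches `ssl_ciphers`: the 30 added lines in this hunk are documentation only, and together with the template, attribute and ERB additions they account for all 41 additions and the single deletion, so either the cipher change belongs in another commit or the message should be corrected. Within the new "Using custom ssl ciphers" text, "By default GitLab is using SSL ciphers that are combination of testing" reads better as "By default GitLab uses SSL ciphers that are a combination of testing", and "Similar, for GitLab CI" should be "Similarly, for GitLab CI" in both places. The first example says "and running reconfigure" while the dhparam example says "run `sudo gitlab-ctl reconfigure`"; use the full command in both so readers do not have to guess. It would also help to state that the generated `dhparams.pem` must be readable by the nginx worker user, since a file under `/etc/gitlab/ssl/` created by root with restrictive permissions will make nginx fail to load the directive.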
@ -267,4 +297,4 @@ Other than the Passenger configuration in place of Unicorn and the lack of HTTPS
[bundled Nginx configuration](files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
Don't forget to restart Nginx to load the new configuration (on Debian-based
systems `sudo service nginx restart`).
systems `sudo service nginx restart`).


@ -345,6 +345,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*']
# nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
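Review bot: the new `nginx['ssl_dhparam']` comment should point at the documentation section the same way the `listen_port` and `listen_https` lines directly below it do (`https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#using-custom-ssl-ciphers`), since the docs hunk in this commit is where the `openssl dhparam` generation step lives; "eg." should be "e.g." while you are there.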
@ -530,6 +531,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# ci_nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
# ci_nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# ci_nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# ci_nginx['ssl_dhparam'] = nil # Path to ci_dhparams.pem, eg. /etc/gitlab/ssl/ci_dhparams.pem
# ci_nginx['listen_addresses'] = ['*']
# ci_nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# ci_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"


@ -317,6 +317,7 @@ default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparam.pem
default['gitlab']['nginx']['listen_addresses'] = ['*']
default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
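Review bot: the attribute comment says "Path to dhparam.pem" while the documentation and `gitlab.rb.template` in this same commit use `dhparams.pem` / `ci_dhparams.pem`; pick one filename and use it consistently so the three places agree, and consider mentioning the example path `/etc/gitlab/ssl/dhparams.pem` here as the template does.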


@ -39,6 +39,9 @@ server {
ssl_protocols <%= @ssl_protocols %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
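Review bot: the `<% if @ssl_dhparam %>` guard only checks that the attribute is set, not that the file exists or is readable, so a mistyped path in `gitlab.rb` will be rendered verbatim and nginx will refuse to load the configuration at the next reconfigure. Either add a Chef-side existence check before rendering (with a clear error naming the attribute) or document the failure mode next to the option. Note also that `ssl_dhparam` only affects DHE cipher suites: if the configured `ssl_ciphers` list contains no DHE suites the file is loaded but never used, which is worth a sentence in the documentation so operators do not assume the parameters are in effect.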


@ -75,6 +75,10 @@ server {
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
<% end %>
## Individual nginx logs for this GitLab vhost
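Review bot: this block sits inside an outer ERB conditional that is closed by the `<% end %>` immediately after the new `<% end %>`, so please confirm the template renders with matching ends both when `@ssl_dhparam` is set and when it is nil; a template render test for the CI vhost in both states would catch a misplaced `end` that the GitLab vhost hunk (which is not nested the same way) would not reveal.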