Disabling http2 protocol for the users that require it.
parent
dce77dcdf2
commit
bcaa9e9eec
|
@ -114,6 +114,35 @@ for the changes to take effect.
|
|||
|
||||
This way you can specify any header supported by NGINX you require.
|
||||
|
||||
## Configuring HTTP2 protocol
|
||||
|
||||
By default, when you specify that your Gitlab instance should be reachable
|
||||
through HTTPS by specifying `external_url "https://gitlab.example.com"`,
|
||||
[http2 protocol] is also enabled.
|
||||
|
||||
The omnibus-gitlab package sets required ssl_ciphers that are compatible with
|
||||
http2 protocol.
|
||||
|
||||
If you are specifying custom ssl_ciphers in your configuration and a cipher is
|
||||
in [http2 cipher blacklist], once you try to reach your GitLab instance you will
|
||||
be presented with `INADEQUATE_SECURITY` error in your browser.
|
||||
|
||||
Consider removing the offending ciphers from the cipher list. Changing ciphers
|
||||
is only necessary if you have a very specific custom setup.
|
||||
|
||||
For more info on why you would want to have http2 protocol enabled, check out
|
||||
the [http2 whitepaper].
|
||||
|
||||
If changing the ciphers is not an option you can disable http2 support by
|
||||
specifying in `/etc/gitlab/gitlab.rb`:
|
||||
|
||||
```ruby
|
||||
nginx['http2_enabled'] = false
|
||||
```
|
||||
|
||||
Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
|
||||
for the changes to take effect.
|
||||
|
||||
## Using a non-bundled web-server
|
||||
|
||||
By default, omnibus-gitlab installs GitLab with bundled Nginx.
|
||||
|
@ -430,3 +459,6 @@ systems `sudo service nginx restart`).
|
|||
|
||||
[recipes-web]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server
|
||||
[selinuxmod]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache#selinux-modifications
|
||||
[http2 protocol]: https://tools.ietf.org/html/rfc7540
|
||||
[http2 whitepaper]: https://assets.wp.nginx.com/wp-content/uploads/2015/09/NGINX_HTTP2_White_Paper_v4.pdf?_ga=1.127086286.212780517.1454411744
|
||||
[http2 cipher blacklist]: https://tools.ietf.org/html/rfc7540#appendix-A
|
||||
|
|
|
@ -482,6 +482,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# }
|
||||
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
|
||||
# nginx['proxy_cache'] = 'gitlab'
|
||||
# nginx['http2_enabled'] = true
|
||||
|
||||
## Advanced settings
|
||||
# nginx['dir'] = "/var/opt/gitlab/nginx"
|
||||
|
|
|
@ -455,7 +455,7 @@ default['gitlab']['nginx']['proxy_set_headers'] = {
|
|||
"X-Real-IP" => "$remote_addr",
|
||||
"X-Forwarded-For" => "$proxy_add_x_forwarded_for"
|
||||
}
|
||||
|
||||
default['gitlab']['nginx']['http2_enabled'] = true
|
||||
# Cache up to 1GB of HTTP responses from GitLab on disk
|
||||
default['gitlab']['nginx']['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
|
||||
# Set to 'off' to disable proxy caching.
|
||||
|
|
|
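Review bot: The new `default['gitlab']['nginx']['http2_enabled'] = true` line carries no comment saying when an operator should flip it, while the neighbouring `proxy_cache_path` attribute does. The documentation hunk in this same commit ties the switch to custom `ssl_ciphers` that include entries from the RFC 7540 Appendix A blacklist, which surfaces as `INADEQUATE_SECURITY` in the browser; keeping that rationale next to the default would help, e.g. `# Set to false only if custom ssl_ciphers contain ciphers from the HTTP/2 blacklist (RFC 7540, Appendix A)`. The same one-line comment would suit the commented `# nginx['http2_enabled'] = true` example added to gitlab.rb.template.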
@ -50,7 +50,7 @@ server {
|
|||
|
||||
server {
|
||||
<% @listen_addresses.each do |listen_address| %>
|
||||
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl http2<% end %>;
|
||||
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
|
||||
|
||||
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
|
||||
listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
|
||||
|
|
|
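Review bot: The rewritten `listen` line now reads `@http2_enabled`, but nothing in this commit shows that variable being handed to the template; if the recipe that renders this file passes an explicit variables hash rather than the whole `node['gitlab']['nginx']` attribute hash, `@http2_enabled` is nil, the `<% if @http2_enabled %>` branch is skipped and HTTP/2 is silently dropped for every HTTPS deployment — the opposite of the `true` default this commit sets. That recipe is not visible here, so this is worth confirming, and the same caveat applies to the second `.conf.erb` hunk below. The enclosing `server` block begins and ends outside the hunk.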
@ -28,7 +28,7 @@ server {
|
|||
|
||||
server {
|
||||
<% @listen_addresses.each do |listen_address| %>
|
||||
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% end %>;
|
||||
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
|
||||
<% end %>
|
||||
server_name <%= @fqdn %>;
|
||||
server_tokens off; # don't show the version number, a security best practice
|
||||
|
|
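Review bot: Unlike the first template, the old `listen` line here had only `ssl` with no `http2`, so with the `true` default this hunk newly enables HTTP/2 on this listener rather than merely making it switchable, while the commit title and the documentation hunk describe only disabling it. If that is intended, the commit description and the new docs section should say so; if not, the line should keep `ssl<% end %>` as before. The `server` block this line belongs to continues outside the hunk.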