Disabling http2 protocol for the users that require it.

doc/settings/nginx.md

@@ -114,6 +114,35 @@ for the changes to take effect.
 
 This way you can specify any header supported by NGINX you require.
 
+## Configuring HTTP2 protocol
+
+By default, when you specify that your Gitlab instance should be reachable
+through HTTPS by specifying `external_url "https://gitlab.example.com"`,
+[http2 protocol] is also enabled.
+
+The omnibus-gitlab package sets required ssl_ciphers that are compatible with
+http2 protocol.
+
+If you are specifying custom ssl_ciphers in your configuration and a cipher is
+in [http2 cipher blacklist], once you try to reach your GitLab instance you will
+be presented with `INADEQUATE_SECURITY` error in your browser.
+
+Consider removing the offending ciphers from the cipher list. Changing ciphers
+is only necessary if you have a very specific custom setup.
+
+For more info on why you would want to have http2 protocol enabled, check out
+the [http2 whitepaper].
+
+If changing the ciphers is not an option you can disable http2 support by
+specifying in `/etc/gitlab/gitlab.rb`:
+
+```ruby
+nginx['http2_enabled'] = false
+```
+
+Save the file and [reconfigure GitLab](http://doc.gitlab.com/ce/administration/restart_gitlab.html#omnibus-gitlab-reconfigure)
+for the changes to take effect.
+
 ## Using a non-bundled web-server
 
 By default, omnibus-gitlab installs GitLab with bundled Nginx.
@@ -430,3 +459,6 @@ systems `sudo service nginx restart`).
 
 [recipes-web]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server
 [selinuxmod]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache#selinux-modifications
+[http2 protocol]: https://tools.ietf.org/html/rfc7540
+[http2 whitepaper]: https://assets.wp.nginx.com/wp-content/uploads/2015/09/NGINX_HTTP2_White_Paper_v4.pdf?_ga=1.127086286.212780517.1454411744
+[http2 cipher blacklist]: https://tools.ietf.org/html/rfc7540#appendix-A

files/gitlab-config-template/gitlab.rb.template

@@ -482,6 +482,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # }
 # nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
 # nginx['proxy_cache'] = 'gitlab'
+# nginx['http2_enabled'] = true
 
 ## Advanced settings
 # nginx['dir'] = "/var/opt/gitlab/nginx"

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -455,7 +455,7 @@ default['gitlab']['nginx']['proxy_set_headers'] = {
   "X-Real-IP" => "$remote_addr",
   "X-Forwarded-For" => "$proxy_add_x_forwarded_for"
 }
-
+default['gitlab']['nginx']['http2_enabled'] = true
 # Cache up to 1GB of HTTP responses from GitLab on disk
 default['gitlab']['nginx']['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
 # Set to 'off' to disable proxy caching.

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -50,7 +50,7 @@ server {
 
 server {
 <% @listen_addresses.each do |listen_address| %>
-  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl http2<% end %>;
+  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
 
   <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
   listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb

@@ -28,7 +28,7 @@ server {
 
 server {
 <% @listen_addresses.each do |listen_address| %>
-  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% end %>;
+  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
 <% end %>
   server_name <%= @fqdn %>;
   server_tokens off;     # don't show the version number, a security best practice