Merge branch 'master' into 'master'

Added nginx config property 'ssl_client_certificate' to be changed

#### Description

Added the `ssl_client_certificate` nginx property to gitlab omnibus config file. You should now be able to do

``` ruby
nginx['ssl_client_certificate'] = '/path/to/ca.crt'
```

to add the root client certificate to the nginx configuration.

#### Why?
When adding a certificate for a vendor that is not yet trusted, fetching over HTTPS fails with this error:

```
fatal: unable to access '<snipped website>': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```
It also adds more configuration possibilities to omnibus.

See merge request !413
Marin Jankovski 2015-08-21 13:58:11 +00:00
commit fc0f7e9344
4 changed files with 8 additions and 0 deletions


@ -356,6 +356,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
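Review bot: The trailing comment on the new `ssl_client_certificate` example line, `# Most root CA's are included by default`, describes server-certificate trust and does not match what the directive does: in nginx, `ssl_client_certificate` names the CA bundle used to verify certificates presented by connecting clients, and it only takes effect when `ssl_verify_client` is also enabled. The merge request's motivation (git reporting `server certificate verification failed` against `CAfile: /etc/ssl/certs/ca-certificates.crt`) is a client-side trust-store problem that this nginx setting cannot fix, so the example will mislead operators into expecting it to. Suggest `# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # CA bundle nginx uses to verify client certificates; only effective together with ssl_verify_client`. The same comment is added in the attributes hunk below (`# Most root CA's will be included by default`) and should be corrected there as well.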


@ -346,6 +346,7 @@ default['gitlab']['nginx']['client_max_body_size'] = '250m'
default['gitlab']['nginx']['cache_max_size'] = '5000m'
default['gitlab']['nginx']['redirect_http_to_https'] = false
default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
default['gitlab']['nginx']['ssl_client_certificate'] = nil # Most root CA's will be included by default
default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"


@ -33,6 +33,9 @@ server {
ssl on;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;
<% if @ssl_client_certificate %>
ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>
ssl_ciphers '<%= @ssl_ciphers %>';
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_protocols <%= @ssl_protocols %>;
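Review bot: The new `ssl_client_certificate` directive is rendered on its own, but nginx only consults the CA bundle it names when `ssl_verify_client` is set, and nothing in this hunk renders that directive, so setting `nginx['ssl_client_certificate']` has no effect on how connections are authenticated and an operator may assume client certificates are being verified when they are not. If the setting is meant to enable client-certificate verification, a corresponding `ssl_verify_client` line belongs inside the same `<% if %>` block; if it is only meant to stage the bundle, a comment in the template should say so. Minor style point: `<%= @ssl_client_certificate%>` lacks the space before `%>` that the neighbouring `<%= @ssl_certificate %>` lines use, i.e. `ssl_client_certificate <%= @ssl_client_certificate %>;`. The same three lines are added in the second nginx template hunk below, which continues past the end of the page.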


@ -72,6 +72,9 @@ server {
ssl on;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;
<% if @ssl_client_certificate %>
ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers '<%= @ssl_ciphers %>';