Merge branch 'master' into 'master'
Added nginx config property 'ssl_client_certificate' to be changed #### Description Added the `ssl_client_certificate` nginx property to gitlab omnibus config file. You should now be able to do ``` ruby nginx['ssl_client_certificate'] = '/path/to/ca.crt' ``` to add the root client certificate to the nginx configuration. #### Why? When trying to add a certificate for a not yet trusted vendor, you get back this error when trying to fetch over https: ``` fatal: unable to access '<snipped website>': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none ``` It also adds more configuration possibilities to omnibus. See merge request !413
commit
fc0f7e9344
|
@ -356,6 +356,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# nginx['client_max_body_size'] = '250m'
|
||||
# nginx['redirect_http_to_https'] = false
|
||||
# nginx['redirect_http_to_https_port'] = 80
|
||||
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
|
||||
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
|
||||
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
|
||||
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
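Review bot: The trailing comment on the new `nginx['ssl_client_certificate']` line ("Most root CA's are included by default") misdescribes the setting, and the same wording is repeated on the `default['gitlab']['nginx']['ssl_client_certificate'] = nil` attribute in the next section. In nginx, `ssl_client_certificate` names the CA bundle used to verify certificates presented by clients (and OCSP responses when stapling is on); no root CAs are loaded for that purpose by default. I would replace the comment with something like `# CA bundle used to verify client certificates; only takes effect together with ssl_verify_client`. The error quoted in the description comes from the git client verifying the server's chain, which this directive does not appear to influence. If that is the goal, the usual remedy is to include the intermediate certificates in the file referenced by `ssl_certificate`.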
|
||||
|
|
|
@ -346,6 +346,7 @@ default['gitlab']['nginx']['client_max_body_size'] = '250m'
|
|||
default['gitlab']['nginx']['cache_max_size'] = '5000m'
|
||||
default['gitlab']['nginx']['redirect_http_to_https'] = false
|
||||
default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
|
||||
default['gitlab']['nginx']['ssl_client_certificate'] = nil # Most root CA's will be included by default
|
||||
default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
|
||||
default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
|
||||
default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
|
||||
|
|
|
@ -33,6 +33,9 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate <%= @ssl_certificate %>;
|
||||
ssl_certificate_key <%= @ssl_certificate_key %>;
|
||||
<% if @ssl_client_certificate %>
|
||||
ssl_client_certificate <%= @ssl_client_certificate%>;
|
||||
<% end %>
|
||||
ssl_ciphers '<%= @ssl_ciphers %>';
|
||||
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
|
||||
ssl_protocols <%= @ssl_protocols %>;
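Review bot: The new `ssl_client_certificate` directive is emitted without any `ssl_verify_client` line in this hunk or in the matching hunk of the second template below, so unless that directive is set elsewhere in the server block (which continues outside both hunks), configuring a CA here will not make nginx request or check client certificates. An operator could believe mutual TLS is enforced when it is not, so either add a companion setting that renders `ssl_verify_client` or document clearly that this option alone does not enable client authentication. The guard `<% if @ssl_client_certificate %>` is also true for an empty string in Ruby, which would render `ssl_client_certificate ;` and fail the nginx config test. A stricter check such as `<% if @ssl_client_certificate && !@ssl_client_certificate.to_s.empty? %>` avoids that. Minor style: `<%= @ssl_client_certificate%>` lacks the space before `%>` that the neighbouring lines use.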
|
||||
|
|
|
@ -72,6 +72,9 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate <%= @ssl_certificate %>;
|
||||
ssl_certificate_key <%= @ssl_certificate_key %>;
|
||||
<% if @ssl_client_certificate %>
|
||||
ssl_client_certificate <%= @ssl_client_certificate%>;
|
||||
<% end %>
|
||||
|
||||
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
|
||||
ssl_ciphers '<%= @ssl_ciphers %>';
|
||||
|
|