Download as
Browse Code »

Commit bdd23b71d58b06bfe675ff3d3b9fc0365b8780c9

Authored by Jacob Vosmaer
2 parents 26092512 b4ab3e51
Exists in master and in 2 other branches 7-2-stable, 7-2-stable-ee

Merge branch 'nginx_ssl_tweaks' into 'master' 

NGINX SSL tweaks

See merge request !145
Showing 2 changed files with 6 additions and 0 deletions   Show diff stats
files/gitlab-cookbooks/gitlab/attributes/default.rb
  Diff comments   View file @bdd23b7
@@ -258,6 +258,9 @@ default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']} @@ -258,6 +258,9 @@ default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}
258 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" 258 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
259 default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4" 259 default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
260 default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on" 260 default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
  261 +default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  262 +default['gitlab']['nginx']['ssl_session_cache'] = "shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
  263 +default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
261 default['gitlab']['nginx']['listen_address'] = '*' 264 default['gitlab']['nginx']['listen_address'] = '*'
262 265
263 ### 266 ###
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
  Diff comments   View file @bdd23b7
@@ -46,6 +46,9 @@ server { @@ -46,6 +46,9 @@ server {
46 ssl_certificate_key <%= @ssl_certificate_key %>; 46 ssl_certificate_key <%= @ssl_certificate_key %>;
47 ssl_ciphers '<%= @ssl_ciphers %>'; 47 ssl_ciphers '<%= @ssl_ciphers %>';
48 ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>; 48 ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  49 + ssl_protocols <%= @ssl_protocols %>;
  50 + ssl_session_cache <%= @ssl_session_cache %>;
  51 + ssl_session_timeout <%= @ssl_session_timeout %>;
49 <% end %> 52 <% end %>
50 53
51 # Increase this if you want to upload large attachments 54 # Increase this if you want to upload large attachments