Commit c04a54f90b2c6eec2e6eaa1b80bd42c10989ad9f

Authored by Jacob Vosmaer
1 parent 7c187a23

Use more fancy SSL ciphers in Nginx

Source:
https://gitlab.com/gitlab-org/cookbook-gitlab/blob/83bbd287b77322f7cec2c9a6ff12f19506ea53e4/templates/default/nginx.erb
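--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@
 - Fix name clash between release.sh and `make release`
 - Fix Git CRLF bug
 - Enable the 'sign_in_text' field in gitlab.yml (Mike Nestor)
+- Use more fancy SSL ciphers for Nginx
 
 6.8.1
 - Use gitlab-rails 6.8.1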
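--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -220,4 +220,6 @@ default['gitlab']['nginx']['redirect_http_to_https'] = false
 default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
 default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
+default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
+default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
 default['gitlab']['nginx']['listen_address'] = '*'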
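Review bot: The new `ssl_ciphers` default still offers 3DES: it lists `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`, and the trailing `!DES` does not remove them, because OpenSSL cipher strings treat `DES` and `3DES` as separate keywords. The `HIGH` catch-all after the explicit list also re-admits anything OpenSSL classes as HIGH that the exclusions miss, so the string is not a strict allowlist. The static-RSA entries (`AES256-GCM-SHA384` through `AES128-SHA`) give no forward secrecy. If these are kept on purpose for old clients, say so in a comment above the attribute, e.g. `# 3DES and static-RSA suites are kept last for legacy clients; override ssl_ciphers to drop them`. Otherwise remove the three `DES-CBC3` entries and add `!3DES` to the exclusions.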
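--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -42,8 +42,8 @@ server {
 ssl on;
 ssl_certificate <%= @ssl_certificate %>;
 ssl_certificate_key <%= @ssl_certificate_key %>;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
+ ssl_ciphers '<%= @ssl_ciphers %>';
+ ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
 <% end %>
 
 # Increase this if you want to upload large attachments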
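Review bot: The cipher list this template now renders includes DHE suites by default, but the visible part of the `server` block sets no `ssl_dhparam`; depending on the nginx version, DHE then either runs with nginx's small built-in parameters or is not offered at all. Consider adding `ssl_dhparam <path-to-generated-dhparams.pem>;` next to `ssl_ciphers`, or documenting that operators must supply one. Both values are also interpolated without validation: a `'` or `;` in `ssl_ciphers`, or anything other than `on`/`off` for `ssl_prefer_server_ciphers`, produces a config that nginx rejects or parses differently, so a check in the recipe before rendering would fail earlier and more clearly. The `server` block starts and ends outside this hunk, so `ssl_protocols` or `ssl_dhparam` may already be set on lines not shown.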