Download as
Browse Code »

Commit c04a54f90b2c6eec2e6eaa1b80bd42c10989ad9f

Authored by Jacob Vosmaer
1 parent 7c187a23
Exists in master and in 11 other branches 6-9-stable, 6-9-stable-ee, 7-0-stable, 7-0-stable-ee, 7-0-stable-spb, 7-1-stable, 7-1-stable-ee, 7-2-stable, 7-2-stable-ee, branch_test, nginx_ssl_tweaks

Use more fancy SSL ciphers in Nginx 

Source:
https://gitlab.com/gitlab-org/cookbook-gitlab/blob/83bbd287b77322f7cec2c9a6ff12f19506ea53e4/templates/default/nginx.erb
Showing 3 changed files with 5 additions and 2 deletions   Show diff stats
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
8 - Fix name clash between release.sh and `make release` 8 - Fix name clash between release.sh and `make release`
9 - Fix Git CRLF bug 9 - Fix Git CRLF bug
10 - Enable the 'sign_in_text' field in gitlab.yml (Mike Nestor) 10 - Enable the 'sign_in_text' field in gitlab.yml (Mike Nestor)
  11 +- Use more fancy SSL ciphers for Nginx
11 12
12 6.8.1 13 6.8.1
13 - Use gitlab-rails 6.8.1 14 - Use gitlab-rails 6.8.1
files/gitlab-cookbooks/gitlab/attributes/default.rb
  Diff comments   View file @c04a54f
@@ -220,4 +220,6 @@ default['gitlab']['nginx']['redirect_http_to_https'] = false @@ -220,4 +220,6 @@ default['gitlab']['nginx']['redirect_http_to_https'] = false
220 default['gitlab']['nginx']['redirect_http_to_https_port'] = 80 220 default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
221 default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" 221 default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
222 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" 222 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
  223 +default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
  224 +default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
223 default['gitlab']['nginx']['listen_address'] = '*' 225 default['gitlab']['nginx']['listen_address'] = '*'
files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
  Diff comments   View file @c04a54f
@@ -42,8 +42,8 @@ server { @@ -42,8 +42,8 @@ server {
42 ssl on; 42 ssl on;
43 ssl_certificate <%= @ssl_certificate %>; 43 ssl_certificate <%= @ssl_certificate %>;
44 ssl_certificate_key <%= @ssl_certificate_key %>; 44 ssl_certificate_key <%= @ssl_certificate_key %>;
45 - ssl_ciphers RC4:HIGH:!aNULL:!MD5;  
46 - ssl_prefer_server_ciphers on; 45 + ssl_ciphers '<%= @ssl_ciphers %>';
  46 + ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
47 <% end %> 47 <% end %>
48 48
49 # Increase this if you want to upload large attachments 49 # Increase this if you want to upload large attachments