From ce1e7c03994295c72307f8bbd4d799fde9e9701b Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Thu, 19 Jun 2014 19:02:42 +0200
Subject: [PATCH] Set Nginx ssl_protocols and ssl_session_cache
---
 files/gitlab-cookbooks/gitlab/attributes/default.rb | 2 ++
 files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb | 2 ++
 2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 914f21e..70a031c 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -248,6 +248,8 @@ default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}
 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
 default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
 default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
+default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+default['gitlab']['nginx']['ssl_session_cache'] = "shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['listen_address'] = '*'
 
 ###
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
index 3f8cc83..0ac4cca 100644
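Review bot: The new `ssl_protocols` default keeps TLSv1 and TLSv1.1 enabled next to TLSv1.2; both have since been formally deprecated (RFC 8996) and are rejected by current browsers and compliance baselines, so a default that ships to every install is safer as `default['gitlab']['nginx']['ssl_protocols'] = "TLSv1.2"` (adding `TLSv1.3` once the bundled nginx/OpenSSL support it), with operators who must serve old clients overriding the attribute. The real win in this line is that SSLv3 is left out, which deserves to be said in the comment rather than only linking a third-party tutorial, e.g. `# SSLv3 deliberately excluded; TLSv1/TLSv1.1 kept only for legacy clients`. The `shared:SSL:10m` cache is a reasonable default, but it is silently paired with nginx's own `ssl_session_timeout` default (5m, if I recall), so consider adding an explicit `default['gitlab']['nginx']['ssl_session_timeout']` attribute so the two are tuned together.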
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -46,6 +46,8 @@ server {
 ssl_certificate_key <%= @ssl_certificate_key %>;
 ssl_ciphers '<%= @ssl_ciphers %>';
 ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+ ssl_protocols <%= @ssl_protocols %>;
+ ssl_session_cache <%= @ssl_session_cache %>;
 <% end %>
 
 # Increase this if you want to upload large attachments
-- 
libgit2 0.21.2
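Review bot: The added `ssl_session_cache` line configures server-side resumption but says nothing about session tickets; as far as I recall nginx (1.5.9+) enables `ssl_session_tickets` by default with a ticket key generated once per process, so tickets keep resumption alive for the worker's lifetime regardless of the 10m cache and undercut the forward secrecy the ECDHE/DHE cipher preference on the line above is buying. Either add `ssl_session_tickets off;` beside the new directives or leave a comment noting the ticket key is only rotated by a restart. Both new lines interpolate their attribute unescaped, like the existing `ssl_ciphers` line, so a nil attribute would render `ssl_protocols ;` and nginx would refuse to load the config — acceptable while the attributes file always populates them, but worth a comment. The `<% if %>` that the visible `<% end %>` closes starts outside this hunk.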