author: Steve Azzopardi <steveazz@outlook.com> 2018-12-31 18:44:15 +0100
committer: Steve Azzopardi <steveazz@outlook.com> 2019-01-07 18:47:50 +0100
commit: 5265f69b3a3476a44ef5652a4dbe5b9d76ec0c83 (patch)
tree: 3b9159c8612b644ff158509cf033247dbaf6d12d /doc/administration/integration
parent: e216ac2c962ebacec2fa2bdc73f5b53e0068d8c1 (diff)
In the administration page for web terminals add a new `Security` section explaining how the interactive web terminals are secured between GitLab and gitlab-runner. This section is under administration instead of `doc/ci/interactive_web_terminal` because the administrators of the GitLab instance would be mostly interested in this, whilst `doc/ci/interactive_web_terminal` are interested in how the feature works. closes https://gitlab.com/gitlab-org/gitlab-ce/issues/52681
Diffstat (limited to 'doc/administration/integration')
-rw-r--r-- doc/administration/integration/terminal.md | 13
1 file changed, 13 insertions, 0 deletions
diff --git a/doc/administration/integration/terminal.md b/doc/administration/integration/terminal.md
index fa58d0ef15f..a04458f2019 100644
--- a/doc/administration/integration/terminal.md
+++ b/doc/administration/integration/terminal.md
@@ -28,6 +28,19 @@ In brief:
user no longer has permission to access the terminal, or if the connection
details have changed.
+## Security
+
+GitLab and [GitLab Runner](https://docs.gitlab.com/runner/) take some
+precautions to keep interactive web terminal data encrypted between them, and
+everything protected with authorization guards. This is described in more
+detail below.
+
+- Interactive web terminals are completely disabled unless [`[session_server]`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section) is configured.
+- Every time the runner starts, it will generate an `x509` certificate that will be used for a `wss` (Web Socket Secure) connection.
+- For every created job, a random URL is generated which is discarded at the end of the job. This URL is used to establish a web socket connection. The URL for the session is in the format `(IP|HOST):PORT/session/$SOME_HASH`, where the `IP/HOST` and `PORT` are the configured [`listen_address`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section).
+- Every session URL that is created has an authorization header that needs to be sent, to establish a `wss` connection.
+- The session URL is not exposed to the users in any way. GitLab holds all the state internally and proxies accordingly.
+
## Enabling and disabling terminal support
As web terminals use WebSockets, every HTTP/HTTPS reverse proxy in front of
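Review bot: the second bullet of the new `## Security` list states that the runner generates an `x509` certificate on every start, but not how GitLab comes to trust it; a certificate minted at startup cannot be pre-installed on the GitLab side, so the bullet should say how the runner conveys the certificate (or its fingerprint) to GitLab, otherwise the reader cannot tell whether the `wss` connection is verified or merely encrypted. The fourth bullet has the same gap: "an authorization header that needs to be sent" should say where that header's value originates and which component holds it, since that is what determines whether a session URL on its own is of any use. Minor: "Web Socket Secure" should read "WebSocket Secure" to match "WebSockets" in the surrounding text, the format `(IP|HOST):PORT/session/$SOME_HASH` would be clearer with the `wss://` scheme in front, and the bullets should be wrapped to the same width as the paragraph above them.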