author | Evan Read <eread@gitlab.com> | 2019-01-08 05:09:56 +0000 |
---|---|---|
committer | Evan Read <eread@gitlab.com> | 2019-01-08 05:09:56 +0000 |
commit | 9c8c9ab14507d45e9c8f5541055cc1c45617caea (patch) | |
tree | 9f0bc7ac65e193fb5162251c0edfd9d902391258 /doc/administration | |
parent | 710f2ec50c49d1e773acc20058ed584f1402de33 (diff) | |
parent | 5265f69b3a3476a44ef5652a4dbe5b9d76ec0c83 (diff) | |
download | gitlab-ce-9c8c9ab14507d45e9c8f5541055cc1c45617caea.tar.gz |
Merge branch 'docs/52681-add-documentation-about-how-web-terminals-are-secured' into 'master'
Add docs on how web terminals are secured
Closes #52681
See merge request gitlab-org/gitlab-ce!24099
Diffstat (limited to 'doc/administration')
-rw-r--r-- | doc/administration/integration/terminal.md | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/administration/integration/terminal.md b/doc/administration/integration/terminal.md index fa58d0ef15f..a04458f2019 100644 --- a/doc/administration/integration/terminal.md +++ b/doc/administration/integration/terminal.md @@ -28,6 +28,19 @@ In brief: user no longer has permission to access the terminal, or if the connection details have changed. +## Security + +GitLab and [GitLab Runner](https://docs.gitlab.com/runner/) take some +precautions to keep interactive web terminal data encrypted between them, and +everything protected with authorization guards. This is described in more +detail below. + +- Interactive web terminals are completely disabled unless [`[session_server]`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section) is configured. +- Every time the runner starts, it will generate an `x509` certificate that will be used for a `wss` (Web Socket Secure) connection. +- For every created job, a random URL is generated which is discarded at the end of the job. This URL is used to establish a web socket connection. The URL for the session is in the format `(IP|HOST):PORT/session/$SOME_HASH`, where the `IP/HOST` and `PORT` are the configured [`listen_address`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section). +- Every session URL that is created has an authorization header that needs to be sent, to establish a `wss` connection. +- The session URL is not exposed to the users in any way. GitLab holds all the state internally and proxies accordingly. + ## Enabling and disabling terminal support As web terminals use WebSockets, every HTTP/HTTPS reverse proxy in front of |
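Review bot: the new `## Security` section states that the runner generates an `x509` certificate on every start for the `wss` connection, but it never says how GitLab comes to trust a certificate that changes with each restart; a reader assessing this will ask whether the certificate (or a fingerprint of it) is passed to GitLab and verified, or whether the connection is accepted as-is, and one sentence answering that would close the gap. The fourth bullet ("Every session URL that is created has an authorization header that needs to be sent, to establish a `wss` connection") likewise leaves open who holds that header value and for how long; folding it into the final bullet, which already says GitLab holds all the state internally and proxies accordingly, would make the trust boundary explicit. Minor style point: the bullets are single unwrapped lines while the surrounding paragraphs wrap at 80 columns.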