-rw-r--r-- | lib/support/nginx/gitlab | 6 | ||||
-rw-r--r-- | lib/support/nginx/gitlab-ssl | 83 |
2 files changed, 30 insertions, 59 deletions
diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index 36306eeb3a6..49306fb63da 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -20,9 +20,9 @@ upstream gitlab {
 }
 
 server {
- listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
- server_name YOUR_SERVER_FQDN; # e.g., server_name source.example.com;
- server_tokens off; # don't show the version number, a security best practice
+ listen *:80 default_server;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
 root /home/git/gitlab/public;
 
 # Increase this if you want to upload large attachments
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 22e923b377c..54a4a080a9f 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
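Review bot: `listen *:80 default_server;` turns this vhost into the catch-all for port 80, so it also answers requests whose Host header matches no `server_name` (requests to the bare IP, for instance), and the new line carries no comment saying so, while the old `# e.g., listen 192.168.1.1:80` hint for binding to a single address is dropped. Presumably those unmatched requests then reach GitLab through the location blocks further down, which is a change an operator running other vhosts on port 80 would want stated. Suggest `listen *:80 default_server; ## Also answers requests whose Host matches no other vhost on this port; use an IP:port here to bind a single address` so the intent sits next to the `server_name` placeholder note.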
@@ -3,33 +3,11 @@
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ##
-## Lines starting with two hashes (##) are comments containing information
-## for configuration. One hash (#) comments are actual configuration parameters
-## which you can comment/uncomment to your liking.
-##
-###################################
-## SSL configuration ##
-###################################
-##
-## Optimal configuration is taken from:
-## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-## Make sure to read it and understand what each option does.
-##
-## [Optional] Generate a self-signed ssl certificate:
-## mkdir /etc/nginx/ssl/
-## cd /etc/nginx/ssl/
-## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
-## sudo chmod o-r gitlab.key
-##
-## Edit `gitlab-shell/config.yml`:
-## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
-## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
-## 3) Set "self_signed_cert" to `true`
-## Edit `gitlab/config/gitlab.yml`:
-## 1) Define port for http "port: 443"
-## 2) Enable https "https: true"
-## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters.
+## The last category can be commented/uncommented to your liking.
 ##
 ##################################
 ## CHUNKED TRANSFER ##
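Review bot: The removed block contained the steps for creating a self-signed certificate and restricting its key (`sudo openssl req ... -out gitlab.crt -keyout gitlab.key` and `sudo chmod o-r gitlab.key`), and the later hunk that re-adds the `gitlab-shell/config.yml` / `gitlab.yml` editing steps does not bring them back, so the file no longer tells the operator how the `/etc/nginx/ssl/gitlab.crt` that step 2 ("ca_file") still refers to comes into existence, nor that the key file's permissions should be restricted. The "Make sure to read it and understand what each option does" advice attached to the raymii link is also lost; the link itself survives only as another "Modified from" line. Suggest restoring the certificate-generation lines, including the `chmod o-r gitlab.key` step, under the new "SSL file editing" section, or adding a one-line pointer to wherever that procedure now lives.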
@@ -48,33 +26,41 @@
 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
 ## [1] https://github.com/agentzh/chunkin-nginx-module#status
 ## [2] https://github.com/agentzh/chunkin-nginx-module
-
+##
+###################################
+## SSL file editing ##
+###################################
+##
+## Edit `gitlab-shell/config.yml`:
+## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
+## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
+## 3) Set "self_signed_cert" to `true`
+## Edit `gitlab/config/gitlab.yml`:
+## 1) Define port for http "port: 443"
+## 2) Enable https "https: true"
+## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+##
+###################################
+## SSL configuration ##
+###################################
+##
 upstream gitlab {
-
- ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
 server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
-
- ## Uncomment if unicorn is configured to listen on a tcp port.
- ## Check the port number in /home/git/gitlab/config/unicorn.rb
- # server 127.0.0.1:8080;
 }
 
 ## This is a normal HTTP host which redirects all traffic to the HTTPS host.
 server {
- listen *:80;
- ## Replace git.example.com with your FQDN.
- server_name git.example.com;
- server_tokens off;
- ## root doesn't have to be a valid path since we are redirecting
- root /nowhere;
+ listen *:80 default_server;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /nowhere; ## root doesn't have to be a valid path since we are redirecting
 rewrite ^ https://$server_name$request_uri permanent;
 }
 
 server {
 listen 443 ssl;
- ## Replace git.example.com with your FQDN.
- server_name git.example.com;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
 server_tokens off;
 root /home/git/gitlab/public;
@@ -93,22 +79,7 @@ server {
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_session_cache builtin:1000 shared:SSL:10m;
- ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
- ## Replace with your ssl_trusted_certificate. For more info see:
- ## - https://medium.com/devops-programming/4445f4862461
- ## - https://www.ruby-forum.com/topic/4419319
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
- resolver 208.67.222.222 208.67.222.220 valid=300s;
- resolver_timeout 10s;
- ssl_prefer_server_ciphers on;
- ## [Optional] Generate a stronger DHE parameter (recommended):
- ## cd /etc/ssl/certs
- ## openssl dhparam -out dhparam.pem 2048
- ##
- # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 add_header Strict-Transport-Security max-age=63072000;
 add_header X-Frame-Options DENY; |
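Review bot: The new `## SSL configuration ##` banner is placed directly above `upstream gitlab {` and the plain-HTTP redirect server, so it now heads two sections that contain no SSL settings while the `listen 443 ssl;` block it describes starts further down. Suggest moving the four banner lines (`##`, the two `###…` rules and `## SSL configuration ##`) to just above that second `server {`, or renaming the banner to cover the upstream and redirect blocks as well. Dropping `# server 127.0.0.1:8080;` together with its note to check `/home/git/gitlab/config/unicorn.rb` removes the only hint for a TCP-listening unicorn; if the `gitlab` file keeps that hint the two templates now disagree, and keeping the one commented line costs nothing. The 443 block's `server_tokens off;` also stays bare while the port-80 copy gained `## Don't show the nginx version number, a security best practice`; the comment belongs on both or on neither. That 443 `server {` block continues past the end of the hunk.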