From 0d84010d1c374fe3cfdbc3b067e4502e56b6a8b3 Mon Sep 17 00:00:00 2001 From: Reuben Pereira Date: Tue, 16 Jul 2019 19:20:43 +0000 Subject: Don't use transactions and exceptions Instead return error objects. --- config/gitlab.yml.example | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 334c241bcaa..0e78980350f 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -952,6 +952,16 @@ production: &base # address: localhost # port: 3807 + ## Prometheus settings + # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb + # if you installed GitLab via Omnibus. + # If you installed from source, you need to install and configure Prometheus + # yourself, and then update the values here. + # https://docs.gitlab.com/ee/administration/monitoring/prometheus/ + prometheus: + # enable: true + # listen_address: 'localhost:9090' + # # 5. Extra customization # ========================== @@ -1158,6 +1168,9 @@ test: user_filter: '' group_base: 'ou=groups,dc=example,dc=com' admin_group: '' + prometheus: + enable: true + listen_address: 'localhost:9090' staging: <<: *base -- cgit v1.2.1 From 1902d9cc74a1dc2c87fdbb39a6cdbb67092cbb5a Mon Sep 17 00:00:00 2001 From: Valery Sizov Date: Tue, 9 Jul 2019 18:59:52 +0300 Subject: Backport of https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14597 This is the first part of Docker Registry replication for secondary Geo node. --- config/gitlab.yml.example | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 0e78980350f..dd53127ac2c 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example 
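Review bot: With both child keys commented out, the new `prometheus:` key parses as YAML null rather than an empty mapping, so whatever reads this stanza has to tolerate nil; that loader is outside the hunk, so confirm it does. The toggle is spelled `enable`, while the other stanzas added later in this series (`registry_replication`, `content_security_policy`) use `enabled`; if the consumer really expects `enable`, a comment such as `# Note: this key is 'enable', not 'enabled'` would stop a later cleanup from silently breaking it. The same `enable` spelling is used in the test-section hunk of this commit, so both would need changing together if the name is ever revised.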
@@ -400,6 +400,15 @@ production: &base # path: shared/registry # issuer: gitlab-issuer + # Add notification settings if you plan to use Geo Replication for the registry + # notifications: + # - name: geo_event + # url: https://example.com/api/v4/container_registry_event/events + # timeout: 2s + # threshold: 5 + # backoff: 1s + # headers: + # Authorization: secret_phrase ## Error Reporting and Logging with Sentry sentry: -- cgit v1.2.1 From f519a4b72f81a1e3c81e5e684d236bbe30e0dd2d Mon Sep 17 00:00:00 2001 From: Valery Sizov Date: Thu, 1 Aug 2019 15:03:08 +0300 Subject: Backport of https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3809 Introducing Docker Registry replication --- config/gitlab.yml.example | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index dd53127ac2c..39b719a5978 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -427,6 +427,11 @@ production: &base # If it is blank, it defaults to external_url. node_name: '' + registry_replication: + # enabled: true + # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API + + # # 2. GitLab CI settings # ========================== -- cgit v1.2.1 From 5fbbd3dd6e965f76ecf1767373bddd236a78a4be Mon Sep 17 00:00:00 2001 
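Review bot: The commented example `Authorization: secret_phrase` reads like a usable value; the comment above the block should say it is a placeholder, e.g. `# Replace secret_phrase with a long random secret; the registry sends it on every event and GitLab presumably checks it against this value`. Because the whole block is commented, the `url` line is the only hint of where events are delivered; noting that the endpoint should be served over HTTPS would help, since the header carries a bearer-style shared secret. `timeout: 2s` and `backoff: 1s` are plain scalars, which parse as strings, but quoting them would make explicit that they are duration strings rather than numbers.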
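Review bot: The `primary_api_url` line runs far past 120 columns because its explanation is appended as a trailing comment after an already-commented value; move it above, as `# Internal address of the primary registry; GitLab uses it to call the primary registry API directly` followed by `# primary_api_url: http://localhost:5000/`. As with the other new stanzas, `registry_replication:` with every child commented out parses as null rather than `{}`, so the code reading this setting, which is outside the hunk, must handle nil.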
From: Stan Hu Date: Mon, 5 Aug 2019 23:14:32 -0700 Subject: Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. --- config/gitlab.yml.example | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 39b719a5978..226f2ec3722 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example 
@@ -47,6 +47,29 @@ production: &base # # relative_url_root: /gitlab + # Content Security Policy + # See https://guides.rubyonrails.org/security.html#content-security-policy + content_security_policy: + enabled: false + report_only: false + directives: + base_uri: + child_src: + connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000" + default_src: "'self'" + font_src: + form_action: + frame_ancestors: "'self'" + frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" + img_src: "* data: blob" + manifest_src: + media_src: + object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" + script_src: + style_src: "'self' 'unsafe-inline'" + worker_src: "http://localhost:3000 blob:" + report_uri: + # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. -- cgit v1.2.1 From 0dcb9d21efc1db97765d82ee39a0f0905ba945ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20Louz=C3=A1n?= Date: Wed, 10 Jul 2019 21:40:28 +0200 Subject: feat: SMIME signed notification emails - Add mail interceptor the signs outgoing email with SMIME - Add lib and helpers to work with SMIME data - New configuration params for setting up SMIME key and cert files --- config/gitlab.yml.example | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 226f2ec3722..2f6658594cc 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example 
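Review bot: `base_uri:` and `form_action:` are left empty, and neither directive falls back to `default-src`, so the example policy places no restriction on injected `<base>` elements or on where forms may be submitted; set `base_uri: "'self'"` and `form_action: "'self'"`, or document why they are deliberately open. The same two keys are left empty in the test-section hunk of the later "Enable CSP in gitlab.yml.example" commit on this page. An empty value here is YAML null, and the stanza does not say whether null means the directive is omitted or left at a Rails default (the loader that decides is outside this hunk); a one-line comment above `directives:` such as `# Leave a directive empty to omit it from the policy`, if that is the behaviour, would remove the guesswork. Consider also documenting that `report_only: true` is the safer first step when switching `enabled` on.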
@@ -95,6 +95,15 @@ production: &base email_display_name: GitLab email_reply_to: noreply@example.com email_subject_suffix: '' + email_smime: + # Uncomment and set to true if you need to enable email S/MIME signing (default: false) + # enabled: false + # S/MIME private key file in PEM format, unencrypted + # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app). + # key_file: /home/git/gitlab/.gitlab_smime_key + # S/MIME public certificate key in PEM format, will be attached to signed messages + # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app). + # cert_file: /home/git/gitlab/.gitlab_smime_cert # Email server smtp settings are in config/initializers/smtp_settings.rb.sample -- cgit v1.2.1 From 47c3abdfd0495a631e2f3f0ec850c6ed634b7fd7 Mon Sep 17 00:00:00 2001 From: J0WI Date: Thu, 22 Aug 2019 14:18:10 +0000 Subject: Fix typo in Content Security Policy example --- config/gitlab.yml.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 2f6658594cc..efddbfcbb57 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -61,7 +61,7 @@ production: &base form_action: frame_ancestors: "'self'" frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" - img_src: "* data: blob" + img_src: "* data: blob:" manifest_src: media_src: object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" -- cgit v1.2.1 From 92005fb70f38ee49396ae9e8123979f612827ada Mon Sep 17 00:00:00 2001 
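Review bot: The `key_file` comment says the private key is unencrypted but not that the file must therefore be protected by filesystem permissions; add a line after it such as `# The key is stored unencrypted, so keep the file readable only by the user GitLab runs as (e.g. mode 0600)`. "S/MIME public certificate key in PEM format" is confusing wording for the `cert_file` line; `# S/MIME public certificate in PEM format, attached to signed messages` is clearer. With every child commented out, `email_smime:` parses as null rather than an empty mapping, which the code reading it (outside this hunk) must tolerate.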
From: Heinrich Lee Yu Date: Wed, 14 Aug 2019 16:12:05 +0800 Subject: Enable CSP in gitlab.yml.example This enables CSP in dev and CI --- config/gitlab.yml.example | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index efddbfcbb57..973c2747838 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -50,12 +50,12 @@ production: &base # Content Security Policy # See https://guides.rubyonrails.org/security.html#content-security-policy content_security_policy: - enabled: false + enabled: true report_only: false directives: base_uri: child_src: - connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000" + connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*" default_src: "'self'" font_src: form_action: @@ -64,10 +64,10 @@ production: &base img_src: "* data: blob:" manifest_src: media_src: - object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" - script_src: + object_src: "'none'" + script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" style_src: "'self' 'unsafe-inline'" - worker_src: "http://localhost:3000 blob:" + worker_src: "'self' blob:" report_uri: # Trusted Proxies 
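Review bot: The commit message says this enables CSP for dev and CI, but both hunks edit the `production: &base` stanza, so the `http://localhost:*` entries added to `connect_src` and `script_src`, and the `'unsafe-eval'` in `script_src`, become part of the example production policy that the other environments presumably inherit through the `*base` alias (the alias sites are outside the hunk). An operator copying this file as-is gets a policy that trusts any script served from localhost on any port, which is the kind of permissive default a CSP exists to prevent. Either move the localhost and `'unsafe-eval'` sources into a development/test override, or add a comment above `content_security_policy:` such as `# The localhost:* and 'unsafe-eval' sources below are for local development and CI; remove them in production`. This applies to both hunks of this commit.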
@@ -1099,6 +1099,27 @@ test: host: localhost port: 80 + content_security_policy: + enabled: true + report_only: false + directives: + base_uri: + child_src: + connect_src: + default_src: "'self'" + font_src: + form_action: + frame_ancestors: "'self'" + frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" + img_src: "* data: blob:" + manifest_src: + media_src: + object_src: "'none'" + script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" + style_src: "'self' 'unsafe-inline'" + worker_src: "'self' blob:" + report_uri: + # When you run tests we clone and set up gitlab-shell # In order to set it up correctly you need to specify # your system username you use to run GitLab -- cgit v1.2.1 From 6e2032f24e0428189f8c9fe9e296a9630277155e Mon Sep 17 00:00:00 2001 From: dodocat Date: Tue, 27 Aug 2019 03:46:32 +0000 Subject: Update docs and comments about saml with allow_bypass_two_factor allow_bypass_two_factor configration dose not work with saml provider --- config/gitlab.yml.example | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'config/gitlab.yml.example') diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 973c2747838..20b1020e025 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example 
@@ -780,6 +780,14 @@ production: &base # (default: []) external_providers: [] + # CAUTION! + # This allows users to login with the specified providers without two factor. Define the allowed providers + # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none. + # This option should only be configured for providers which already have two factor. + # This configration dose not apply to SAML. + # (default: false) + allow_bypass_two_factor: ["twitter", 'google_oauth2'] + ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: -- cgit v1.2.1
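Review bot: `allow_bypass_two_factor: ["twitter", 'google_oauth2']` is added as a live value under `production: &base` while the comment directly above says the default is `false` and opens with "CAUTION!"; anyone who copies the example as-is gets two-factor bypass enabled for those two providers. Keep the example but comment it out, `# allow_bypass_two_factor: ["twitter", 'google_oauth2']`, so the effective value stays the documented default, and use one quote style for the two entries. The new comment has typos: `# This configration dose not apply to SAML.` should read `# This configuration does not apply to SAML.`, and the commit message body repeats the same misspelling. As rendered here the line `using an array, e.g. [...]` has no leading `#`; if that is really in the file it is a stray plain scalar that breaks the YAML, so confirm it is a comment line.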