config: rebase nginx configs from gitlab-ce 7.5.1 templates

assets/config/nginx/gitlab

@@ -1,5 +1,5 @@
 ## GitLab
-## Maintainer: @randx
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
@@ -15,7 +15,7 @@
 ## - installing an old version of Nginx with the chunkin module [2] compiled in, or
 ## - using a newer version of Nginx.
 ##
-## At the time of writing we do not know if either of these theoretical solutions works. 
+## At the time of writing we do not know if either of these theoretical solutions works.
 ## As a workaround users can use Git over SSH to push large files.
 ##
 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
@@ -26,6 +26,7 @@
 ##         configuration         ##
 ###################################
 ##
+## See installation.md#using-https for additional HTTPS configuration details.
 
 upstream gitlab {
   server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
@@ -33,7 +34,8 @@ upstream gitlab {
 
 ## Normal HTTP host
 server {
-  listen *:80 default_server;
+  listen 0.0.0.0:80 default_server;
+  listen [::]:80 default_server;
   server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com
   server_tokens off; ## Don't show the nginx version number, a security best practice
   root {{GITLAB_INSTALL_DIR}}/public;
@@ -42,6 +44,8 @@ server {
   ## Or if you want to accept large git objects over http
   client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}};
 
+  ## See app/controllers/application_controller.rb for headers set
+
   ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/gitlab/nginx/gitlab_access.log;
   error_log   /var/log/gitlab/nginx/gitlab_error.log;

assets/config/nginx/gitlab-ssl

@@ -1,5 +1,5 @@
 ## GitLab
-## Contributors: randx, yin8086, sashkab, orkoden, axilleas
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
@@ -19,16 +19,15 @@
 ## - installing an old version of Nginx with the chunkin module [2] compiled in, or
 ## - using a newer version of Nginx.
 ##
-## At the time of writing we do not know if either of these theoretical solutions works. 
+## At the time of writing we do not know if either of these theoretical solutions works.
 ## As a workaround users can use Git over SSH to push large files.
 ##
 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
 ## [1] https://github.com/agentzh/chunkin-nginx-module#status
 ## [2] https://github.com/agentzh/chunkin-nginx-module
 ##
-##
 ###################################
-##        SSL configuration      ##
+##         configuration         ##
 ###################################
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
@@ -37,22 +36,24 @@ upstream gitlab {
   server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
-## Normal HTTP host
+## Redirects all HTTP traffic to the HTTPS host
 server {
-  listen *:80 default_server;
+  listen 0.0.0.0:80;
+  listen [::]:80 default_server;
   server_name _; ## Replace this with something like gitlab.example.com
   server_tokens off; ## Don't show the nginx version number, a security best practice
-  
-  ## Redirects all traffic to the HTTPS host
-  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
-  rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent;
+  return 301 https://$host:{{GITLAB_PORT}}$request_uri;
+  access_log  /var/log/gitlab/nginx/gitlab_access.log;
+  error_log   /var/log/gitlab/nginx/gitlab_error.log;
 }
 
+
 ## HTTPS host
 server {
-  listen 443 ssl spdy;
+  listen 0.0.0.0:443 ssl spdy;
+  listen [::]:443 ssl spdy default_server;
   server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com
-  server_tokens off;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
   root {{GITLAB_INSTALL_DIR}}/public;
 
   ## Increase this if you want to upload large attachments
@@ -67,16 +68,15 @@ server {
   ssl_verify_client {{SSL_VERIFY_CLIENT}};
   ssl_client_certificate {{CA_CERTIFICATES_PATH}};
 
-  ssl_ciphers 'AES256+EECDH:AES256+EDH';
-
-  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
-  ssl_session_cache  builtin:1000  shared:SSL:10m;
-
-  ssl_prefer_server_ciphers   on;
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
 
+  ## See app/controllers/application_controller.rb for headers set
   add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}};
-  # add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
 
   ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
   ## Replace with your ssl_trusted_certificate. For more info see:
@@ -87,11 +87,10 @@ server {
   # ssl_stapling_verify on;
   # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
   # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
-  # resolver_timeout 10s;
+  # resolver_timeout 5s;
 
   ## [Optional] Generate a stronger DHE parameter:
-  ##   cd /etc/ssl/certs
-  ##   sudo openssl dhparam -out dhparam.pem 4096
+  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
   ##
   ssl_dhparam {{SSL_DHPARAM_PATH}};