From 7d012f846803ad90d28d74e34c567c9fcd8b46a3 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 17:38:15 +0530 Subject: [PATCH 01/26] README: document GITLAB_HTTPS setting --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2d91ed6f..1aad8782 100644 --- a/README.md +++ b/README.md @@ -460,6 +460,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_BACKUPS**: Setup cron job to automatic backups. Possible values disable, daily or monthly. Disabled by default - **GITLAB_BACKUP_EXPIRY**: Configure how long to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). - **GITLAB_SHELL_SSH_PORT**: The ssh port number. Defaults to 22. +- **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2. From 5443eb45834339cb5bfd4a8b1dbd2a6cd3de07cf Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 17:40:04 +0530 Subject: [PATCH 02/26] added GITLAB_SSL_SELF_SIGNED configuration option --- Changelog.md | 1 + README.md | 1 + assets/config/gitlab-shell/config.yml | 2 +- assets/init | 2 ++ 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 507dc38c..29e3f3a7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- added GITLAB_SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. - fix git over ssh when the default http/https ports are not used. - compile the assets only if it does not exist or if the gitlab version has changed. - upgrade gitlab-shell to version 1.9.4 
diff --git a/README.md b/README.md index 1aad8782..d9885e60 100644 --- a/README.md +++ b/README.md @@ -461,6 +461,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_BACKUP_EXPIRY**: Configure how long to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). - **GITLAB_SHELL_SSH_PORT**: The ssh port number. Defaults to 22. - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. +- **GITLAB_SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2. diff --git a/assets/config/gitlab-shell/config.yml b/assets/config/gitlab-shell/config.yml index 905b0bc2..dcff994e 100644 --- a/assets/config/gitlab-shell/config.yml +++ b/assets/config/gitlab-shell/config.yml @@ -9,7 +9,7 @@ http_settings: # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs - self_signed_cert: false + self_signed_cert: {{GITLAB_SSL_SELF_SIGNED}} # Repositories path # Give the canonicalized absolute pathname, diff --git a/assets/init b/assets/init index 16ed2a50..d7ef83c7 100755 --- a/assets/init +++ b/assets/init @@ -4,6 +4,7 @@ set -e GITLAB_HOST=${GITLAB_HOST:-localhost} GITLAB_PORT=${GITLAB_PORT:-} GITLAB_HTTPS=${GITLAB_HTTPS:-false} +GITLAB_SSL_SELF_SIGNED=${GITLAB_SSL_SELF_SIGNED:-false} GITLAB_EMAIL=${GITLAB_EMAIL:-gitlab@localhost} GITLAB_SUPPORT=${GITLAB_SUPPORT:-support@localhost} GITLAB_SIGNUP=${GITLAB_SIGNUP:-false} 
@@ -235,6 +236,7 @@ sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab/con # configure gitlab-shell sudo -u git -H sed 's,{{GITLAB_URL}},'"${GITLAB_URL}"',' -i /home/git/gitlab-shell/config.yml +sudo -u git -H sed 's/{{GITLAB_SSL_SELF_SIGNED}}/'"${GITLAB_SSL_SELF_SIGNED}"'/' -i /home/git/gitlab-shell/config.yml sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/' -i /home/git/gitlab-shell/config.yml sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab-shell/config.yml From d389bf1ef3ebb7c2419fa07240cf5fb6ea3c737d Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 22:07:50 +0530 Subject: [PATCH 03/26] added gitlab.https nginx template for ssl support --- assets/config/nginx/gitlab.https | 88 ++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 assets/config/nginx/gitlab.https diff --git a/assets/config/nginx/gitlab.https b/assets/config/nginx/gitlab.https new file mode 100644 index 00000000..5c037d6b --- /dev/null +++ b/assets/config/nginx/gitlab.https 
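Review bot: The value substituted into config.yml by the added sed line is never validated, so anything other than `true`/`false` lands in gitlab-shell's `self_signed_cert:` as a non-boolean, and a value containing `/` breaks the sed expression itself. As far as I recall gitlab-shell reacts to `self_signed_cert: true` by turning off peer verification on its API client, so an accidental value in that setting deserves a hard stop near the defaults at the top of the script: `case "${GITLAB_SSL_SELF_SIGNED}" in true|false) ;; *) echo "GITLAB_SSL_SELF_SIGNED must be true or false" >&2; exit 1 ;; esac`. The README entry added in this commit could also say that `true` disables certificate verification for gitlab-shell's calls to the GitLab API.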
@@ -0,0 +1,88 @@ +# GITLAB +# Maintainer: @randx + +# CHUNKED TRANSFER +# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not +# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) +# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either +# - installing an old version of Nginx with the chunkin module [2] compiled in, or +# - using a newer version of Nginx. +# +# At the time of writing we do not know if either of these theoretical solutions works. As a workaround +# users can use Git over SSH to push large files. +# +# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +# [1] https://github.com/agentzh/chunkin-nginx-module#status +# [2] https://github.com/agentzh/chunkin-nginx-module + +upstream gitlab { + server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; +} + +server { + listen *:80 default_server; + server_name {{YOUR_SERVER_FQDN}}; + server_tokens off; + rewrite ^ https://$server_name$request_uri? 
permanent; +} + +server { + listen *:443 default_server ssl; + server_name {{YOUR_SERVER_FQDN}}; + server_tokens off; + root /home/git/gitlab/public; + + ssl on; + ssl_certificate /home/git/data/certs/gitlab.crt; + ssl_certificate_key /home/git/data/certs/gitlab.key; + ssl_protocols SSLv3 TLSv1 TLSv1.2; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; + + ssl_prefer_server_ciphers on; + # ssl_session_cache builtin:1000 shared:SSL:10m; + # ssl_dhparam /home/git/data/certs/dhparam.pem; + + # Increase this if you want to upload large attachments + # Or if you want to accept large git objects over http + client_max_body_size 20m; + + # individual nginx logs for this gitlab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location / { + # serve static files from defined root folder;. + # @gitlab is a named location for the upstream fallback, see below + try_files $uri $uri/index.html $uri.html @gitlab; + } + + # if a file, which is not found in the root folder is requested, + # then the proxy pass the request to the upsteam (gitlab unicorn) + location @gitlab { + # If you use https make sure you disable gzip compression + # to be safe against BREACH attack + # gzip off; + + proxy_read_timeout 300; # Some requests take more than 30 seconds. + proxy_connect_timeout 300; # Some requests take more than 30 seconds. 
+ proxy_redirect off; + + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://gitlab; + } + + # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + location ~ ^/(assets)/ { + root /home/git/gitlab/public; + gzip_static on; # to serve pre-gzipped version + expires max; + add_header Cache-Control public; + } + + error_page 502 /502.html; +} \ No newline at end of file From c0f3f298c3911969442c0f265525e017efd7a70e Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 22:48:49 +0530 Subject: [PATCH 04/26] nginx: use the gitlab.https config if https is enabled --- assets/init | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/assets/init b/assets/init index d7ef83c7..5e251af4 100755 --- a/assets/init +++ b/assets/init @@ -116,7 +116,10 @@ echo User: root Password: $ROOT_PASSWORD supervisorctl start sshd # copy configuration templates -cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab +case "${GITLAB_HTTPS}" in + true) cp /app/setup/config/nginx/gitlab.https /etc/nginx/sites-available/gitlab ;; + *) cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab ;; +esac sudo -u git -H cp -a /app/setup/config/gitlab-shell/config.yml /home/git/gitlab-shell/config.yml sudo -u git -H cp /app/setup/config/gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml sudo -u git -H cp /app/setup/config/gitlabhq/resque.yml /home/git/gitlab/config/resque.yml 
@@ -130,7 +133,10 @@ sudo -u git -H cp /app/setup/config/gitlabhq/smtp_settings.rb /home/git/gitlab/c if [ -d /home/git/data/config ]; then chown -R git:git /home/git/data/config cd /home/git/data/config - [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab + case "${GITLAB_HTTPS}" in + true) [ -f nginx/gitlab.https ] && cp nginx/gitlab.https /etc/nginx/sites-available/gitlab ;; + *) [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab ;; + esac [ -f gitlab-shell/config.yml ] && sudo -u git -H cp gitlab-shell/config.yml /home/git/gitlab-shell/config.yml [ -f gitlabhq/gitlab.yml ] && sudo -u git -H cp gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml [ -f gitlabhq/resque.yml ] && sudo -u git -H cp gitlabhq/resque.yml /home/git/gitlab/config/resque.yml @@ -141,7 +147,7 @@ if [ -d /home/git/data/config ]; then [ -f gitlabhq/smtp_settings.rb ] && sudo -u git -H cp gitlabhq/smtp_settings.rb /home/git/gitlab/config/initializers/smtp_settings.rb fi -sed 's/{{YOUR_SERVER_FQDN}}/localhost/' -i /etc/nginx/sites-available/gitlab +sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx # start mysql server if ${DB_HOST} is localhost From ca08c72e19cff686d29868b5cefaf8b48f96603c Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 22:51:32 +0530 Subject: [PATCH 05/26] perform http to https redirection with same hostname as the request --- assets/config/nginx/gitlab.https | 4 ++-- assets/init | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/config/nginx/gitlab.https b/assets/config/nginx/gitlab.https index 5c037d6b..41c98ed2 100644 --- a/assets/config/nginx/gitlab.https +++ b/assets/config/nginx/gitlab.https 
@@ -21,9 +21,9 @@ upstream gitlab { server { listen *:80 default_server; - server_name {{YOUR_SERVER_FQDN}}; + server_name _; server_tokens off; - rewrite ^ https://$server_name$request_uri? permanent; + rewrite ^ https://$host$request_uri? permanent; } server { diff --git a/assets/init b/assets/init index 5e251af4..f85052c5 100755 --- a/assets/init +++ b/assets/init @@ -147,7 +147,7 @@ if [ -d /home/git/data/config ]; then [ -f gitlabhq/smtp_settings.rb ] && sudo -u git -H cp gitlabhq/smtp_settings.rb /home/git/gitlab/config/initializers/smtp_settings.rb fi -sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab +sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx # start mysql server if ${DB_HOST} is localhost From bfd99291090f6656f8f0b430abb86a22d5007514 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 22:58:42 +0530 Subject: [PATCH 06/26] redirect to the correct port during a http to https redirection Fixes http to https redirection when the default https port is not used got the GITLAB_PORT For example running the container like so: ```bash docker run -i -t --rm \ -p 4443:443 -p 8080:80 -e "GITLAB_HTTPS=true" -e "GITLAB_PORT=4443" \ sameersbn/gitlab:latest ``` Will make sure you are redirected to https://localhost:4443 when you access the application at http://localhost:8080 --- assets/config/nginx/gitlab.https | 2 +- assets/init | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/assets/config/nginx/gitlab.https b/assets/config/nginx/gitlab.https index 41c98ed2..da95a61c 100644 --- a/assets/config/nginx/gitlab.https +++ b/assets/config/nginx/gitlab.https @@ -23,7 +23,7 @@ server { listen *:80 default_server; server_name _; server_tokens off; - rewrite ^ https://$host$request_uri? permanent; + rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent; } server { diff --git a/assets/init b/assets/init index f85052c5..259a57e8 100755 
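Review bot: With `server_name _;` the :80 block now answers any Host header, and `rewrite ^ https://$host$request_uri? permanent;` copies that header straight into a 301 target, so the redirect destination is whatever the client, or anything in front of it, placed in Host, and a permanent redirect is cacheable. A bounded alternative is to keep the rewrite on `$server_name` and list every accepted hostname in `server_name`, accepting that all of them redirect to the first one. Failing that, the README should state that the http listener redirects to the requested hostname rather than to GITLAB_HOST. The hunk at L8 for the next commit builds on the same `$host` rewrite.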
--- a/assets/init +++ b/assets/init @@ -148,6 +148,7 @@ if [ -d /home/git/data/config ]; then fi sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/' -i /etc/nginx/sites-available/gitlab +sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx # start mysql server if ${DB_HOST} is localhost From e6d66d608c22a7d949246ce9319d8235c9391b28 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sat, 26 Apr 2014 23:02:47 +0530 Subject: [PATCH 07/26] export port 443 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 096d4e7d..7e51c776 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,7 @@ ADD authorized_keys /root/.ssh/ EXPOSE 22 EXPOSE 80 +EXPOSE 443 VOLUME ["/home/git/data"] From 6b3623fb5d5ce8eff3f4bec9cc147388b568d9b3 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 27 Apr 2014 11:10:28 +0530 Subject: [PATCH 08/26] renamed gitlab.https to gitlab.https.strict --- assets/config/nginx/{gitlab.https => gitlab.https.strict} | 0 assets/init | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename assets/config/nginx/{gitlab.https => gitlab.https.strict} (100%) diff --git a/assets/config/nginx/gitlab.https b/assets/config/nginx/gitlab.https.strict similarity index 100% rename from assets/config/nginx/gitlab.https rename to assets/config/nginx/gitlab.https.strict diff --git a/assets/init b/assets/init index 259a57e8..33e280f9 100755 --- a/assets/init +++ b/assets/init @@ -117,7 +117,7 @@ supervisorctl start sshd # copy configuration templates case "${GITLAB_HTTPS}" in - true) cp /app/setup/config/nginx/gitlab.https /etc/nginx/sites-available/gitlab ;; + true) cp /app/setup/config/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; *) cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab ;; esac sudo -u git -H cp -a /app/setup/config/gitlab-shell/config.yml /home/git/gitlab-shell/config.yml 
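Review bot: GITLAB_PORT defaults to empty (`GITLAB_PORT=${GITLAB_PORT:-}` in the hunk at L2), so with the default the added sed turns the template's `https://$host:{{GITLAB_PORT}}$request_uri?` into a redirect with an empty port component (`https://host:/path`), which browsers tolerate but other clients may not. Substituting the default port when the variable is unset keeps the URL well-formed: `sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT:-443}"'/' -i /etc/nginx/sites-available/gitlab`. The value is also dropped into the sed expression unescaped, as GITLAB_HOST is on the line above; a port is unlikely to contain `/` or `&`, but a host value can.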
@@ -134,7 +134,7 @@ if [ -d /home/git/data/config ]; then chown -R git:git /home/git/data/config cd /home/git/data/config case "${GITLAB_HTTPS}" in - true) [ -f nginx/gitlab.https ] && cp nginx/gitlab.https /etc/nginx/sites-available/gitlab ;; + true) [ -f nginx/gitlab.https.strict ] && cp nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; *) [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab ;; esac [ -f gitlab-shell/config.yml ] && sudo -u git -H cp gitlab-shell/config.yml /home/git/gitlab-shell/config.yml From 63135215fc0173b302e1cc04660cd19fa2bbce6f Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 27 Apr 2014 11:56:42 +0530 Subject: [PATCH 09/26] added gitlab.https.permissive nginx template that will be used when you want to allow both http and https access --- assets/config/nginx/gitlab.https.permissive | 131 ++++++++++++++++++++ assets/init | 2 +- 2 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 assets/config/nginx/gitlab.https.permissive diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive new file mode 100644 index 00000000..88ac792f --- /dev/null +++ b/assets/config/nginx/gitlab.https.permissive 
@@ -0,0 +1,131 @@ +# GITLAB +# Maintainer: @randx + +# CHUNKED TRANSFER +# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not +# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) +# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either +# - installing an old version of Nginx with the chunkin module [2] compiled in, or +# - using a newer version of Nginx. +# +# At the time of writing we do not know if either of these theoretical solutions works. As a workaround +# users can use Git over SSH to push large files. +# +# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +# [1] https://github.com/agentzh/chunkin-nginx-module#status +# [2] https://github.com/agentzh/chunkin-nginx-module + +upstream gitlab { + server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; +} + +server { + listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea + server_name {{YOUR_SERVER_FQDN}}; # e.g., server_name source.example.com; + server_tokens off; # don't show the version number, a security best practice + root /home/git/gitlab/public; + + # Increase this if you want to upload large attachments + # Or if you want to accept large git objects over http + client_max_body_size 20m; + + # individual nginx logs for this gitlab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location / { + # serve static files from defined root folder;. 
+ # @gitlab is a named location for the upstream fallback, see below + try_files $uri $uri/index.html $uri.html @gitlab; + } + + # if a file, which is not found in the root folder is requested, + # then the proxy pass the request to the upsteam (gitlab unicorn) + location @gitlab { + # If you use https make sure you disable gzip compression + # to be safe against BREACH attack + # gzip off; + + proxy_read_timeout 300; # Some requests take more than 30 seconds. + proxy_connect_timeout 300; # Some requests take more than 30 seconds. + proxy_redirect off; + + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://gitlab; + } + + # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + location ~ ^/(assets)/ { + root /home/git/gitlab/public; + gzip_static on; # to serve pre-gzipped version + expires max; + add_header Cache-Control public; + } + + error_page 502 /502.html; +} + +server { + listen *:443 default_server ssl; + server_name {{YOUR_SERVER_FQDN}}; + server_tokens off; + root /home/git/gitlab/public; + + ssl on; + ssl_certificate /home/git/data/certs/gitlab.crt; + ssl_certificate_key /home/git/data/certs/gitlab.key; + ssl_protocols SSLv3 TLSv1 TLSv1.2; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; + + ssl_prefer_server_ciphers on; + # ssl_session_cache builtin:1000 shared:SSL:10m; + # ssl_dhparam 
/home/git/data/certs/dhparam.pem; + + # Increase this if you want to upload large attachments + # Or if you want to accept large git objects over http + client_max_body_size 20m; + + # individual nginx logs for this gitlab vhost + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + location / { + # serve static files from defined root folder;. + # @gitlab is a named location for the upstream fallback, see below + try_files $uri $uri/index.html $uri.html @gitlab; + } + + # if a file, which is not found in the root folder is requested, + # then the proxy pass the request to the upsteam (gitlab unicorn) + location @gitlab { + # If you use https make sure you disable gzip compression + # to be safe against BREACH attack + # gzip off; + + proxy_read_timeout 300; # Some requests take more than 30 seconds. + proxy_connect_timeout 300; # Some requests take more than 30 seconds. + proxy_redirect off; + + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://gitlab; + } + + # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + location ~ ^/(assets)/ { + root /home/git/gitlab/public; + gzip_static on; # to serve pre-gzipped version + expires max; + add_header Cache-Control public; + } + + error_page 502 /502.html; +} \ No newline at end of file diff --git a/assets/init b/assets/init index 33e280f9..aa3a7594 100755 --- a/assets/init +++ b/assets/init 
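Review bot: The :80 and :443 server blocks in the new permissive template repeat the `client_max_body_size`, log, `location /`, `location @gitlab` and assets stanzas verbatim, roughly sixty lines that will drift the next time one of them is edited. Moving the shared stanzas into a snippet pulled in with nginx's `include` from both blocks would leave only the listen, server_name and ssl_* lines in each. The protocol and DH-parameter remarks on the strict template (hunk ending at L6) apply to this file's :443 block as well.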
@@ -147,7 +147,7 @@ if [ -d /home/git/data/config ]; then [ -f gitlabhq/smtp_settings.rb ] && sudo -u git -H cp gitlabhq/smtp_settings.rb /home/git/gitlab/config/initializers/smtp_settings.rb fi -sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/' -i /etc/nginx/sites-available/gitlab +sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx From 11729891b9a1592183a470dbc2eb3e7f29189482 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 27 Apr 2014 11:57:32 +0530 Subject: [PATCH 10/26] added GITLAB_HTTPS_ONLY configuration option --- Changelog.md | 1 + README.md | 1 + assets/init | 26 ++++++++++++++++++++++---- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index 29e3f3a7..55fa7807 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- added GITLAB_HTTPS_ONLY configuration option to configure strict https only access - added GITLAB_SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. - fix git over ssh when the default http/https ports are not used. - compile the assets only if it does not exist or if the gitlab version has changed. diff --git a/README.md b/README.md index d9885e60..ee6143ad 100644 --- a/README.md +++ b/README.md 
@@ -461,6 +461,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_BACKUP_EXPIRY**: Configure how long to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). - **GITLAB_SHELL_SSH_PORT**: The ssh port number. Defaults to 22. - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. +- **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true. - **GITLAB_SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. diff --git a/assets/init b/assets/init index aa3a7594..c0d82afd 100755 --- a/assets/init +++ b/assets/init @@ -4,6 +4,7 @@ set -e GITLAB_HOST=${GITLAB_HOST:-localhost} GITLAB_PORT=${GITLAB_PORT:-} GITLAB_HTTPS=${GITLAB_HTTPS:-false} +GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true} GITLAB_SSL_SELF_SIGNED=${GITLAB_SSL_SELF_SIGNED:-false} GITLAB_EMAIL=${GITLAB_EMAIL:-gitlab@localhost} GITLAB_SUPPORT=${GITLAB_SUPPORT:-support@localhost} 
@@ -117,9 +118,15 @@ supervisorctl start sshd # copy configuration templates case "${GITLAB_HTTPS}" in - true) cp /app/setup/config/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; - *) cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab ;; + true) + case "${GITLAB_HTTPS_ONLY}" in + true) cp /app/setup/config/nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; + *) cp /app/setup/config/nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;; + esac + ;; + *) cp /app/setup/config/nginx/gitlab /etc/nginx/sites-available/gitlab ;; esac + sudo -u git -H cp -a /app/setup/config/gitlab-shell/config.yml /home/git/gitlab-shell/config.yml sudo -u git -H cp /app/setup/config/gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml sudo -u git -H cp /app/setup/config/gitlabhq/resque.yml /home/git/gitlab/config/resque.yml @@ -134,9 +141,15 @@ if [ -d /home/git/data/config ]; then chown -R git:git /home/git/data/config cd /home/git/data/config case "${GITLAB_HTTPS}" in - true) [ -f nginx/gitlab.https.strict ] && cp nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; - *) [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab ;; + true) + case "${GITLAB_HTTPS_ONLY}" in + true) [ -f nginx/gitlab.https.strict ] && cp nginx/gitlab.https.strict /etc/nginx/sites-available/gitlab ;; + *) [ -f nginx/gitlab.https.permissive ] && cp nginx/gitlab.https.permissive /etc/nginx/sites-available/gitlab ;; + esac + ;; + *) [ -f nginx/gitlab ] && cp nginx/gitlab /etc/nginx/sites-available/gitlab ;; esac + [ -f gitlab-shell/config.yml ] && sudo -u git -H cp gitlab-shell/config.yml /home/git/gitlab-shell/config.yml [ -f gitlabhq/gitlab.yml ] && sudo -u git -H cp gitlabhq/gitlab.yml /home/git/gitlab/config/gitlab.yml [ -f gitlabhq/resque.yml ] && sudo -u git -H cp gitlabhq/resque.yml /home/git/gitlab/config/resque.yml 
@@ -207,6 +220,11 @@ sudo -u git -H sed 's/{{GITLAB_BACKUP_EXPIRY}}/'"${GITLAB_BACKUP_EXPIRY}"'/' -i sudo -u git -H sed 's/{{GITLAB_SHELL_SSH_PORT}}/'"${GITLAB_SHELL_SSH_PORT}"'/' -i /home/git/gitlab/config/gitlab.yml +if [ "${GITLAB_HTTPS}" == "true" -a "${GITLAB_HTTPS_ONLY}" == "false" ]; then + # hack: allow login over plain http when ssl is enabled. required to work with load balancers. + sudo -u git -H sed 's/secure: Gitlab.config.gitlab.https/secure: false/' -i /home/git/gitlab/config/initializers/session_store.rb +fi + # configure gitlab signup configuration sudo -u git -H sed 's/{{GITLAB_SIGNUP}}/'"${GITLAB_SIGNUP}"'/' -i /home/git/gitlab/config/gitlab.yml sudo -u git -H sed 's/{{GITLAB_SIGNIN}}/'"${GITLAB_SIGNIN}"'/' -i /home/git/gitlab/config/gitlab.yml From 4b1769a162a7c0cfa43b102fd21461fd2450fe84 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 27 Apr 2014 15:17:12 +0530 Subject: [PATCH 11/26] gitlab-shell: use http over localhost to talk to gitlab-ce api whenever possible --- assets/init | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/assets/init b/assets/init index c0d82afd..8119f2ee 100755 --- a/assets/init +++ b/assets/init 
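Review bot: The added sed rewrites `secure: Gitlab.config.gitlab.https` to `secure: false`, which removes the Secure flag from the session cookie for the whole instance, not just behind a load balancer, so in permissive mode the cookie travels in cleartext on every plain-http request. The README entry for GITLAB_HTTPS_ONLY in this commit only says to set it to false with a load balancer; it should spell out that consequence. For a TLS-terminating balancer that forwards `X-Forwarded-Proto`, I believe Rails' `request.ssl?` already honours the header, but both nginx templates set `proxy_set_header X-Forwarded-Proto $scheme`, which overwrites whatever the balancer sent; forwarding the incoming value instead may remove the need for this hack — worth confirming. At minimum replace the one-line comment with `# hack: clears the Secure flag on the session cookie so logins work over plain http; the cookie is then also sent in cleartext.`.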
@@ -267,8 +267,24 @@ sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab-she # hack: make git over ssh work when the default http/https ports are not used. case "${GITLAB_HTTPS}" in - true) sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb ;; - *) sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb ;; + true) + case "${GITLAB_HTTPS_ONLY}" in + true) + # talk to gitlab over https on localhost + # this will make sure the api access works when the default https port is not used. + sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb + ;; + *) + # we are not using https only mode, talk to gitlab over plain http on localhost + # using http when available will keep things fast. + sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb + ;; + esac + ;; + *) + # ssl is not being used, talk to gitlab over plain http + sed -i 's,#{config.gitlab_url}/api/v3/internal,http://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb + ;; esac # configure unicorn workers From 552d4ade038e4f0c03cf6d79b36da8879c5ab660 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Sun, 27 Apr 2014 15:17:47 +0530 Subject: [PATCH 12/26] gitlab-shell: use default gitlab_url talk to gitlab-ce api when signed ssl certificates are used --- assets/init | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/assets/init b/assets/init index 8119f2ee..ada7566e 100755 --- a/assets/init +++ b/assets/init 
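Review bot: The three branches added here run the same `sed` on `gitlab_net.rb` and differ only in the scheme, and each carries `-i` twice (once before and once after the expression), which GNU sed accepts but reads as a leftover. Deciding the scheme in the case and running a single sed afterwards keeps the intent readable, with the explanatory comments staying on the case arms. The nested case is extended again in the hunk at L19, so that restructuring would need to account for the self-signed branch added there.
```shell
# hack: make git over ssh work when the default http/https ports are not used.
case "${GITLAB_HTTPS}:${GITLAB_HTTPS_ONLY}" in
  true:true) gitlab_shell_api_scheme=https ;;  # https on localhost keeps api access working when the default https port is not used
  *)         gitlab_shell_api_scheme=http ;;   # plain http on localhost is available and faster
esac
sed -i 's,#{config.gitlab_url}/api/v3/internal,'"${gitlab_shell_api_scheme}"'://localhost/api/v3/internal,' /home/git/gitlab-shell/lib/gitlab_net.rb
```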
@@ -270,9 +270,18 @@ case "${GITLAB_HTTPS}" in true) case "${GITLAB_HTTPS_ONLY}" in true) - # talk to gitlab over https on localhost - # this will make sure the api access works when the default https port is not used. - sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb + case "${GITLAB_SSL_SELF_SIGNED}" in + true) + # we are using self signed certificates, talk to gitlab over https on localhost + # this will make sure the api access works when the default https port is not used. + sed -i 's,#{config.gitlab_url}/api/v3/internal,https://localhost/api/v3/internal,' -i /home/git/gitlab-shell/lib/gitlab_net.rb + ;; + *) + # signed https certificates are in use, talk to gitlab using the default gitlab_url. + # hence we are not editing anything here, just using the default. + # ps. when using signed ssl certificates, you **MUST** use the default https port. + ;; + esac ;; *) # we are not using https only mode, talk to gitlab over plain http on localhost From e989294db8e41ce5361657149a30052552a723a1 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 28 Apr 2014 09:49:55 +0530 Subject: [PATCH 13/26] renamed config option GITLAB_SSL_SELF_SIGNED to SSL_SELF_SIGNED --- Changelog.md | 2 +- README.md | 2 +- assets/config/gitlab-shell/config.yml | 2 +- assets/init | 7 ++++--- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Changelog.md b/Changelog.md index 55fa7807..fd6a9d6a 100644 --- a/Changelog.md +++ b/Changelog.md 
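Review bot: The new `*)` arm documents that signed certificates require the default https port, but nothing checks it and neither README entry touched in this series mentions the constraint, so a user with a signed certificate and a non-default GITLAB_PORT gets a silently broken gitlab-shell API path. Presumably the reason is that `gitlab_url` then carries a port that is mapped only on the docker host and is unreachable from inside the container — worth stating in the comment instead of the bare "MUST". A guard in that arm makes the constraint visible: `if [ -n "${GITLAB_PORT}" ] && [ "${GITLAB_PORT}" != "443" ]; then` / `echo "WARNING: GITLAB_SSL_SELF_SIGNED=false requires GITLAB_PORT=443 for gitlab-shell to reach the api" >&2; fi`.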
@@ -2,7 +2,7 @@ **latest** - added GITLAB_HTTPS_ONLY configuration option to configure strict https only access -- added GITLAB_SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. +- added SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. - fix git over ssh when the default http/https ports are not used. - compile the assets only if it does not exist or if the gitlab version has changed. - upgrade gitlab-shell to version 1.9.4 diff --git a/README.md b/README.md index ee6143ad..9321a025 100644 --- a/README.md +++ b/README.md @@ -462,7 +462,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_SHELL_SSH_PORT**: The ssh port number. Defaults to 22. - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. - **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true. -- **GITLAB_SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. +- **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2. diff --git a/assets/config/gitlab-shell/config.yml b/assets/config/gitlab-shell/config.yml index dcff994e..c1644175 100644 --- a/assets/config/gitlab-shell/config.yml +++ b/assets/config/gitlab-shell/config.yml @@ -9,7 +9,7 @@ http_settings: # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs - self_signed_cert: {{GITLAB_SSL_SELF_SIGNED}} + self_signed_cert: {{SSL_SELF_SIGNED}} # Repositories path # Give the canonicalized absolute pathname, diff --git a/assets/init b/assets/init index ada7566e..47cbc724 100755 --- a/assets/init 
+++ b/assets/init @@ -5,13 +5,14 @@ GITLAB_HOST=${GITLAB_HOST:-localhost} GITLAB_PORT=${GITLAB_PORT:-} GITLAB_HTTPS=${GITLAB_HTTPS:-false} GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true} -GITLAB_SSL_SELF_SIGNED=${GITLAB_SSL_SELF_SIGNED:-false} GITLAB_EMAIL=${GITLAB_EMAIL:-gitlab@localhost} GITLAB_SUPPORT=${GITLAB_SUPPORT:-support@localhost} GITLAB_SIGNUP=${GITLAB_SIGNUP:-false} GITLAB_SIGNIN=${GITLAB_SIGNIN:-true} GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10} +SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} + GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable} GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-} @@ -261,7 +262,7 @@ sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab/con # configure gitlab-shell sudo -u git -H sed 's,{{GITLAB_URL}},'"${GITLAB_URL}"',' -i /home/git/gitlab-shell/config.yml -sudo -u git -H sed 's/{{GITLAB_SSL_SELF_SIGNED}}/'"${GITLAB_SSL_SELF_SIGNED}"'/' -i /home/git/gitlab-shell/config.yml +sudo -u git -H sed 's/{{SSL_SELF_SIGNED}}/'"${SSL_SELF_SIGNED}"'/' -i /home/git/gitlab-shell/config.yml sudo -u git -H sed 's/{{REDIS_HOST}}/'"${REDIS_HOST}"'/' -i /home/git/gitlab-shell/config.yml sudo -u git -H sed 's/{{REDIS_PORT}}/'"${REDIS_PORT}"'/' -i /home/git/gitlab-shell/config.yml @@ -270,7 +271,7 @@ case "${GITLAB_HTTPS}" in true) case "${GITLAB_HTTPS_ONLY}" in true) - case "${GITLAB_SSL_SELF_SIGNED}" in + case "${SSL_SELF_SIGNED}" in true) # we are using self signed certificates, talk to gitlab over https on localhost # this will make sure the api access works when the default https port is not used. From dfb5dd1d201414f94812ee4483b047a8162b24ee Mon Sep 17 00:00:00 2001 
From: Sameer Naik Date: Mon, 28 Apr 2014 10:46:50 +0530 Subject: [PATCH 14/26] added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate --- Changelog.md | 2 ++ README.md | 2 ++ assets/config/nginx/gitlab.https.permissive | 4 ++-- assets/config/nginx/gitlab.https.strict | 4 ++-- assets/init | 4 ++++ 5 files changed, 12 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index fd6a9d6a..39751631 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,8 @@ # Changelog **latest** +- added SSL_KEY_PATH configuration option to specify path of ssl key. +- added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate - added GITLAB_HTTPS_ONLY configuration option to configure strict https only access - added SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. - fix git over ssh when the default http/https ports are not used. diff --git a/README.md b/README.md index 9321a025..c2b33e92 100644 --- a/README.md +++ b/README.md @@ -463,6 +463,8 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. - **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true. - **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. +- **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt +- **SSL_KEY_PATH**: Location of the ssl key. Defaults to /home/git/data/certs/gitlab.key - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2. 
diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index 88ac792f..a03dead1 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -76,8 +76,8 @@ server { root /home/git/gitlab/public; ssl on; - ssl_certificate /home/git/data/certs/gitlab.crt; - ssl_certificate_key /home/git/data/certs/gitlab.key; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; ssl_protocols SSLv3 TLSv1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index da95a61c..f107dd33 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict 
@@ -33,8 +33,8 @@ server { root /home/git/gitlab/public; ssl on; - ssl_certificate /home/git/data/certs/gitlab.crt; - ssl_certificate_key /home/git/data/certs/gitlab.key; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; ssl_protocols SSLv3 TLSv1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; diff --git a/assets/init b/assets/init index 47cbc724..d2d96be5 100755 --- a/assets/init +++ b/assets/init @@ -12,6 +12,8 @@ GITLAB_SIGNIN=${GITLAB_SIGNIN:-true} GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10} SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} +SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/home/git/data/certs/gitlab.crt} +SSL_KEY_PATH=${SSL_KEY_PATH:-/home/git/data/certs/gitlab.key} GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable} GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-} @@ -163,6 +165,8 @@ fi sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/gitlab sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab +sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab +sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx # start mysql server if ${DB_HOST} is localhost From aa709bb49db9647db82811ea09c4935ad9868ae7 Mon Sep 17 00:00:00 2001 
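Review bot: The two new sed lines splice `${SSL_CERTIFICATE_PATH}` and `${SSL_KEY_PATH}` into the replacement text unescaped with `,` as the delimiter, so a path containing `,`, `&` or `\` is silently mangled in /etc/nginx/sites-available/gitlab and nginx then cannot find the certificate or key. These values come from the operator's environment, so rejecting them up front is enough: `case "${SSL_CERTIFICATE_PATH}${SSL_KEY_PATH}" in *[,\&]*|*\\*) echo "SSL_*_PATH must not contain ',', '&' or '\\'" && exit 1 ;; esac` placed before the nginx substitutions. The same construction is repeated for SSL_DHPARAM_PATH in the init hunk of the following SSL_DHPARAM_PATH commit, which needs the same guard.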
From: Sameer Naik Date: Mon, 28 Apr 2014 10:52:20 +0530 Subject: [PATCH 15/26] configure ssl session cache --- assets/config/nginx/gitlab.https.permissive | 3 ++- assets/config/nginx/gitlab.https.strict | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index a03dead1..b9a6a4ac 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -83,7 +83,8 @@ server { ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; ssl_prefer_server_ciphers on; - # ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_session_cache builtin:1000 shared:SSL:10m; + # ssl_dhparam /home/git/data/certs/dhparam.pem; # Increase this if you want to upload large attachments diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index f107dd33..f8440a8c 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict 
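Review bot: `ssl_session_cache builtin:1000 shared:SSL:10m;` turns on both cache types; nginx's documentation notes that the builtin per-worker cache can cause memory fragmentation and that using only the shared cache is more efficient, so `ssl_session_cache shared:SSL:10m;` is the form to prefer here and in the matching gitlab.https.strict hunk. No `ssl_session_timeout` appears in either hunk, so nginx's default applies unless it is set elsewhere in the server block; stating it next to the cache line (for example `ssl_session_timeout 10m;`) keeps the two tuned together. Since both templates carry byte-identical TLS settings, moving them into one `include`d snippet would let future hardening land once.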
@@ -40,7 +40,8 @@ server { ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; ssl_prefer_server_ciphers on; - # ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_session_cache builtin:1000 shared:SSL:10m; + # ssl_dhparam /home/git/data/certs/dhparam.pem; # Increase this if you want to upload large attachments From 908958940215d0061a0ae4c2c36637edbd54e271 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 28 Apr 2014 10:54:24 +0530 Subject: [PATCH 16/26] README: update reference links --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index c2b33e92..c527e9b0 100644 --- a/README.md +++ b/README.md @@ -611,3 +611,5 @@ For a complete list of available rake tasks please refer https://github.com/gitl * https://github.com/gitlabhq/gitlabhq * https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md * https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md + * http://wiki.nginx.org/HttpSslModule + * https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html From c1f501c0deecbd1a2484b1c4bbcd9dfc068ea234 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 28 Apr 2014 23:17:02 +0530 Subject: [PATCH 17/26] added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file. --- Changelog.md | 1 + README.md | 1 + assets/config/nginx/gitlab.https.permissive | 4 +++- assets/config/nginx/gitlab.https.strict | 4 +++- assets/init | 2 ++ 5 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/Changelog.md b/Changelog.md index 39751631..cd5a7819 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file. - added SSL_KEY_PATH configuration option to specify path of ssl key. - added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate - added GITLAB_HTTPS_ONLY configuration option to configure strict https only access diff --git a/README.md b/README.md index c527e9b0..87132c36 100644 --- a/README.md +++ b/README.md @@ -465,6 +465,7 @@ Below is the complete list of available options that can be used to customize yo - **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt - **SSL_KEY_PATH**: Location of the ssl key. Defaults to /home/git/data/certs/gitlab.key +- **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to /home/git/data/certs/dhparam.pem - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379. - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2. diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index b9a6a4ac..436c7a7d 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -85,7 +85,9 @@ server { ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; - # ssl_dhparam /home/git/data/certs/dhparam.pem; + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_dhparam {{SSL_DHPARAM_PATH}}; # Increase this if you want to upload large attachments # Or if you want to accept large git objects over http 
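Review bot: The hunk labels the block `## Strong SSL Security` and makes `ssl_dhparam {{SSL_DHPARAM_PATH}};` unconditional, yet the same server block (outside this hunk, visible as context in the earlier nginx hunks of this series) still offers `ssl_protocols SSLv3 TLSv1 TLSv1.2;`, so the heading overstates what the template delivers; dropping SSLv3 and adding TLSv1.1 in the same pass would match the intent of the heading. Uncommenting `ssl_dhparam` also makes the dhparam file mandatory: if it is absent nginx refuses to start, whereas before this commit a missing file was harmless. The existence check added later in this series (the "check if required files exist" commit) covers that, but the README entry for SSL_DHPARAM_PATH should say the file is now required, e.g. `Required when GITLAB_HTTPS is true.`. The same edit is made to gitlab.https.strict.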
diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index f8440a8c..9e6155f4 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict @@ -42,7 +42,9 @@ server { ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; - # ssl_dhparam /home/git/data/certs/dhparam.pem; + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_dhparam {{SSL_DHPARAM_PATH}}; # Increase this if you want to upload large attachments # Or if you want to accept large git objects over http diff --git a/assets/init b/assets/init index d2d96be5..92445366 100755 --- a/assets/init +++ b/assets/init @@ -14,6 +14,7 @@ GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10} SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/home/git/data/certs/gitlab.crt} SSL_KEY_PATH=${SSL_KEY_PATH:-/home/git/data/certs/gitlab.key} +SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/home/git/data/certs/dhparam.pem} GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable} GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-} @@ -167,6 +168,7 @@ sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/ sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab +sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab supervisorctl start nginx # start mysql server if ${DB_HOST} is localhost From 4e97f78641a826f1c9863f69c1444d0904101d9c Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 28 Apr 2014 23:42:29 +0530 Subject: [PATCH 18/26] README: document SSL support --- README.md | 109 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) 
diff --git a/README.md b/README.md index 87132c36..0c7ef9ff 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,13 @@ - [External Redis Server](#external-redis-server) - [Linking to Redis Container](#linking-to-redis-container) - [Mail](#mail) + - [SSL](#ssl) + - [Generation of Self Signed Certificates](#generation-of-self-signed certificates) + - [Strengthening the server security](#strengthening-the-server-security) + - [Installation of the Certificates](#installation-of-the-certificates) + - [Enabling HTTPS support](#enabling-https-support) + - [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) + - [Establishing trust with your server](#establishing-trust-with-your-server) - [Putting it all together](#putting-it-all-together) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) 
@@ -424,6 +431,107 @@ docker run --name=gitlab -d \ sameersbn/gitlab:latest ``` +### SSL +Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. + +To secure your application via SSL you basically need two things: +- Private key (.key) +- SSL certificate (.crt) + +When using CA certified certificates, these are files are provided to you by the CA. When you are using self-signed certificates you need to generate these files yourself. Skip the following section if you are armed with CA certified SSL certificates. + +#### Generation of Self Signed Certificates +Generation of self-signed SSL certificates involve a simple 2 step procedure. + +**STEP 1**: Create the server private key +```bash +openssl genrsa -out gitlab.key 204 +``` + +**STEP 2**: Create the certificate signing request (CSR) +```bash +openssl genrsa -des3 -out gitlab.key 2048 +``` + +**STEP 3**: Sign the certificate using the private key and CSR +```bash +openssl x509 -req -days 365 -in gitlab.csr -signkey gitlab.key -out gitlab.crt +``` + +Congratulations! you have now generated an SSL certificate thats valid for 365 days. + +#### Strengthening the server security +This section provide you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. + +```bash +openssl dhparam -out dhparam.pem 2048 +``` + +#### Installation of the SSL Certificates +Out of the four files generated above, we need to install the gitlab.key, gitlab.crt and dhparam.pem files at the gitlab server. 
The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). + +The default path that the gitlab application is configured to look for the SSL certificates is at /home/git/data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options. + +If you remember from above, the /home/git/data path is basically the path of the [data store](#data-store), which basically means that we have to create a folder named certs inside /opt/gitlab/data/ and copy the files there and as a measure of safely we will update the permission on the gitlab.key file to only be readable by the owner of the file. + +```bash +mkdir -p /opt/gitlab/data/certs +cp gitlab.key /opt/gitlab/data/certs/ +cp gitlab.crt /opt/gitlab/data/certs/ +cp dhparam.pem /opt/gitlab/data/certs/ +chmod 400 /opt/gitlab/data/certs/gitlab.key +``` + +Great! we are now just a step away from having out application secured. + +#### Enabling HTTPS support +HTTPS support can be enabled by setting the GITLAB_HTTPS option to true. Additionally, when using self-signed SSL certificates you also need to the set SSL_SELF_SIGNED option to true. Assuming we are using self-signed certificates + +```bash +docker run --name=gitlab -d \ + -e "GITLAB_HTTPS=true" -e "SSL_SELF_SIGNED=true" \ + -v /opt/gitlab/data:/home/git/data \ + sameersbn/gitlab:latest +``` + +In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer. + +#### Using HTTPS with a load balancer +Load balancers like haproxy/hipache talk to backend applications over plain http. As such, the above configuration is not sufficient for the application to work with a load balancer. + +For this to work, you should set the GITLAB_HTTPS_ONLY option to false so that the gitlab application can process both http as well as https requests. 
Additionally you should also configure the load balancer to support https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject. + +Note that when the GITLAB_HTTPS_ONLY is disabled, the application does not perform the automatic http to https redirection and this functionality has to be configured at the load balancer which is also described in the link above. Unfortunately hipache does not come with an option to perform http to https redirection, so the only choice you really have is to switch to using haproxy. + +In summation, the docker command would look something like this: +```bash +docker run --name=gitlab -d \ + -e "GITLAB_HTTPS=true" -e "SSL_SELF_SIGNED=true" \ + -e "GITLAB_HTTPS_ONLY=false" \ + -v /opt/gitlab/data:/home/git/data \ + sameersbn/gitlab:latest +``` + +Again, drop the ```-e "SSL_SELF_SIGNED=true"``` option if you are using CA certified SSL certificates. + +#### Establishing trust with your server +This section deals will self-signed ssl certificated. If you are using CA certified certificates, your done. + +This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they. + +This is simply done by adding the servers certificate into their list of trusted ceritficates. On ubuntu, this is done by appending the contents of the gitlab.key file to the ```/etc/ssl/certs/ca-certificates.crt``` file. + +Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. + +In short, distribute the gitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. 
Failure to do so will result in errors that look like this: + +```bash +git clone https://git.local.host/gitlab-ce.git +fatal: unable to access 'https://git.local.host/gitlab-ce.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none +``` + +There you have it, thats all there is to it. + ### Putting it all together ```bash @@ -614,3 +722,4 @@ For a complete list of available rake tasks please refer https://github.com/gitl * https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md * http://wiki.nginx.org/HttpSslModule * https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + * https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl From e69a39af1e2662989e4f7a7606e34d65f4e178e3 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Mon, 28 Apr 2014 23:57:24 +0530 Subject: [PATCH 19/26] README: fix typos --- README.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 0c7ef9ff..c2c9114d 100644 --- a/README.md +++ b/README.md @@ -438,10 +438,10 @@ To secure your application via SSL you basically need two things: - Private key (.key) - SSL certificate (.crt) -When using CA certified certificates, these are files are provided to you by the CA. When you are using self-signed certificates you need to generate these files yourself. Skip the following section if you are armed with CA certified SSL certificates. +When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are armed with CA certified SSL certificates. #### Generation of Self Signed Certificates -Generation of self-signed SSL certificates involve a simple 2 step procedure. +Generation of self-signed SSL certificates involves a simple 3 step procedure. **STEP 1**: Create the server private key ```bash 
@@ -461,7 +461,7 @@ openssl x509 -req -days 365 -in gitlab.csr -signkey gitlab.key -out gitlab.crt Congratulations! you have now generated an SSL certificate thats valid for 365 days. #### Strengthening the server security -This section provide you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. +This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. ```bash openssl dhparam -out dhparam.pem 2048 @@ -472,7 +472,7 @@ Out of the four files generated above, we need to install the gitlab.key, gitlab The default path that the gitlab application is configured to look for the SSL certificates is at /home/git/data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options. -If you remember from above, the /home/git/data path is basically the path of the [data store](#data-store), which basically means that we have to create a folder named certs inside /opt/gitlab/data/ and copy the files there and as a measure of safely we will update the permission on the gitlab.key file to only be readable by the owner of the file. +If you remember from above, the /home/git/data path is the path of the [data store](#data-store), which means that we have to create a folder named certs inside /opt/gitlab/data/ and copy the files into it and as a measure of security we will update the permission on the gitlab.key file to only be readable by the owner. ```bash mkdir -p /opt/gitlab/data/certs 
@@ -482,10 +482,10 @@ cp dhparam.pem /opt/gitlab/data/certs/ chmod 400 /opt/gitlab/data/certs/gitlab.key ``` -Great! we are now just a step away from having out application secured. +Great! we are now just a step away from having our application secured. #### Enabling HTTPS support -HTTPS support can be enabled by setting the GITLAB_HTTPS option to true. Additionally, when using self-signed SSL certificates you also need to the set SSL_SELF_SIGNED option to true. Assuming we are using self-signed certificates +HTTPS support can be enabled by setting the GITLAB_HTTPS option to true. Additionally, when using self-signed SSL certificates you need to the set SSL_SELF_SIGNED option to true as well. Assuming we are using self-signed certificates ```bash docker run --name=gitlab -d \ 
@@ -515,15 +515,13 @@ docker run --name=gitlab -d \ Again, drop the ```-e "SSL_SELF_SIGNED=true"``` option if you are using CA certified SSL certificates. #### Establishing trust with your server -This section deals will self-signed ssl certificated. If you are using CA certified certificates, your done. +This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done. This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they. -This is simply done by adding the servers certificate into their list of trusted ceritficates. On ubuntu, this is done by appending the contents of the gitlab.key file to the ```/etc/ssl/certs/ca-certificates.crt``` file. +This is simply done by adding the servers certificate into their list of trusted ceritficates. On ubuntu, this is done by appending the contents of the gitlab.crt file to the ```/etc/ssl/certs/ca-certificates.crt``` file. -Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. - -In short, distribute the gitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this: +Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the gitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this: ```bash git clone https://git.local.host/gitlab-ce.git From f5f7e7786adcc923e8bca3e747ea888344e57ab9 Mon Sep 17 00:00:00 2001 
From: Sameer Naik Date: Tue, 29 Apr 2014 00:49:31 +0530 Subject: [PATCH 20/26] ssl: check if required files exist before enabling https support --- assets/init | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/assets/init b/assets/init index 92445366..9b9b87b3 100755 --- a/assets/init +++ b/assets/init @@ -90,6 +90,18 @@ case "${DB_TYPE}" in *) echo "Unsupported database adapter. Available adapters are mysql and postgres." && exit 1 ;; esac +if [ "${GITLAB_HTTPS}" == "true" ]; then + # make sure the required files exist + if [ ! -f "${SSL_CERTIFICATE_PATH}" -o ! -f "${SSL_KEY_PATH}" -o ! -f "${SSL_DHPARAM_PATH}" ]; then + echo "" + echo " WARNING: " + echo " Files required for HTTPS support cannot be found" + echo " Disabling https support." + echo "" + GITLAB_HTTPS="false" + fi +fi + case "${GITLAB_HTTPS}" in true) GITLAB_URL="https://${GITLAB_HOST}${GITLAB_PORT:+:$GITLAB_PORT}/" From b8e8f2f6efcbc5a88c747cef8f45dd69fef6e64d Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Tue, 29 Apr 2014 00:53:06 +0530 Subject: [PATCH 21/26] removed the kickstart wget request the application should already be kickstarted when gitlab:check rake task is executed. --- assets/init | 7 ------- 1 file changed, 7 deletions(-) diff --git a/assets/init b/assets/init index 9b9b87b3..514af3aa 100755 --- a/assets/init +++ b/assets/init @@ -433,13 +433,6 @@ EOF esac crontab -u git /tmp/cron.git && rm -rf /tmp/cron.git - # kickstart the rails application - if [ "${GITLAB_HTTPS}" == "true" ]; then - wget --no-check-certificate "https://${GITLAB_HOST}" -O /dev/null - else - wget "http://${GITLAB_HOST}" -O /dev/null - fi - # watch the access logs tail -F /var/log/nginx/gitlab_access.log } From 1df4ce964f2597829ef6f4581f227e5e8129a665 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Tue, 29 Apr 2014 10:00:30 +0530 Subject: [PATCH 22/26] README: fix link to certificate generation section in TOC --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
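Review bot: The new guard in assets/init fails open: when any of SSL_CERTIFICATE_PATH, SSL_KEY_PATH or SSL_DHPARAM_PATH is missing it prints a warning and silently flips GITLAB_HTTPS to false, so an operator who explicitly asked for HTTPS gets a plaintext GITLAB_URL from the `case` below (and presumably a plain-HTTP listener, though the nginx side is outside this hunk) with credentials and tokens sent in the clear, and a warning in container logs is easy to miss. The unsupported-DB_TYPE branch just above treats a misconfiguration as fatal with `&& exit 1`; this check should do the same, e.g. replace the `GITLAB_HTTPS="false"` line with `echo " ERROR: Files required for HTTPS support cannot be found (check SSL_CERTIFICATE_PATH, SSL_KEY_PATH, SSL_DHPARAM_PATH)" >&2` followed by `exit 1`, which also makes the message name what to fix instead of a generic "cannot be found". As a point of style, `-o` inside a single `[ ]` is marked obsolescent by POSIX and `==` inside `[` is a bash-only spelling; `if [ ! -f "${SSL_CERTIFICATE_PATH}" ] || [ ! -f "${SSL_KEY_PATH}" ] || [ ! -f "${SSL_DHPARAM_PATH}" ]; then` is the portable form. The defaults of the three SSL_*_PATH variables are set outside the hunk, so whether an empty value can reach this test cannot be confirmed from here.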
diff --git a/README.md b/README.md index c2c9114d..e24d3953 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ - [Linking to Redis Container](#linking-to-redis-container) - [Mail](#mail) - [SSL](#ssl) - - [Generation of Self Signed Certificates](#generation-of-self-signed certificates) + - [Generation of Self Signed Certificates](#generation-of-self-signed-certificates) - [Strengthening the server security](#strengthening-the-server-security) - [Installation of the Certificates](#installation-of-the-certificates) - [Enabling HTTPS support](#enabling-https-support) From eacd5c2c4e4b45ceb031bf694ac8dd4e07242587 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Tue, 29 Apr 2014 10:02:08 +0530 Subject: [PATCH 23/26] README: fix command for generation of the private key --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e24d3953..e85d649b 100644 --- a/README.md +++ b/README.md @@ -445,7 +445,7 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure. **STEP 1**: Create the server private key ```bash -openssl genrsa -out gitlab.key 204 +openssl genrsa -out gitlab.key 2048 ``` **STEP 2**: Create the certificate signing request (CSR) From b3015cdd423c8918cf83d828a11d64b5df11d360 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Tue, 29 Apr 2014 10:04:02 +0530 Subject: [PATCH 24/26] README: fix command for creation of the CSR --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e85d649b..352e1605 100644 --- a/README.md +++ b/README.md @@ -450,7 +450,7 @@ openssl genrsa -out gitlab.key 2048 **STEP 2**: Create the certificate signing request (CSR) ```bash -openssl genrsa -des3 -out gitlab.key 2048 +openssl req -new -key gitlab.key -out gitlab.csr ``` **STEP 3**: Sign the certificate using the private key and CSR From c3e4b21af93b4f3ca91f72279c1049e79cdad035 Mon Sep 17 00:00:00 2001 
From: Sameer Naik Date: Tue, 29 Apr 2014 20:48:48 +0530 Subject: [PATCH 25/26] README: added instructions on installing the root certificate at the web browser --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 352e1605..1c15e7a4 100644 --- a/README.md +++ b/README.md @@ -528,6 +528,8 @@ git clone https://git.local.host/gitlab-ce.git fatal: unable to access 'https://git.local.host/gitlab-ce.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none ``` +You can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog. + There you have it, thats all there is to it. ### Putting it all together From 5378fc6819efdfbccd75f53d839c0cd4152847c3 Mon Sep 17 00:00:00 2001 From: Sameer Naik Date: Tue, 29 Apr 2014 20:50:09 +0530 Subject: [PATCH 26/26] Updated changelog --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index cd5a7819..a5de492b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changelog **latest** +- added SSL support - added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file. - added SSL_KEY_PATH configuration option to specify path of ssl key. - added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate