From 83202cdf6af241443592ab9623bd630ee29ca334 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=BA=A6=E5=BD=93=E8=8B=97=E5=84=BF?=
Date: Tue, 16 Feb 2021 16:21:06 +0900
Subject: [PATCH] added `SSL_PROTOCOLS` option to change protocols of the nginx (#2304)

---
 Changelog.md | 7 +++++++
 README.md | 9 +++++++--
 assets/runtime/config/nginx/gitlab-pages-ssl | 4 ++--
 assets/runtime/config/nginx/gitlab-registry | 4 ++--
 assets/runtime/config/nginx/gitlab-ssl | 4 ++--
 assets/runtime/env-defaults | 5 +++++
 assets/runtime/functions | 9 +++++++--
 7 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 4160fdfe..4a4c5ce6 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -3,6 +3,13 @@ This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](
 https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab.
+**13.8.3-1**
+- added `SSL_PROTOCOLS` option to change protocols of the nginx
+- added `SSL_REGISTRY_CIPHERS`
+- added `SSL_REGISTRY_PROTOCOLS`
+- added `SSL_PAGES_CIPHERS`
+- added `SSL_PAGES_PROTOCOLS`
+
 **13.8.3**
 - gitlab: upgrade CE to v13.8.3
 - gitaly: upgrade v13.8.3
diff --git a/README.md b/README.md
index 8b54fe5f..42f87299 100644
--- a/README.md
+++ b/README.md
@@ -935,6 +935,11 @@ Below is the complete list of available options that can be used to customize yo
 | `SSL_PAGES_KEY_PATH` | Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key` |
 | `SSL_PAGES_CERT_PATH` | Location of the ssl certificate for the gitlab pages. Defaults to `/home/git/data/certs/pages.crt` |
 | `SSL_CIPHERS` | List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` |
+| `SSL_PROTOCOLS` | List of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` |
+| `SSL_PAGES_CIPHERS` | List of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS` |
+| `SSL_PAGES_PROTOCOLS` | List of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS` |
+| `SSL_REGISTRY_CIPHERS` | List of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS` |
+| `SSL_REGISTRY_PROTOCOLS` | List of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS` |
 | `NGINX_WORKERS` | The number of nginx workers to start. Defaults to `1`. |
 | `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` | Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`. |
 | `NGINX_HSTS_ENABLED` | Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. |
@@ -1304,8 +1309,8 @@ Usage when using `docker-compose` can also be found there.
 > Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information
 >
 > If you're using `sameersbn/postgresql` then please upgrade to `sameersbn/postgresql:12-20200524` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).
->
-> As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).
+>
+> As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).
 GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.
diff --git a/assets/runtime/config/nginx/gitlab-pages-ssl b/assets/runtime/config/nginx/gitlab-pages-ssl
index dba9f0a2..d18956d3 100644
--- a/assets/runtime/config/nginx/gitlab-pages-ssl
+++ b/assets/runtime/config/nginx/gitlab-pages-ssl
@@ -35,8 +35,8 @@ server {
 ssl_certificate_key {{SSL_PAGES_KEY_PATH}};
 # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "{{SSL_PAGES_CIPHERS}}";
+ ssl_protocols {{SSL_PAGES_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
diff --git a/assets/runtime/config/nginx/gitlab-registry b/assets/runtime/config/nginx/gitlab-registry
index 562b37ef..28043656 100644
--- a/assets/runtime/config/nginx/gitlab-registry
+++ b/assets/runtime/config/nginx/gitlab-registry
@@ -30,8 +30,8 @@ server {
 ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
 ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};
- ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}";
+ ssl_protocols {{SSL_REGISTRY_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_session_timeout 5m;
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 24acfe17..79bd0966 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
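Review bot: The comment `# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs` left above the new `ssl_ciphers "{{SSL_PAGES_CIPHERS}}";` line now sits over a value the operator can override, so it should describe the default rather than the directive; I'd reword it to `# Cipher list comes from SSL_PAGES_CIPHERS (defaults to SSL_CIPHERS, a legacy-compatible list kept for older Java IDEs)`. The new `ssl_protocols {{SSL_PAGES_PROTOCOLS}};` line also deserves a one-line comment saying the placeholder must stay unquoted, because nginx takes `ssl_protocols` as separate words and a single quoted `"TLSv1.2 TLSv1.3"` argument is rejected at config load, whereas the cipher string directly above is correctly quoted — without the comment the asymmetry looks like a mistake waiting to be "fixed". The gitlab-registry hunk below adds the identical pair of lines with no comment at all and would benefit from the same note. Both `server` blocks start and end outside their hunks.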
@@ -60,7 +60,7 @@ server {
 # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
 ssl_ciphers "{{SSL_CIPHERS}}";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols {{SSL_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
@@ -117,7 +117,7 @@ server {
 proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade_gitlab_ssl;
-
+
 proxy_pass http://gitlab-workhorse;
 }
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 4a1c65bb..14b0d414 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
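Review bot: `ssl_protocols {{SSL_PROTOCOLS}};` now takes a default that, per the env-defaults hunk in this patch, adds TLSv1.3 to the previously hard-coded `TLSv1 TLSv1.1 TLSv1.2`, and that has a side effect worth documenting here: with OpenSSL, the TLS 1.3 cipher suites are not selected by the `ssl_ciphers` and `ssl_prefer_server_ciphers on` lines next to it, so the "Java IDEs" comment two lines up only describes TLS 1.2-and-older negotiation. A short comment would prevent the next reader from assuming the cipher list constrains every enabled protocol: `# TLSv1.3 suites (when SSL_PROTOCOLS enables 1.3) are chosen by OpenSSL, not by ssl_ciphers`. Whether TLSv1.3 is actually offered depends on the nginx/OpenSSL build in the image, which I cannot see from here. The second hunk in this file is whitespace only, and the enclosing `server` block starts and ends outside both hunks.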
@@ -214,14 +214,19 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
 SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'}
+SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'}
 SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH}
 SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
 SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH}
 SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
+SSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS}
+SSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS}
 SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
 SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
+SSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS}
+SSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS}
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 6eb19ecf..7b58bf38 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -1176,7 +1176,8 @@ nginx_configure_gitlab_ssl() {
 SSL_DHPARAM_PATH \
 SSL_VERIFY_CLIENT \
 SSL_CA_CERTIFICATES_PATH \
- SSL_CIPHERS
+ SSL_CIPHERS \
+ SSL_PROTOCOLS
 fi
 }
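Review bot: The new default `SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'}` keeps TLS 1.0 and 1.1 enabled out of the box, and the `${...:-$SSL_PROTOCOLS}` fallbacks added here propagate that to the registry and pages endpoints as well; both protocols are deprecated (RFC 8996), and introducing a configurable option is exactly the moment a stricter default becomes cheap, since the legacy value is one environment variable away. I'd change the line to `SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1.2 TLSv1.3'}` and state in the README row that deployments with older clients can set `SSL_PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'` themselves; if the maintainers prefer to preserve the previous behaviour, a comment above the assignment such as `# legacy-compatible default; 'TLSv1.2 TLSv1.3' is recommended unless old clients must be supported` would at least make the choice deliberate. It is also worth confirming that the nginx shipped in the image accepts the `TLSv1.3` token (added in nginx 1.13.0, as far as I recall), because an unknown protocol name fails the config load rather than being ignored.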
@@ -1265,7 +1266,9 @@ nginx_configure_gitlab_registry() {
 GITLAB_REGISTRY_HOST \
 GITLAB_REGISTRY_API_URL \
 SSL_REGISTRY_KEY_PATH \
- SSL_REGISTRY_CERT_PATH
+ SSL_REGISTRY_CERT_PATH \
+ SSL_REGISTRY_CIPHERS \
+ SSL_REGISTRY_PROTOCOLS
 fi
 }
@@ -1283,6 +1286,8 @@ nginx_configure_pages(){
 GITLAB_PAGES_DOMAIN \
 SSL_PAGES_CERT_PATH \
 SSL_PAGES_KEY_PATH \
+ SSL_PAGES_CIPHERS \
+ SSL_PAGES_PROTOCOLS \
 SSL_DHPARAM_PATH \
 GITLAB_LOG_DIR
 else