diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index 24d0c07d..76157708 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -1,26 +1,66 @@ -# GITLAB -# Maintainer: @randx - -# CHUNKED TRANSFER -# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not -# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) -# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either -# - installing an old version of Nginx with the chunkin module [2] compiled in, or -# - using a newer version of Nginx. -# -# At the time of writing we do not know if either of these theoretical solutions works. As a workaround -# users can use Git over SSH to push large files. -# -# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -# [1] https://github.com/agentzh/chunkin-nginx-module#status -# [2] https://github.com/agentzh/chunkin-nginx-module +## GitLab +## Contributors: randx, yin8086, sashkab, orkoden, axilleas +## +## Modified from nginx http version +## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ +## +## Lines starting with two hashes (##) are comments containing information +## for configuration. One hash (#) comments are actual configuration parameters +## which you can comment/uncomment to your liking. +## +################################### +## SSL configuration ## +################################### +## +## Optimal configuration is taken from: +## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html +## Make sure to read it and understand what each option does. +## +## [Optional] Generate a self-signed ssl certificate: +## mkdir /etc/nginx/ssl/ +## cd /etc/nginx/ssl/ +## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key +## sudo chmod o-r gitlab.key +## +## Edit `gitlab-shell/config.yml`: +## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` +## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` +## 3) Set "self_signed_cert" to `true` +## Edit `gitlab/config/gitlab.yml`: +## 1) Define port for http "port: 443" +## 2) Enable https "https: true" +## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" +## +################################## +## CHUNKED TRANSFER ## +################################## +## +## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] +## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object +## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get +## around this by tweaking this configuration file and either: +## - installing an old version of Nginx with the chunkin module [2] compiled in, or +## - using a newer version of Nginx. +## +## At the time of writing we do not know if either of these theoretical solutions works. As a workaround +## users can use Git over SSH to push large files. +## +## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +## [1] https://github.com/agentzh/chunkin-nginx-module#status +## [2] https://github.com/agentzh/chunkin-nginx-module upstream gitlab { + + ## Uncomment if you have set up unicorn to listen on a unix socket (recommended). server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; + + ## Uncomment if unicorn is configured to listen on a tcp port. + ## Check the port number in /home/git/gitlab/config/unicorn.rb + # server 127.0.0.1:8080; } server { - listen *:80; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea + listen 80; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea server_name {{YOUR_SERVER_FQDN}}; # e.g., server_name source.example.com; server_tokens off; # don't show the version number, a security best practice root /dev/null; @@ -72,59 +112,87 @@ server { server { listen 443 ssl; + ## Replace git.example.com with your FQDN. server_name {{YOUR_SERVER_FQDN}}; server_tokens off; root /dev/null; - ssl on; - ssl_certificate {{SSL_CERTIFICATE_PATH}}; - ssl_certificate_key {{SSL_KEY_PATH}}; - ssl_protocols SSLv3 TLSv1 TLSv1.2; - - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; - - ssl_prefer_server_ciphers on; - ssl_session_cache builtin:1000 shared:SSL:10m; + ## Increase this if you want to upload large attachments + ## Or if you want to accept large git objects over http + client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl on; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache builtin:1000 shared:SSL:10m; + + ## Enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; + # resolver_timeout 10s; + + ssl_prefer_server_ciphers on; + ## [Optional] Generate a stronger DHE parameter (recommended): + ## cd /etc/ssl/certs + ## openssl dhparam -out dhparam.pem 2048 + ## ssl_dhparam {{SSL_DHPARAM_PATH}}; - # Increase this if you want to upload large attachments - # Or if you want to accept large git objects over http - client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; + add_header Strict-Transport-Security max-age=63072000; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; - # individual nginx logs for this gitlab vhost + ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; location {{GITLAB_RELATIVE_URL_ROOT}}/ { root /home/git/gitlab/public; - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below + ## Serve static files from defined root folder. + ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @gitlab; } - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) + ## If a file, which is not found in the root folder is requested, + ## then the proxy pass the request to the upsteam (gitlab unicorn). location @gitlab { - # If you use https make sure you disable gzip compression - # to be safe against BREACH attack + + ## If you use https make sure you disable gzip compression + ## to be safe against BREACH attack. gzip off; - proxy_read_timeout 300; # Some requests take more than 30 seconds. - proxy_connect_timeout 300; # Some requests take more than 30 seconds. - proxy_redirect off; + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } - # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## Enable gzip compression as per rails guide: + ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## WARNING: If you are using relative urls do remove the block below + ## See config/application.rb under "Relative url support" for the list of + ## other files that need to be changed for relative url support location ~ ^{{GITLAB_RELATIVE_URL_ROOT}}/assets/(.*) { alias /home/git/gitlab/public/assets/$1; gzip_static on; # to serve pre-gzipped version diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index 0f8324a7..6adb4d81 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict @@ -1,86 +1,159 @@ -# GITLAB -# Maintainer: @randx +## GitLab +## Contributors: randx, yin8086, sashkab, orkoden, axilleas +## +## Modified from nginx http version +## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ +## +## Lines starting with two hashes (##) are comments containing information +## for configuration. One hash (#) comments are actual configuration parameters +## which you can comment/uncomment to your liking. +## +################################### +## SSL configuration ## +################################### +## +## Optimal configuration is taken from: +## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html +## Make sure to read it and understand what each option does. +## +## [Optional] Generate a self-signed ssl certificate: +## mkdir /etc/nginx/ssl/ +## cd /etc/nginx/ssl/ +## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key +## sudo chmod o-r gitlab.key +## +## Edit `gitlab-shell/config.yml`: +## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com` +## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt` +## 3) Set "self_signed_cert" to `true` +## Edit `gitlab/config/gitlab.yml`: +## 1) Define port for http "port: 443" +## 2) Enable https "https: true" +## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" +## +################################## +## CHUNKED TRANSFER ## +################################## +## +## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] +## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object +## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get +## around this by tweaking this configuration file and either: +## - installing an old version of Nginx with the chunkin module [2] compiled in, or +## - using a newer version of Nginx. +## +## At the time of writing we do not know if either of these theoretical solutions works. As a workaround +## users can use Git over SSH to push large files. +## +## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +## [1] https://github.com/agentzh/chunkin-nginx-module#status +## [2] https://github.com/agentzh/chunkin-nginx-module -# CHUNKED TRANSFER -# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not -# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) -# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either -# - installing an old version of Nginx with the chunkin module [2] compiled in, or -# - using a newer version of Nginx. -# -# At the time of writing we do not know if either of these theoretical solutions works. As a workaround -# users can use Git over SSH to push large files. -# -# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -# [1] https://github.com/agentzh/chunkin-nginx-module#status -# [2] https://github.com/agentzh/chunkin-nginx-module upstream gitlab { + + ## Uncomment if you have set up unicorn to listen on a unix socket (recommended). server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; + + ## Uncomment if unicorn is configured to listen on a tcp port. + ## Check the port number in /home/git/gitlab/config/unicorn.rb + # server 127.0.0.1:8080; } +## This is a normal HTTP host which redirects all traffic to the HTTPS host. server { listen *:80; + ## Replace git.example.com with your FQDN. server_name _; server_tokens off; + ## root doesn't have to be a valid path since we are redirecting + root /nowhere; rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent; } server { listen 443 ssl; + ## Replace git.example.com with your FQDN. server_name {{YOUR_SERVER_FQDN}}; server_tokens off; root /dev/null; - ssl on; - ssl_certificate {{SSL_CERTIFICATE_PATH}}; - ssl_certificate_key {{SSL_KEY_PATH}}; - ssl_protocols SSLv3 TLSv1 TLSv1.2; - - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; - - ssl_prefer_server_ciphers on; - ssl_session_cache builtin:1000 shared:SSL:10m; + ## Increase this if you want to upload large attachments + ## Or if you want to accept large git objects over http + client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl on; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache builtin:1000 shared:SSL:10m; + + ## Enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; + # resolver_timeout 10s; + + ssl_prefer_server_ciphers on; + ## [Optional] Generate a stronger DHE parameter (recommended): + ## cd /etc/ssl/certs + ## openssl dhparam -out dhparam.pem 2048 + ## ssl_dhparam {{SSL_DHPARAM_PATH}}; - # Increase this if you want to upload large attachments - # Or if you want to accept large git objects over http - client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}}; + add_header Strict-Transport-Security max-age=63072000; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; - # individual nginx logs for this gitlab vhost + ## Individual nginx logs for this GitLab vhost access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; location {{GITLAB_RELATIVE_URL_ROOT}}/ { root /home/git/gitlab/public; - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below + ## Serve static files from defined root folder. + ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @gitlab; } - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) + ## If a file, which is not found in the root folder is requested, + ## then the proxy pass the request to the upsteam (gitlab unicorn). location @gitlab { - # If you use https make sure you disable gzip compression - # to be safe against BREACH attack + + ## If you use https make sure you disable gzip compression + ## to be safe against BREACH attack. gzip off; - proxy_read_timeout 300; # Some requests take more than 30 seconds. - proxy_connect_timeout 300; # Some requests take more than 30 seconds. - proxy_redirect off; + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } - # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## Enable gzip compression as per rails guide: + ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## WARNING: If you are using relative urls do remove the block below + ## See config/application.rb under "Relative url support" for the list of + ## other files that need to be changed for relative url support location ~ ^{{GITLAB_RELATIVE_URL_ROOT}}/assets/(.*) { alias /home/git/gitlab/public/assets/$1; gzip_static on; # to serve pre-gzipped version