added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file.

Sameer Naik 2014-04-28 23:17:02 +05:30
parent 9089589402
commit c1f501c0de
5 changed files with 10 additions and 2 deletions

@ -1,6 +1,7 @@
# Changelog
**latest**
- added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file.
- added SSL_KEY_PATH configuration option to specify path of ssl key.
- added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate
- added GITLAB_HTTPS_ONLY configuration option to configure strict https only access

@ -465,6 +465,7 @@ Below is the complete list of available options that can be used to customize yo
- **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default.
- **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt
- **SSL_KEY_PATH**: Location of the ssl key. Defaults to /home/git/data/certs/gitlab.key
- **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to /home/git/data/certs/dhparam.pem
- **REDIS_HOST**: The hostname of the redis server. Defaults to localhost
- **REDIS_PORT**: The connection port of the redis server. Defaults to 6379.
- **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2.
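Review bot: The new **SSL_DHPARAM_PATH** entry says where the file is read from but not how to create it or that it has to exist. Since the default sits next to the certificate and key in /home/git/data/certs, add a sentence to the SSL documentation telling users to generate the file, for example with `openssl dhparam -out dhparam.pem 2048`, and to place it there before starting GitLab.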

@ -85,7 +85,9 @@ server {
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
# ssl_dhparam /home/git/data/certs/dhparam.pem;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_dhparam {{SSL_DHPARAM_PATH}};
# Increase this if you want to upload large attachments
# Or if you want to accept large git objects over http
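Review bot: `ssl_dhparam {{SSL_DHPARAM_PATH}};` is now active unconditionally, where the line it replaces was commented out. nginx fails to load its configuration when the file named by ssl_dhparam cannot be read, so an existing setup that supplies only the certificate and key will stop serving after this change. Either keep the directive optional (have the init script drop the line when the file is absent) or have the init script exit with a clear message before nginx is started.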

@ -42,7 +42,9 @@ server {
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
# ssl_dhparam /home/git/data/certs/dhparam.pem;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_dhparam {{SSL_DHPARAM_PATH}};
# Increase this if you want to upload large attachments
# Or if you want to accept large git objects over http
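Review bot: The `## Strong SSL Security` heading is inserted after `ssl_prefer_server_ciphers` and `ssl_session_cache`, so it reads as if only `ssl_dhparam` belongs under it. Move the heading and link above the whole group of ssl_* directives, or reword it to describe the DH parameter file specifically, and keep the wording identical in both nginx templates.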

@ -14,6 +14,7 @@ GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10}
SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/home/git/data/certs/gitlab.crt}
SSL_KEY_PATH=${SSL_KEY_PATH:-/home/git/data/certs/gitlab.key}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/home/git/data/certs/dhparam.pem}
GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable}
GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-}
@ -167,6 +168,7 @@ sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/
sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab
sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab
supervisorctl start nginx
# start mysql server if ${DB_HOST} is localhost
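Review bot: The `sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"','` line interpolates the user-supplied path straight into the replacement text, so a value containing `,`, `&` or a backslash produces a broken or altered substitution. The two sed lines above it have the same weakness; escaping the value once in a small helper and using it for all three paths would fix them together.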