diff --git a/Changelog.md b/Changelog.md
index 39751631..cd5a7819 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 # Changelog
 
 **latest**
+- added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file.
 - added SSL_KEY_PATH configuration option to specify path of ssl key.
 - added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate
 - added GITLAB_HTTPS_ONLY configuration option to configure strict https only access
diff --git a/README.md b/README.md
index c527e9b0..87132c36 100644
--- a/README.md
+++ b/README.md
@@ -465,6 +465,7 @@ Below is the complete list of available options that can be used to customize yo
 - **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt
 - **SSL_KEY_PATH**: Location of the ssl key. Defaults to /home/git/data/certs/gitlab.key
+- **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to /home/git/data/certs/dhparam.pem
 - **REDIS_HOST**: The hostname of the redis server. Defaults to localhost
 - **REDIS_PORT**: The connection port of the redis server. Defaults to 6379.
 - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to 2.
diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive
index b9a6a4ac..436c7a7d 100644
--- a/assets/config/nginx/gitlab.https.permissive
+++ b/assets/config/nginx/gitlab.https.permissive
@@ -85,7 +85,9 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 
- # ssl_dhparam /home/git/data/certs/dhparam.pem;
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_dhparam {{SSL_DHPARAM_PATH}};
 
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
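Review bot: `ssl_dhparam {{SSL_DHPARAM_PATH}};` turns a commented-out directive into a mandatory one, so nginx will fail its configuration load when the file at SSL_DHPARAM_PATH cannot be read, and nothing in this diff provisions or checks that file. The two added comment lines only cite an external tutorial; they should state the operational requirement instead, e.g. `## Diffie-Hellman parameters for DHE cipher suites; the file must be provisioned at SSL_DHPARAM_PATH before start-up, nginx does not start without it.` The same hunk, with the same comment, appears in assets/config/nginx/gitlab.https.strict. The enclosing server block starts and ends outside the hunk.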
diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict
index f8440a8c..9e6155f4 100644
--- a/assets/config/nginx/gitlab.https.strict
+++ b/assets/config/nginx/gitlab.https.strict
@@ -42,7 +42,9 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 
- # ssl_dhparam /home/git/data/certs/dhparam.pem;
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl_dhparam {{SSL_DHPARAM_PATH}};
 
 # Increase this if you want to upload large attachments
 # Or if you want to accept large git objects over http
diff --git a/assets/init b/assets/init
index d2d96be5..92445366 100755
--- a/assets/init
+++ b/assets/init
@@ -14,6 +14,7 @@ GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-10}
 SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}
 SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/home/git/data/certs/gitlab.crt}
 SSL_KEY_PATH=${SSL_KEY_PATH:-/home/git/data/certs/gitlab.key}
+SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/home/git/data/certs/dhparam.pem}
 
 GITLAB_BACKUPS=${GITLAB_BACKUPS:-disable}
 GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-}
@@ -167,6 +168,7 @@ sed 's/{{YOUR_SERVER_FQDN}}/'"${GITLAB_HOST}"'/g' -i /etc/nginx/sites-available/
 sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab
 sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab
 sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab
+sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab
 supervisorctl start nginx
 
 # start mysql server if ${DB_HOST} is localhost
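Review bot: In the `@@ -167,6 +168,7 @@` hunk the SSL_DHPARAM_PATH value is substituted into the nginx site without checking that the file exists, so a container started without a generated dhparam.pem reaches `supervisorctl start nginx` with a config nginx cannot load, and the only explanation ends up in the nginx error log. A guard before the new sed line makes the failure explicit at the point of configuration: `[ -f "${SSL_DHPARAM_PATH}" ] || { echo "SSL_DHPARAM_PATH: ${SSL_DHPARAM_PATH} not found" >&2; exit 1; }`. Whether the certificate and key paths already get a similar check elsewhere in the script is not visible here. As with the neighbouring sed lines, the substitution silently breaks if the configured path contains a comma or an ampersand, which is worth a comment if it is left as is.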