Authentication tokens are allowed to be part of URI and therefore they are printed
in the access log. This can be a security concern especially when system and
application logs are being send to an external logging system (syslog, wazuh,
splunk, etc.).
Before this commit running "nginx -c -f /etc/nginx/nginx.conf" warned:
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/gitlab:60
http://bettercrypto.org/ suggests to restrict `ssl_ciphers`.
GitLab allows weaker SSL ciphers due to some Java IDEs.
This commit make SSL ciphers configurable via the environment variable
`SSL_CIPHERS`.
Example in docker-compose.yml:
version: '2'
...
services:
...
gitlab:
...
environment:
- SSL_CIPHERS=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
GitLab 8.4.0 requires a working database connection while executing the
`assets:precompile` raketask. As a result the execution of the rake task
is postponed to execute at runtime with the assets cached in the data
volume. This adds a noticable increase in the container startup time.
When relative_url is in used, the links to assets in the
`application.css` file to not have the relative_url prefix. To fix this
we proxy pass asset requests to the upstream gitlab unicorn.
Fixes#521
