Simplify the ssl setup file.
This commit is contained in:
Sytse Sijbrandij
parent
833bc30593
commit
8aff39a6d0
|
|
@ -20,9 +20,9 @@ upstream gitlab {
|
|||
}
|
||||
|
||||
server {
|
||||
listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
|
||||
server_name YOUR_SERVER_FQDN; # e.g., server_name source.example.com;
|
||||
server_tokens off; # don't show the version number, a security best practice
|
||||
listen *:80 default_server;
|
||||
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
root /home/git/gitlab/public;
|
||||
|
||||
# Increase this if you want to upload large attachments
|
||||
|
|
|
|||
|
|
@ -3,33 +3,11 @@
|
|||
##
|
||||
## Modified from nginx http version
|
||||
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
|
||||
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
##
|
||||
## Lines starting with two hashes (##) are comments containing information
|
||||
## for configuration. One hash (#) comments are actual configuration parameters
|
||||
## which you can comment/uncomment to your liking.
|
||||
##
|
||||
###################################
|
||||
## SSL configuration ##
|
||||
###################################
|
||||
##
|
||||
## Optimal configuration is taken from:
|
||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
## Make sure to read it and understand what each option does.
|
||||
##
|
||||
## [Optional] Generate a self-signed ssl certificate:
|
||||
## mkdir /etc/nginx/ssl/
|
||||
## cd /etc/nginx/ssl/
|
||||
## sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
|
||||
## sudo chmod o-r gitlab.key
|
||||
##
|
||||
## Edit `gitlab-shell/config.yml`:
|
||||
## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
|
||||
## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
|
||||
## 3) Set "self_signed_cert" to `true`
|
||||
## Edit `gitlab/config/gitlab.yml`:
|
||||
## 1) Define port for http "port: 443"
|
||||
## 2) Enable https "https: true"
|
||||
## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
|
||||
## Lines starting with two hashes (##) are comments with information.
|
||||
## Lines starting with one hash (#) are configuration parameters.
|
||||
## The last category can be commented/uncommented to your liking.
|
||||
##
|
||||
##################################
|
||||
## CHUNKED TRANSFER ##
|
||||
|
|
@ -48,33 +26,41 @@
|
|||
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
|
||||
## [1] https://github.com/agentzh/chunkin-nginx-module#status
|
||||
## [2] https://github.com/agentzh/chunkin-nginx-module
|
||||
|
||||
##
|
||||
###################################
|
||||
## SSL file editing ##
|
||||
###################################
|
||||
##
|
||||
## Edit `gitlab-shell/config.yml`:
|
||||
## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
|
||||
## 2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
|
||||
## 3) Set "self_signed_cert" to `true`
|
||||
## Edit `gitlab/config/gitlab.yml`:
|
||||
## 1) Define port for http "port: 443"
|
||||
## 2) Enable https "https: true"
|
||||
## 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
|
||||
##
|
||||
###################################
|
||||
## SSL configuration ##
|
||||
###################################
|
||||
##
|
||||
|
||||
upstream gitlab {
|
||||
|
||||
## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
|
||||
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
|
||||
|
||||
## Uncomment if unicorn is configured to listen on a tcp port.
|
||||
## Check the port number in /home/git/gitlab/config/unicorn.rb
|
||||
# server 127.0.0.1:8080;
|
||||
}
|
||||
|
||||
## This is a normal HTTP host which redirects all traffic to the HTTPS host.
|
||||
server {
|
||||
listen *:80;
|
||||
## Replace git.example.com with your FQDN.
|
||||
server_name git.example.com;
|
||||
server_tokens off;
|
||||
## root doesn't have to be a valid path since we are redirecting
|
||||
root /nowhere;
|
||||
listen *:80 default_server;
|
||||
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
|
||||
rewrite ^ https://$server_name$request_uri permanent;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
## Replace git.example.com with your FQDN.
|
||||
server_name git.example.com;
|
||||
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off;
|
||||
root /home/git/gitlab/public;
|
||||
|
||||
|
|
@ -93,22 +79,7 @@ server {
|
|||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||
|
||||
## Enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||
## Replace with your ssl_trusted_certificate. For more info see:
|
||||
## - https://medium.com/devops-programming/4445f4862461
|
||||
## - https://www.ruby-forum.com/topic/4419319
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
||||
resolver 208.67.222.222 208.67.222.220 valid=300s;
|
||||
resolver_timeout 10s;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
## [Optional] Generate a stronger DHE parameter (recommended):
|
||||
## cd /etc/ssl/certs
|
||||
## openssl dhparam -out dhparam.pem 2048
|
||||
##
|
||||
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
|
||||
add_header Strict-Transport-Security max-age=63072000;
|
||||
add_header X-Frame-Options DENY;
|
||||
|
|
|
|||
Loading…
Reference in New Issue