
Commit 18f6b64

committed
Minor fixes
- Keep self-signed certificates in their own directory - Add comments on OCSP stapling
1 parent 7cf0fa2 commit 18f6b64


1 file changed

+16
-8
lines changed


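--- a/web-server/nginx/gitlab-ssl
+++ b/web-server/nginx/gitlab-ssl
@@ -18,9 +18,10 @@
 ## Make sure to read it and understand what each option does.
 ##
 ## [Optional] Generate a self-signed ssl certificate:
-## cd /etc/nginx/
-## sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
-## sudo chmod o-r gitlab.key
+## mkdir /etc/nginx/ssl/
+## cd /etc/nginx/ssl/
+## sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
+## sudo chmod o-r gitlab.key
 ##
 ## Edit `gitlab-shell/config.yml`:
 ## 1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
@@ -66,14 +67,16 @@ server {
 ## Replace git.example.com with your FQDN.
 server_name git.example.com;
 server_tokens off;
-## this doesn't have to be a valid path since we are redirecting, you don't have to change it.
+## This doesn't have to be a valid path since we are redirecting,
+## you don't have to change it.
 root /nowhere;
 rewrite ^ https://$server_name$request_uri permanent;
 }
 
 server {
 listen 443 ssl;
-server_name git.example.com; # Replace git.example.com with your FQDN.
+## Replace git.example.com with your FQDN.
+server_name git.example.com;
 server_tokens off;
 root /home/git/gitlab/public;
 
@@ -84,17 +87,22 @@ server {
 ## Strong SSL Security
 ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ssl on;
-ssl_certificate /etc/nginx/gitlab.crt;
-ssl_certificate_key /etc/nginx/gitlab.key;
+ssl_certificate /etc/nginx/ssl/gitlab.crt;
+ssl_certificate_key /etc/nginx/ssl/gitlab.key;
 
 ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 
+## Enable OCSP stapling to reduce the overhead and latency of running SSL.
+## Replace with your ssl_trusted_certificate. For more info see:
+## - https://medium.com/devops-programming/4445f4862461
+## - https://www.ruby-forum.com/topic/4419319
 ssl_stapling on;
 ssl_stapling_verify on;
-resolver 8.8.4.4 8.8.8.8 valid=300s;
+ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+resolver 208.67.222.222 208.67.222.220 valid=300s;
 resolver_timeout 10s;
 
 ssl_prefer_server_ciphers on;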
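Review bot: `ssl_stapling_verify on` together with the new `ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt` only works if that file holds the issuer chain (intermediate and root CA) of the certificate named in `ssl_certificate`, and the new comment above it ("Replace with your ssl_trusted_certificate") does not say what the file must contain; it should read `## ssl_trusted_certificate must hold the intermediate and root CA certificates that issued gitlab.crt, so nginx can verify the stapled OCSP response.` The self-signed certificate produced by the recipe at the top of this file has no OCSP responder, so with it these stapling directives cannot take effect, which the comment could state so readers do not expect stapling from that setup. In that same header recipe the new `## mkdir /etc/nginx/ssl/` lacks `sudo` while the neighbouring `openssl` and `chmod` lines carry it, so the documented steps fail as written for a non-root user. The `resolver` line still relies on external public resolvers over plain DNS for the OCSP responder lookups; a local resolver would keep those lookups on the host, though that is a deployment choice rather than a defect.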
