Update nginx config to use strong ssl security

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Author: axilleas

web-server/nginx/gitlab-ssl

@@ -1,22 +1,54 @@
-# GITLAB
-# Contributors: yin8086, sashkab, orkoden, axilleas
-# App Version: 5.4 - 6.0
-
-# Modified from nginx http version
-# Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
-
-# You need to run openssl to generate a self-signed ssl certificate.
-# cd /etc/nginx/
-# sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
-# sudo chmod o-r gitlab.key
-# Also you need to edit gitlab-shell config.
-#  1) Set "gitlab_url" param in gitlab-shell/config.yml to https://git.example.com
-#  2) Set "ca_file" to /etc/nginx/gitlab.crt
-#  3) Set "self_signed_cert" to true
-# You also need to edit gitlab/config/gitlab.yml
-#  1) Define port for http "port: 443"
-#  2) Enable https "https: true"
-#  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+## GitLab
+## Contributors: randx, yin8086, sashkab, orkoden, axilleas
+## App Version: 5.4 - 6.0
+##
+## Modified from nginx http version
+## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+##
+## Lines starting with two hashes (##) are comments containing information
+## for configuration. One hash (#) comments are actual configuration parameters
+## which you can comment/uncomment to your liking.
+##
+###################################
+##        SSL configuration      ##
+###################################
+##
+## Optimal configuration is taken from:
+## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+## Make sure to read it and understand what each option does.
+##
+## [Optional] Generate a self-signed ssl certificate:
+##   cd /etc/nginx/
+##   sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
+##   sudo chmod o-r gitlab.key
+##
+## Edit `gitlab-shell/config.yml`:
+##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
+##  2) Set "ca_file" to `/etc/nginx/gitlab.crt`
+##  3) Set "self_signed_cert" to `true`
+## Edit `gitlab/config/gitlab.yml`:
+##  1) Define port for http "port: 443"
+##  2) Enable https "https: true"
+##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+##
+##################################
+##        CHUNKED TRANSFER      ##
+##################################
+##
+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
+## around this by tweaking this configuration file and either:
+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
+## - using a newer version of Nginx.
+##
+## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+## users can use Git over SSH to push large files.
+##
+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+## [1] https://github.com/agentzh/chunkin-nginx-module#status
+## [2] https://github.com/agentzh/chunkin-nginx-module
+
 
 upstream gitlab {
 
@@ -25,60 +57,98 @@ upstream gitlab {
 
   ## Uncomment if puma/unicorn are configured to listen on a tcp port.
   ## Check the port number in /home/git/gitlab/config/{puma.rb/unicorn.rb}
-  # server 127.0.0.1:9292;
+  # server 127.0.0.1:8080;
 }
 
-# This is a normal HTTP host which redirects all traffic to the HTTPS host.
-# Replace git.example.com with your FQDN.
+## This is a normal HTTP host which redirects all traffic to the HTTPS host.
 server {
-    listen *:80;
-    server_name git.example.com;
-    server_tokens off;
-    root /nowhere; # this doesn't have to be a valid path since we are redirecting, you don't have to change it.
-    rewrite ^ https://$server_name$request_uri permanent;
+  listen *:80;
+  ## Replace git.example.com with your FQDN.
+  server_name git.example.com;
+  server_tokens off;
+  ## this doesn't have to be a valid path since we are redirecting, you don't have to change it.
+  root /nowhere;
+  rewrite ^ https://$server_name$request_uri permanent;
 }
+
 server {
-    listen 443 ssl;
-    server_name git.example.com;
-    server_tokens off;
+  listen 443 ssl;
+  server_name git.example.com; # Replace git.example.com with your FQDN.
+  server_tokens off;
+  root /home/git/gitlab/public;
+
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
+  client_max_body_size 20m;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  ssl on;
+  ssl_certificate /etc/nginx/gitlab.crt;
+  ssl_certificate_key /etc/nginx/gitlab.key;
+
+  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver 8.8.4.4 8.8.8.8 valid=300s;
+  resolver_timeout 10s;
+
+  ssl_prefer_server_ciphers   on;
+  ## [Optional] Generate a stronger DHE parameter (recommended):
+  ##   cd /etc/ssl/certs
+  ##   openssl dhparam -out dhparam.pem 2048
+  ##
+  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+  add_header Strict-Transport-Security max-age=63072000;
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  /var/log/nginx/gitlab_access.log;
+  error_log   /var/log/nginx/gitlab_error.log;
+
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  ## If a file, which is not found in the root folder is requested,
+  ## then the proxy pass the request to the upsteam (gitlab unicorn).
+  location @gitlab {
+
+    ## If you use https make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-Ssl   on;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Proto $scheme;
+
+    proxy_pass http://gitlab;
+  }
+
+  ## Enable gzip compression as per rails guide:
+  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+  location ~ ^/(assets)/ {
     root /home/git/gitlab/public;
+    gzip_static on; # to serve pre-gzipped version
+    expires max;
+    add_header Cache-Control public;
+  }
 
-    # Increase this if you want to upload large attachments
-    # Or if you want to accept large git objects over http
-    client_max_body_size 20m;
-
-    ssl on;
-    ssl_certificate /etc/nginx/gitlab.crt;
-    ssl_certificate_key /etc/nginx/gitlab.key;
-    ssl_protocols  SSLv3 TLSv1 TLSv1.2;
-    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
-    ssl_prefer_server_ciphers   on;
-
-    # individual nginx logs for this gitlab vhost
-    access_log  /var/log/nginx/gitlab_access.log;
-    error_log   /var/log/nginx/gitlab_error.log;
-
-    location / {
-        # serve static files from defined root folder;.
-        # @gitlab is a named location for the upstream fallback, see below
-        try_files $uri $uri/index.html $uri.html @gitlab;
-    }
-
-    # if a file, which is not found in the root folder is requested,
-    # then the proxy pass the request to the upsteam (gitlab unicorn)
-    location @gitlab {
-        proxy_read_timeout    300; # https://github.com/gitlabhq/gitlabhq/issues/694
-        proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
-        proxy_redirect        off;
-
-        proxy_set_header   Host              $http_host;
-        proxy_set_header   X-Real-IP         $remote_addr;
-        proxy_set_header   X-Forwarded-Ssl   on;
-        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header   X-Forwarded-Proto $scheme;
-
-        proxy_pass http://gitlab;
-    }
-    
-    error_page 502 /502.html;
-}
+  error_page 502 /502.html;
+}