
Commit 83202cd

added SSL_PROTOCOLS option to change protocols of the nginx (#2304)
1 parent 3088351 commit 83202cd


7 files changed

+32
-10
lines changed


Changelog.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,13 @@
33
This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](
44
https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab.
55

6+
**13.8.3-1**
7+
- added `SSL_PROTOCOLS` option to change protocols of the nginx
8+
- added `SSL_REGISTRY_CIPHERS`
9+
- added `SSL_REGISTRY_PROTOCOLS`
10+
- added `SSL_PAGES_CIPHERS`
11+
- added `SSL_PAGES_PROTOCOLS`
12+
613
**13.8.3**
714
- gitlab: upgrade CE to v13.8.3
815
- gitaly: upgrade v13.8.3
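Review bot: the `SSL_PROTOCOLS` entry should record the behaviour change, not just the new option name. The default introduced in `env-defaults` is `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3`, whereas the nginx templates previously hardcoded `TLSv1 TLSv1.1 TLSv1.2`, so every existing deployment starts offering TLSv1.3 after this upgrade (where the image's OpenSSL supports it). Suggest wording such as `- added SSL_PROTOCOLS option (default now also enables TLSv1.3; set "TLSv1.2 TLSv1.3" to drop the deprecated TLSv1/TLSv1.1)`.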

README.md

Lines changed: 7 additions & 2 deletions
@@ -935,6 +935,11 @@ Below is the complete list of available options that can be used to customize yo
935935
| `SSL_PAGES_KEY_PATH` | Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key` |
936936
| `SSL_PAGES_CERT_PATH` | Location of the ssl certificate for the gitlab pages. Defaults to `/home/git/data/certs/pages.crt` |
937937
| `SSL_CIPHERS` | List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` |
938+
| `SSL_PROTOCOLS` | List of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` |
939+
| `SSL_PAGES_CIPHERS` | List of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS` |
940+
| `SSL_PAGES_PROTOCOLS` | List of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS` |
941+
| `SSL_REGISTRY_CIPHERS` | List of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS` |
942+
| `SSL_REGISTRY_PROTOCOLS` | List of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS` |
938943
| `NGINX_WORKERS` | The number of nginx workers to start. Defaults to `1`. |
939944
| `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` | Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`. |
940945
| `NGINX_HSTS_ENABLED` | Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. |
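Review bot: the `SSL_PROTOCOLS` row documents the permissive default but gives no hardening guidance. The value is passed verbatim to nginx's `ssl_protocols` directive, so the table should say it is a space-separated list of nginx protocol names, that `TLSv1` and `TLSv1.1` are deprecated (RFC 8996) and `TLSv1.2 TLSv1.3` is the recommended value where legacy clients are not a concern, and that `TLSv1.3` only takes effect when nginx is linked against OpenSSL 1.1.1 or newer. Minor: the five new rows copy the `protocols: Defaults to` colon from the `SSL_CIPHERS` row; a period reads better in all of them.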
@@ -1304,8 +1309,8 @@ Usage when using `docker-compose` can also be found there.
13041309
> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information
13051310
>
13061311
> If you're using `sameersbn/postgresql` then please upgrade to `sameersbn/postgresql:12-20200524` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).
1307-
>
1308-
> As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).
1312+
>
1313+
> As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).
13091314
13101315
GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.
13111316
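Review bot: this hunk removes lines 1307-1308 and re-adds text that renders identically at 1312-1313, so it is either a no-op move of the PostgreSQL note or a trailing-whitespace change; neither relates to `SSL_PROTOCOLS`. Drop it from this commit, or mention it in the commit message, so the diff stays reviewable.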

assets/runtime/config/nginx/gitlab-pages-ssl

Lines changed: 2 additions & 2 deletions
@@ -35,8 +35,8 @@ server {
3535
ssl_certificate_key {{SSL_PAGES_KEY_PATH}};
3636

3737
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
38-
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
39-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
38+
ssl_ciphers "{{SSL_PAGES_CIPHERS}}";
39+
ssl_protocols {{SSL_PAGES_PROTOCOLS}};
4040
ssl_prefer_server_ciphers on;
4141
ssl_session_cache shared:SSL:10m;
4242
ssl_session_timeout 5m;
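Review bot: `ssl_ciphers` takes an OpenSSL cipher-list string, which does not govern TLSv1.3 cipher suites; once `{{SSL_PAGES_PROTOCOLS}}` includes `TLSv1.3`, TLS 1.3 handshakes use OpenSSL's default 1.3 suites regardless of `{{SSL_PAGES_CIPHERS}}`. A one-line comment next to the directive would stop operators auditing the cipher string from assuming it covers TLS 1.3. The unquoted substitution of `{{SSL_PAGES_PROTOCOLS}}` is correct for nginx, since `ssl_protocols` takes bare space-separated tokens rather than a quoted string.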

assets/runtime/config/nginx/gitlab-registry

Lines changed: 2 additions & 2 deletions
@@ -30,8 +30,8 @@ server {
3030
ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
3131
ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};
3232

33-
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
34-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
33+
ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}";
34+
ssl_protocols {{SSL_REGISTRY_PROTOCOLS}};
3535
ssl_prefer_server_ciphers on;
3636
ssl_session_cache builtin:1000 shared:SSL:10m;
3737
ssl_session_timeout 5m;
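Review bot: `SSL_REGISTRY_CIPHERS` defaults to `SSL_CIPHERS`, a list that (per the comment in the gitlab-ssl and gitlab-pages-ssl templates) keeps CBC and 3DES suites for Java IDE compatibility. The registry vhost is spoken to by Docker clients, not Java IDEs, so now that the value is configurable the README could recommend a stricter `SSL_REGISTRY_CIPHERS` for it. The switch from single to double quotes around the cipher string matches the other two templates.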

assets/runtime/config/nginx/gitlab-ssl

Lines changed: 2 additions & 2 deletions
@@ -60,7 +60,7 @@ server {
6060

6161
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
6262
ssl_ciphers "{{SSL_CIPHERS}}";
63-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
63+
ssl_protocols {{SSL_PROTOCOLS}};
6464
ssl_prefer_server_ciphers on;
6565
ssl_session_cache shared:SSL:10m;
6666
ssl_session_timeout 5m;
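Review bot: replacing the fixed `TLSv1 TLSv1.1 TLSv1.2` with `{{SSL_PROTOCOLS}}` changes the effective default for every existing deployment, because the new `env-defaults` value also lists `TLSv1.3`. nginx honours `TLSv1.3` only when built against OpenSSL 1.1.1 or newer, so confirm the image's nginx actually supports it (`nginx -V` shows the OpenSSL version it was built with) before documenting it as the default. The `# GitLab needs backwards compatible ciphers` comment on line 61 now describes the default value of `SSL_CIPHERS` rather than the directive itself; consider rewording it to say so.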
@@ -117,7 +117,7 @@ server {
117117
proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
118118
proxy_set_header Upgrade $http_upgrade;
119119
proxy_set_header Connection $connection_upgrade_gitlab_ssl;
120-
120+
121121
proxy_pass http://gitlab-workhorse;
122122
}
123123

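Review bot: whitespace-only change on line 120 (a blank line replaced by a blank line), unrelated to `SSL_PROTOCOLS`; drop it from this commit so the diff contains only the protocol work.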
assets/runtime/env-defaults

Lines changed: 5 additions & 0 deletions
@@ -214,14 +214,19 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}
214214
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}
215215
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
216216
SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'}
217+
SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'}
217218

218219
SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH}
219220
SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
220221
SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH}
221222
SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
223+
SSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS}
224+
SSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS}
222225

223226
SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
224227
SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
228+
SSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS}
229+
SSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS}
225230

226231
SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
227232
SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
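Review bot: the shell here is correct (the single quotes inside `${SSL_PROTOCOLS:-'...'}` are stripped on expansion, and assignment does not word-split `$SSL_CIPHERS` or `$SSL_PROTOCOLS`), but `SSL_PROTOCOLS` is the first `SSL_*` default whose value contains spaces, so any code that later expands these variables unquoted as command arguments needs checking. Also, `:-` means an operator who sets `SSL_PROTOCOLS=` to an empty string silently gets the full `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` default rather than an error; the README should state that the variable must be non-empty and suggest `TLSv1.2 TLSv1.3` as the hardened choice. The same applies to the `SSL_REGISTRY_*` and `SSL_PAGES_*` fallbacks added below it.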

assets/runtime/functions

Lines changed: 7 additions & 2 deletions
@@ -1176,7 +1176,8 @@ nginx_configure_gitlab_ssl() {
11761176
SSL_DHPARAM_PATH \
11771177
SSL_VERIFY_CLIENT \
11781178
SSL_CA_CERTIFICATES_PATH \
1179-
SSL_CIPHERS
1179+
SSL_CIPHERS \
1180+
SSL_PROTOCOLS
11801181
fi
11811182
}
11821183

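Review bot: `SSL_PROTOCOLS` is appended to the variable list handed to the template substitution helper, whose implementation is not in this diff; unlike `SSL_CIPHERS` its value contains spaces, so verify that the helper expands each variable as a single quoted argument rather than relying on word splitting, otherwise only part of the list could reach the rendered `ssl_protocols` line. The trailing backslash moved from `SSL_CIPHERS` to the new last entry correctly.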
@@ -1265,7 +1266,9 @@ nginx_configure_gitlab_registry() {
12651266
GITLAB_REGISTRY_HOST \
12661267
GITLAB_REGISTRY_API_URL \
12671268
SSL_REGISTRY_KEY_PATH \
1268-
SSL_REGISTRY_CERT_PATH
1269+
SSL_REGISTRY_CERT_PATH \
1270+
SSL_REGISTRY_CIPHERS \
1271+
SSL_REGISTRY_PROTOCOLS
12691272
fi
12701273
}
12711274

@@ -1283,6 +1286,8 @@ nginx_configure_pages(){
12831286
GITLAB_PAGES_DOMAIN \
12841287
SSL_PAGES_CERT_PATH \
12851288
SSL_PAGES_KEY_PATH \
1289+
SSL_PAGES_CIPHERS \
1290+
SSL_PAGES_PROTOCOLS \
12861291
SSL_DHPARAM_PATH \
12871292
GITLAB_LOG_DIR
12881293
else
