
Commit d08c81f

committed
Merge pull request #117 from yakara-ltd/ssl-attributes
Configure the SSL protocols and ciphers via attributes
2 parents e54ec1a + a2d2a4d commit d08c81f

3 files changed

+8
-3
lines changed


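--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -107,6 +107,10 @@
 default['gitlab']['ssl_certificate'] = "/etc/nginx/ssl/certs/#{node['fqdn']}.pem"
 default['gitlab']['ssl_certificate_key'] = "/etc/nginx/ssl/private/#{node['fqdn']}.key"
 
+# Backwards compatible ciphers needed for Java IDEs
+default['gitlab']['ssl_ciphers'] = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
+default['gitlab']['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
+
 default['gitlab']['backup_path'] = node['gitlab']['app_home'] + '/backups'
 default['gitlab']['backup_keep_time'] = 604_800
 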
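Review bot: The new `ssl_protocols` default on line 112 still enables TLSv1 and TLSv1.1, and the `ssl_ciphers` default on line 111 keeps the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`); the comment on line 110 explains why they are present but not that a hardened override is the expected posture when legacy Java IDEs are not in play. Suggest widening the comment to `# Backwards compatible ciphers/protocols kept for older Java IDEs; override ssl_protocols to 'TLSv1.2' and drop the DES-CBC3 suites where such clients are not needed`. As far as the hunk shows, the values reproduce what the nginx template previously hard-coded, so this is a documentation point rather than a regression introduced here.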
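--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -478,6 +478,8 @@ class unix_stream_socket connectto;
 https_boolean: node['gitlab']['https'],
 ssl_certificate: node['gitlab']['ssl_certificate'],
 ssl_certificate_key: node['gitlab']['ssl_certificate_key'],
+ssl_ciphers: node['gitlab']['ssl_ciphers'],
+ssl_protocols: node['gitlab']['ssl_protocols'],
 listen: "#{node['gitlab']['listen_ip']}:#{listen_port}"
 )
 end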
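--- a/templates/default/nginx.gitlab.erb
+++ b/templates/default/nginx.gitlab.erb
@@ -83,9 +83,8 @@ server {
 ssl_certificate <%= @ssl_certificate %>;
 ssl_certificate_key <%= @ssl_certificate_key %>;
 
-# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers <%= @ssl_ciphers %>;
+ssl_protocols <%= @ssl_protocols %>;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;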
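Review bot: The rewritten `ssl_ciphers` line (new line 86) drops the double quotes the removed line 87 had around the cipher string, so the attribute value is now emitted as a bare nginx token; the default works unquoted, but an operator-supplied value containing characters the nginx parser may treat specially (whitespace, `#`) would break the config, and a nil or empty attribute renders `ssl_ciphers ;`, which fails the config test. Keeping the quoting, `ssl_ciphers "<%= @ssl_ciphers %>";`, preserves parity with the old template at no cost. `ssl_protocols` should stay unquoted, since nginx expects space-separated protocol tokens there and the default `'TLSv1 TLSv1.1 TLSv1.2'` relies on that. The enclosing `server { }` block starts and ends outside the hunk.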