diff options
| author | Marin Jankovski <maxlazio@gmail.com> | 2014-11-10 10:20:44 +0100 |
|---|---|---|
| committer | Marin Jankovski <maxlazio@gmail.com> | 2014-11-10 10:20:44 +0100 |
| commit | 70f30abd8413167cd77dbc7cd5dd7a138fc5ee92 (patch) | |
| tree | 0b0a1cbddcaf55f3e27952ca7816bb29ebdecad5 /lib/support/nginx/gitlab-ssl | |
| parent | 6641341b65d925a335e50f17a62a8a599ef54293 (diff) | |
| parent | 271a3520794d0d977ba3907963871da59cee554f (diff) | |
| download | gitlab-ce-70f30abd8413167cd77dbc7cd5dd7a138fc5ee92.tar.gz | |
Merge pull request #8273 from bbodenmiller/nginx-updates
Nginx updates
Diffstat (limited to 'lib/support/nginx/gitlab-ssl')
| -rw-r--r-- | lib/support/nginx/gitlab-ssl | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl index e992ebaf656..4e53d5e8b50 100644 --- a/lib/support/nginx/gitlab-ssl +++ b/lib/support/nginx/gitlab-ssl @@ -1,5 +1,5 @@ ## GitLab -## Contributors: randx, yin8086, sashkab, orkoden, axilleas +## Contributors: randx, yin8086, sashkab, orkoden, axilleas, bbodenmiller ## ## Modified from nginx http version ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ @@ -26,9 +26,8 @@ ## [1] https://github.com/agentzh/chunkin-nginx-module#status ## [2] https://github.com/agentzh/chunkin-nginx-module ## -## ################################### -## SSL configuration ## +## configuration ## ################################### ## ## See installation.md#using-https for additional HTTPS configuration details. @@ -37,24 +36,24 @@ upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; } -## Normal HTTP host +## Redirects all HTTP traffic to the HTTPS host server { listen 0.0.0.0:80; listen [::]:80 default_server; server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice - - ## Redirects all traffic to the HTTPS host - root /nowhere; ## root doesn't have to be a valid path since we are redirecting - rewrite ^ https://$server_name$request_uri? permanent; + return 301 https://$server_name$request_uri; + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; } + ## HTTPS host server { listen 0.0.0.0:443 ssl; listen [::]:443 ssl default_server; server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com - server_tokens off; + server_tokens off; ## Don't show the nginx version number, a security best practice root /home/git/gitlab/public; ## Increase this if you want to upload large attachments @@ -72,12 +71,9 @@ server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; - ## [WARNING] The following header states that the browser should only communicate - ## with your server over a secure connection for the next 24 months. - add_header Strict-Transport-Security max-age=63072000; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; + ## See app/controllers/application_controller.rb for headers set ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. For more info see: |