diff --git a/Changelog.md b/Changelog.md index 454a3f89a..5ba34af42 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ **latest** - added OAUTH_GOOGLE_RESTRICT_DOMAIN config option. +- added GITLAB_HTTPS_HSTS_MAXAGE to specify HSTS max age value. **7.2.0** - upgrade to gitlab-ce 7.2.0 diff --git a/README.md b/README.md index e87004b64..9769323d4 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ - [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) - [Establishing trust with your server](#establishing-trust-with-your-server) - [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates) + - [Configuring HSTS](#configuring-hsts) - [Putting it all together](#putting-it-all-together) - [Run under sub URI](#run-under-sub-uri) - [OmniAuth Integration](#omniauth-integration) @@ -597,6 +598,20 @@ Copy the ca.crt file into the certs directory on the [datastore](#data-store). T By default, our own server certificate [gitlab.crt](#generation-of-self-signed-certificates) is added to the trusted certificates list. +#### Configuring HSTS +HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value. + +With GITLAB_HTTPS_HSTS_MAXAGE you can configure that value. The default value is **63072000** seconds. If you want to disable a already sent HSTS MAXAGE value, set it to **0**. + +```bash +docker run --name=gitlab -d \ + -e 'GITLAB_HTTPS=true' \ + -e 'GITLAB_HTTPS_ONLY=false' \ + -e 'GITLAB_HTTPS_HSTS_MAXAGE=2592000' + -v /opt/gitlab/data:/home/git/data \ + sameersbn/gitlab:latest +``` + ### Putting it all together ```bash 
@@ -700,6 +715,7 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_RELATIVE_URL_ROOT**: The sub URI of the GitLab server, e.g. /gitlab. No default. - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default. - **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true. +- **GITLAB_HTTPS_HSTS_MAXAGE**: Congfigure HSTS max-age lifespan in seconds. Default value is 63072000 seconds. - **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default. - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt - **SSL_KEY_PATH**: Location of the ssl private key. Defaults to /home/git/data/certs/gitlab.key diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive index 280aee128..f5a2acc42 100644 --- a/assets/config/nginx/gitlab.https.permissive +++ b/assets/config/nginx/gitlab.https.permissive @@ -99,7 +99,7 @@ server { ## ssl_dhparam {{SSL_DHPARAM_PATH}}; - add_header Strict-Transport-Security max-age=63072000; + add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}}; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict index d2f5d7804..617cee244 100644 --- a/assets/config/nginx/gitlab.https.strict +++ b/assets/config/nginx/gitlab.https.strict @@ -110,7 +110,7 @@ server { ## ssl_dhparam {{SSL_DHPARAM_PATH}}; - add_header Strict-Transport-Security max-age=63072000; + add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}}; # add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; diff --git a/assets/init b/assets/init index f5c037787..c77246421 100755 --- a/assets/init +++ b/assets/init 
@@ -7,6 +7,7 @@ GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compa GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-22} GITLAB_HTTPS=${GITLAB_HTTPS:-false} GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true} +GITLAB_HTTPS_HSTS_MAXAGE=${GITLAB_HTTPS_HSTS_MAXAGE:63072000} GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com} GITLAB_SIGNUP=${GITLAB_SIGNUP:-false} GITLAB_SIGNIN=${GITLAB_SIGNIN:-true} @@ -210,6 +211,7 @@ sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab +sed 's,{{GITLAB_HTTPS_HSTS_MAXAGE}},'"${GITLAB_HTTPS_HSTS_MAXAGE}"',' -i /etc/nginx/sites-available/gitlab sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-available/gitlab # configure relative_url_root
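Review bot: the `docker run` example in the new "Configuring HSTS" README section is missing a trailing backslash after `-e 'GITLAB_HTTPS_HSTS_MAXAGE=2592000'`, so the following `-v /opt/gitlab/data:/home/git/data \` line would be parsed by the shell as a separate command and the container would start without the data volume (and without the image argument). Add `\` to the end of that line. Same section, prose typos: "sever" should be "server" and "a already sent" should be "an already sent".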
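Review bot: typo in the options list entry added to README.md: "Congfigure" should be "Configure". It would also help to state here, as the "Configuring HSTS" section does, that setting the value to 0 clears a previously sent HSTS policy in browsers.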
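Review bot: the default in the `assets/init` hunk at `@@ -7,6 +7,7 @@` is wrong: `${GITLAB_HTTPS_HSTS_MAXAGE:63072000}` lacks the `-`, so it is a substring expansion (offset 63072000), not a default. When the variable is unset this expands to an empty string in bash (or fails with "bad substitution" in a POSIX sh), and the nginx templates then receive `add_header Strict-Transport-Security max-age=;`, an invalid header that browsers ignore, silently losing the HSTS protection the other hunks are meant to preserve. It should read `GITLAB_HTTPS_HSTS_MAXAGE=${GITLAB_HTTPS_HSTS_MAXAGE:-63072000}`, matching the surrounding `${VAR:-default}` lines.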
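Review bot: the new `sed` line in the `@@ -210,6 +211,7 @@` hunk substitutes the user-supplied value into both nginx templates without checking it, so an empty or non-numeric `GITLAB_HTTPS_HSTS_MAXAGE` produces a malformed `Strict-Transport-Security` header rather than an error at startup. Consider rejecting anything that is not a non-negative integer before the substitution (e.g. a `case "${GITLAB_HTTPS_HSTS_MAXAGE}" in *[!0-9]*|'') ... exit 1 ;; esac` guard), so a misconfiguration fails loudly instead of disabling HSTS.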