From 3bc032a4a7be641b7e37573611e7d0bfacbc4823 Mon Sep 17 00:00:00 2001
From: Jens Kohl <jens.kohl@gmail.com>
Date: Mon, 25 Aug 2014 15:24:03 +0200
Subject: [PATCH] Add option to configure HSTS

---
 Changelog.md                                |  1 +
 README.md                                   | 16 ++++++++++++++++
 assets/config/nginx/gitlab.https.permissive |  2 +-
 assets/config/nginx/gitlab.https.strict     |  2 +-
 assets/init                                 |  2 ++
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 454a3f89a..5ba34af42 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,7 @@
 
 **latest**
 - added OAUTH_GOOGLE_RESTRICT_DOMAIN config option.
+- added GITLAB_HTTPS_HSTS_MAXAGE to specify HSTS max age value.
 
 **7.2.0**
 - upgrade to gitlab-ce 7.2.0
diff --git a/README.md b/README.md
index e87004b64..9769323d4 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@
       - [Using HTTPS with a load balancer](#using-https-with-a-load-balancer)
       - [Establishing trust with your server](#establishing-trust-with-your-server)
       - [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates)
+      - [Configuring HSTS](#configuring-hsts)
     - [Putting it all together](#putting-it-all-together)
     - [Run under sub URI](#run-under-sub-uri)
     - [OmniAuth Integration](#omniauth-integration)
@@ -597,6 +598,20 @@ Copy the ca.crt file into the certs directory on the [datastore](#data-store). T
 
 By default, our own server certificate [gitlab.crt](#generation-of-self-signed-certificates) is added to the trusted certificates list.
 
+#### Configuring HSTS
+HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value.
+
+With GITLAB_HTTPS_HSTS_MAXAGE you can configure that value. The default value is **63072000** seconds. If you want to disable a already sent HSTS MAXAGE value, set it to **0**.
+
+```bash
+docker run --name=gitlab -d \
+  -e 'GITLAB_HTTPS=true' \
+  -e 'GITLAB_HTTPS_ONLY=false' \
+  -e 'GITLAB_HTTPS_HSTS_MAXAGE=2592000'
+  -v /opt/gitlab/data:/home/git/data \
+  sameersbn/gitlab:latest
+```
+
 ### Putting it all together
 
 ```bash
@@ -700,6 +715,7 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_RELATIVE_URL_ROOT**: The sub URI of the GitLab server, e.g. /gitlab. No default.
 - **GITLAB_HTTPS**: Set to true to enable https support, disabled by default.
 - **GITLAB_HTTPS_ONLY**: Configure access over plain http when GITLAB_HTTPS is enabled. Should be set to false when using a load balancer. Defaults to true.
+- **GITLAB_HTTPS_HSTS_MAXAGE**: Congfigure HSTS max-age lifespan in seconds. Default value is 63072000 seconds.
 - **SSL_SELF_SIGNED**: Set to true when using self signed ssl certificates. false by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to /home/git/data/certs/gitlab.crt
 - **SSL_KEY_PATH**: Location of the ssl private key. Defaults to /home/git/data/certs/gitlab.key
diff --git a/assets/config/nginx/gitlab.https.permissive b/assets/config/nginx/gitlab.https.permissive
index 280aee128..f5a2acc42 100644
--- a/assets/config/nginx/gitlab.https.permissive
+++ b/assets/config/nginx/gitlab.https.permissive
@@ -99,7 +99,7 @@ server {
   ##
   ssl_dhparam {{SSL_DHPARAM_PATH}};
 
-  add_header Strict-Transport-Security max-age=63072000;
+  add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}};
   add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
 
diff --git a/assets/config/nginx/gitlab.https.strict b/assets/config/nginx/gitlab.https.strict
index d2f5d7804..617cee244 100644
--- a/assets/config/nginx/gitlab.https.strict
+++ b/assets/config/nginx/gitlab.https.strict
@@ -110,7 +110,7 @@ server {
   ##
   ssl_dhparam {{SSL_DHPARAM_PATH}};
 
-  add_header Strict-Transport-Security max-age=63072000;
+  add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}};
   # add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
 
diff --git a/assets/init b/assets/init
index f5c037787..c77246421 100755
--- a/assets/init
+++ b/assets/init
@@ -7,6 +7,7 @@ GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compa
 GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-22}
 GITLAB_HTTPS=${GITLAB_HTTPS:-false}
 GITLAB_HTTPS_ONLY=${GITLAB_HTTPS_ONLY:-true}
+GITLAB_HTTPS_HSTS_MAXAGE=${GITLAB_HTTPS_HSTS_MAXAGE:63072000}
 GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com}
 GITLAB_SIGNUP=${GITLAB_SIGNUP:-false}
 GITLAB_SIGNIN=${GITLAB_SIGNIN:-true}
@@ -210,6 +211,7 @@ sed 's/{{GITLAB_PORT}}/'"${GITLAB_PORT}"'/' -i /etc/nginx/sites-available/gitlab
 sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i /etc/nginx/sites-available/gitlab
 sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i /etc/nginx/sites-available/gitlab
 sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-available/gitlab
+sed 's,{{GITLAB_HTTPS_HSTS_MAXAGE}},'"${GITLAB_HTTPS_HSTS_MAXAGE}"',' -i /etc/nginx/sites-available/gitlab
 sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/g' -i /etc/nginx/sites-available/gitlab
 
 # configure relative_url_root