diff --git a/Changelog.md b/Changelog.md
index b0aa898f9..7b9d4268c 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,8 @@
 # Changelog
 **latest**
+- added HSTS_ENABLED configuration option (advanced config)
+- added HSTS_MAX_AGE configuration option (advanced config)
 - upgrade to gitlab-shell 1.9.8
 - purge development packages after install. shaves off ~300MB from the image.
 - rebase image on sameersbn/debian:jessie.20140918 base image
diff --git a/README.md b/README.md
index 2ba94854e..bd5c0196d 100644
--- a/README.md
+++ b/README.md
@@ -758,6 +758,8 @@ Below is the complete list of available options that can be used to customize yo
 - **CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.
 - **NGINX_MAX_UPLOAD_SIZE**: Maximum acceptable upload size. Defaults to `20m`.
 - **NGINX_X_FORWARDED_PROTO**: Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`.
+- **HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See #138 for use case scenario.
+- **HSTS_MAX_AGE**: Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
 - **REDIS_HOST**: The hostname of the redis server. Defaults to `localhost`
 - **REDIS_PORT**: The connection port of the redis server. Defaults to `6379`.
 - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to `2`.
diff --git a/assets/config/nginx/gitlab-ssl b/assets/config/nginx/gitlab-ssl
index 887b3a9c9..710eaadb7 100644
--- a/assets/config/nginx/gitlab-ssl
+++ b/assets/config/nginx/gitlab-ssl
@@ -110,7 +110,7 @@ server {
 ##
 ssl_dhparam {{SSL_DHPARAM_PATH}};
-add_header Strict-Transport-Security max-age=63072000;
+add_header Strict-Transport-Security max-age={{HSTS_MAX_AGE}};
 # add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
diff --git a/assets/init b/assets/init
index f7c3d54ea..7c1ab322c 100755
--- a/assets/init
+++ b/assets/init
@@ -82,6 +82,9 @@ LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
 LDAP_BASE=${LDAP_BASE:-}
 LDAP_USER_FILTER=${LDAP_USER_FILTER:-}
+HSTS_ENABLED=${HSTS_ENABLED:-true}
+HSTS_MAX_AGE=${HSTS_MAXAGE:-31536000}
+
 REDMINE_URL=${REDMINE_URL:-}
 JIRA_URL=${JIRA_URL:-}
@@ -457,6 +460,12 @@ sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-enable
 sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/' -i /etc/nginx/sites-enabled/gitlab
 sed 's/{{NGINX_X_FORWARDED_PROTO}}/'"${NGINX_X_FORWARDED_PROTO}"'/' -i /etc/nginx/sites-enabled/gitlab
+if [ "${HSTS_ENABLED}" == "true" ]; then
+  sed 's/{{HSTS_MAX_AGE}}/'"${HSTS_MAX_AGE}"'/' -i /etc/nginx/sites-enabled/gitlab
+else
+  sed '/{{HSTS_MAX_AGE}}/d' -i /etc/nginx/sites-enabled/gitlab
+fi
+
 # configure relative_url_root
 if [ -n "${GITLAB_RELATIVE_URL_ROOT}" ]; then
   sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i /etc/nginx/sites-enabled/gitlab
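Review bot: `HSTS_MAX_AGE=${HSTS_MAXAGE:-31536000}` in the first assets/init hunk reads an environment variable named `HSTS_MAXAGE`, while the README and Changelog entries in this same commit document the option as `HSTS_MAX_AGE`, so a user-supplied `HSTS_MAX_AGE` is ignored and the default is always substituted into the nginx template. The line should read `HSTS_MAX_AGE=${HSTS_MAX_AGE:-31536000}`. Separately, this default is one year, whereas the hard-coded value the gitlab-ssl hunk replaces was 63072000 (two years); if that halving is intended it deserves its own Changelog line, since existing deployments will silently start emitting a shorter max-age after upgrade.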
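Review bot: In the second assets/init hunk the value of `HSTS_MAX_AGE` is spliced into the sed expression and from there into the `Strict-Transport-Security` header without any validation, so a non-numeric value (or one containing `/`) either breaks the sed script or produces a header browsers will ignore, silently losing HSTS while `HSTS_ENABLED` is `true`. A guard before the `if`, such as `case "${HSTS_MAX_AGE}" in ''|*[!0-9]*) echo "HSTS_MAX_AGE must be a non-negative integer" >&2; exit 1 ;; esac`, fails fast at container start instead. The `==` operator inside `[ ]` is a bash extension; the script's interpreter line is outside the hunk, so if it can run under a POSIX sh, `[ "${HSTS_ENABLED}" = "true" ]` is the portable form.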