Merge branch 'hsts-config'

Closes #138
sameersbn · Sep 19, 2014 · 9458cb6 · 9458cb6
2 parents 96948c0 + 979632d
commit 9458cb6
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/Changelog.md b/Changelog.md
@@ -1,6 +1,8 @@
 # Changelog
 
 **latest**
+- added HSTS_ENABLED configuration option (advanced config)
+- added HSTS_MAX_AGE configuration option (advanced config)
 - upgrade to gitlab-shell 1.9.8
 - purge development packages after install. shaves off ~300MB from the image.
 - rebase image on sameersbn/debian:jessie.20140918 base image

diff --git a/README.md b/README.md
@@ -758,6 +758,8 @@ Below is the complete list of available options that can be used to customize yo
 - **CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.
 - **NGINX_MAX_UPLOAD_SIZE**: Maximum acceptable upload size. Defaults to `20m`.
 - **NGINX_X_FORWARDED_PROTO**: Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`.
+- **HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See #138 for use case scenario.
+- **HSTS_MAX_AGE**: Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
 - **REDIS_HOST**: The hostname of the redis server. Defaults to `localhost`
 - **REDIS_PORT**: The connection port of the redis server. Defaults to `6379`.
 - **UNICORN_WORKERS**: The number of unicorn workers to start. Defaults to `2`.

diff --git a/assets/config/nginx/gitlab-ssl b/assets/config/nginx/gitlab-ssl
@@ -110,7 +110,7 @@ server {
   ##
   ssl_dhparam {{SSL_DHPARAM_PATH}};
 
-  add_header Strict-Transport-Security max-age=63072000;
+  add_header Strict-Transport-Security max-age={{HSTS_MAX_AGE}};
   # add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
 

diff --git a/assets/init b/assets/init
@@ -82,6 +82,9 @@ LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
 LDAP_BASE=${LDAP_BASE:-}
 LDAP_USER_FILTER=${LDAP_USER_FILTER:-}
 
+HSTS_ENABLED=${HSTS_ENABLED:-true}
+HSTS_MAX_AGE=${HSTS_MAXAGE:-31536000}
+
 REDMINE_URL=${REDMINE_URL:-}
 JIRA_URL=${JIRA_URL:-}
 
@@ -457,6 +460,12 @@ sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i /etc/nginx/sites-enable
 sed 's/{{NGINX_MAX_UPLOAD_SIZE}}/'"${NGINX_MAX_UPLOAD_SIZE}"'/' -i /etc/nginx/sites-enabled/gitlab
 sed 's/{{NGINX_X_FORWARDED_PROTO}}/'"${NGINX_X_FORWARDED_PROTO}"'/' -i /etc/nginx/sites-enabled/gitlab
 
+if [ "${HSTS_ENABLED}" == "true" ]; then
+  sed 's/{{HSTS_MAX_AGE}}/'"${HSTS_MAX_AGE}"'/' -i /etc/nginx/sites-enabled/gitlab
+else
+  sed '/{{HSTS_MAX_AGE}}/d' -i /etc/nginx/sites-enabled/gitlab
+fi
+
 # configure relative_url_root
 if [ -n "${GITLAB_RELATIVE_URL_ROOT}" ]; then
   sed 's,{{GITLAB_RELATIVE_URL_ROOT}},'"${GITLAB_RELATIVE_URL_ROOT}"',' -i /etc/nginx/sites-enabled/gitlab