Commit be14c7a8 authored by Marin Jankovski's avatar Marin Jankovski

Add a comment on why we are using backward compatible ciphers.

parent 8ddb2be6
No related merge requests found
...@@ -19,7 +19,7 @@ ...@@ -19,7 +19,7 @@
## - installing an old version of Nginx with the chunkin module [2] compiled in, or ## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx. ## - using a newer version of Nginx.
## ##
## At the time of writing we do not know if either of these theoretical solutions works. ## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files. ## As a workaround users can use Git over SSH to push large files.
## ##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
...@@ -42,7 +42,7 @@ server { ...@@ -42,7 +42,7 @@ server {
listen *:80 default_server; listen *:80 default_server;
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice server_tokens off; ## Don't show the nginx version number, a security best practice
## Redirects all traffic to the HTTPS host ## Redirects all traffic to the HTTPS host
root /nowhere; ## root doesn't have to be a valid path since we are redirecting root /nowhere; ## root doesn't have to be a valid path since we are redirecting
rewrite ^ https://$server_name$request_uri? permanent; rewrite ^ https://$server_name$request_uri? permanent;
...@@ -65,6 +65,7 @@ server { ...@@ -65,6 +65,7 @@ server {
ssl_certificate /etc/nginx/ssl/gitlab.crt; ssl_certificate /etc/nginx/ssl/gitlab.crt;
ssl_certificate_key /etc/nginx/ssl/gitlab.key; ssl_certificate_key /etc/nginx/ssl/gitlab.key;
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...@@ -72,7 +73,7 @@ server { ...@@ -72,7 +73,7 @@ server {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
## [WARNING] The following header states that the browser should only communicate ## [WARNING] The following header states that the browser should only communicate
## with your server over a secure connection for the next 24 months. ## with your server over a secure connection for the next 24 months.
add_header Strict-Transport-Security max-age=63072000; add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment