X https draftly works

e5f914c6 · Kirill Smelkov · 8426aca3 · e5f914c6 · e5f914c6 · e5f914c6
Commit e5f914c6 authored Nov 13, 2015 by Kirill Smelkov
4 changed files
--- a/component/nginx/buildout.cfg
+++ b/component/nginx/buildout.cfg
@@ -19,6 +19,8 @@ md5sum = 27322fbb4b265c0e0cc548f5e6b7f201
 configure-options=
  --with-ipv6
  --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
  --with-mail
  --with-mail_ssl_module
  --with-ld-opt="-L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
@@ -36,6 +38,8 @@ mode = 0644
 configure-options =
  --with-ipv6
  --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
  --with-mail
  --with-mail_ssl_module
  --error-log-path=var/log/nginx.error.log

--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -90,10 +90,11 @@ configuration.nginx_redirect_http_to_https  = false

 # we don't need - we talk directly to frontend only
 configuration.nginx_ssl_ciphers             = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
-configuration.nginx_ssl_prefer_server_ciphers = no
+configuration.nginx_ssl_prefer_server_ciphers = on
 configuration.nginx_ssl_protocols           = TLSv1 TLSv1.1 TLSv1.2
 # the following is not default
 configuration.nginx_ssl_session_cache       = builtin:1000  shared:SSL:10m
+configuration.nginx_ssl_session_timeout     = 5m


 configuration.nginx_proxy_read_timeout      = 300

--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -26,8 +26,6 @@ parts =
    service-unicorn
    service-sidekiq

-    certificate-authority
-
    service-nginx
    service-postgresql
    service-redis
@@ -518,49 +516,50 @@ command-line    = ${gitlab-sidekiq:wrapper-path}
 #   Nginx frontend   #
 ######################

-# self-signed certificate, if we use https
-[ssl]
-recipe  = slapos.cookbook:mkdirectory
-ssl     = ${directory:srv}/ssl
-requests= ${:ssl}/requests
-private = ${:ssl}/private
-certs   = ${:ssl}/certs
-newcerts= ${:ssl}/newcerts
-crl     = ${:ssl}/crl
-
-[certificate-authority]
-recipe  = slapos.cookbook:certificate_authority
-wrapper = ${directory:service}/certificate_authority
-openssl-binary  = {{ openssl_bin }}
-ca-dir  = ${ssl:ssl}
-requests-directory      = ${ssl:requests}
-ca-private      = ${ssl:private}
-ca-certs        = ${ssl:certs}
-ca-newcerts     = ${ssl:newcerts}
-ca-crl          = ${ssl:crl}
-email           = ${instance-parameter:configuration.email_from}
-
-#[ca-nginx]
-#recipe  = slapos.cookbook:certificate_authority.request
-#key-file=
-#cert-file=
-
-name    = <domain-name>
-
-
 # srv/nginx/ prefix  +  etc/ log/ ...
-[nginx]
+[nginx-dir]
 recipe  = slapos.cookbook:mkdirectory
 srv     = ${directory:srv}/nginx
 etc     = ${directory:etc}/nginx
 log     = ${directory:log}/nginx

+[nginx-ssl-dir]
+recipe  = slapos.cookbook:mkdirectory
+ssl     = ${nginx-dir:etc}/ssl
+# contains https key
+mode    = 0700
+
+# self-signed certificate for https
+[nginx-generate-certificate]
+# NOTE there is slapos.cookbook:certificate_authority.request but it requires
+# to start whole service and has up to 60 seconds latency to generate
+# certificate. We only need to run 1 command to do it...
+recipe  = plone.recipe.command
+stop-on-error   = true
+cert_file   = ${nginx-ssl-dir:ssl}/gitlab_backend.crt
+key_file    = ${nginx-ssl-dir:ssl}/gitlab_backend.key
+
+update-command =
+command =
+    {{ openssl_bin }} req -newkey rsa -batch -new -x509 -days 3650 -nodes   \
+    -keyout ${:key_file} -out ${:cert_file}
+
+
+[nginx]
+srv     = ${nginx-dir:srv}
+etc     = ${nginx-dir:etc}
+log     = ${nginx-dir:log}
+ssl     = ${nginx-ssl-dir:ssl}
+
+cert_file   = ${nginx-generate-certificate:cert_file}
+key_file    = ${nginx-generate-certificate:key_file}
+
+
 [nginx-symlinks]
 # (nginx wants <prefix>/logs to be there from start - else it issues alarm to the log)
 recipe  = cns.recipe.symlink
 symlink = ${nginx:log}  = ${nginx:srv}/logs

-
 [service-nginx]
 recipe  = slapos.cookbook:wrapper
 wrapper-path    = ${directory:service}/nginx

--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
@@ -53,24 +53,22 @@ server {
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
-  {# TODO handle ssl certs: generate automatically (?)
-  ssl_certificate {{ cfg('ssl_certificate') }};
-  ssl_certificate_key <%= @ssl_certificate_key %>;
-  #}
-  {# TODO use from ca-certs
+  ssl_certificate {{ nginx.cert_file }};
+  ssl_certificate_key {{ nginx.key_file }};
+  {# we don't need - most root CA will be included by default
  {% if cfg_bool('ssl_client_certificate') %}
  ssl_client_certificate <%= @ssl_client_certificate%>;
  {% endif %}
  #}

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  # XXX the above isnot relevant for us - we are begind frontend and clients
+  # XXX the above is not relevant for us - we are behind frontend and clients
  #     directly connects to frontend
  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
  ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
  ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
-  ssl_session_timeout  {{ cfg('ssl_session_timeout') }};
+  ssl_session_timeout  {{ cfg('nginx_ssl_session_timeout') }};

  {# XXX do we need ssl_dharm ?
  {% if cfg_bool('ssl_dhparam') %}
@@ -92,7 +90,7 @@ server {
  location /uploads/ {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -117,7 +115,7 @@ server {
  location @gitlab {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -158,7 +156,7 @@ server {
  location @gitlab-git-http-server {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -184,9 +182,7 @@ server {
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
    root {{ gitlab_work.location }}/public;
-    {# TODO reenable after --with-http_gzip_static_module added to nginx
    gzip_static on; # to serve pre-gzipped version
-    #}
    expires max;
    add_header Cache-Control public;
  }