X https draftly works

component/nginx/buildout.cfg

@@ -19,6 +19,8 @@ md5sum = 27322fbb4b265c0e0cc548f5e6b7f201
 configure-options=
   --with-ipv6
   --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
   --with-mail
   --with-mail_ssl_module
   --with-ld-opt="-L ${openssl:location}/lib -L ${pcre:location}/lib -L ${zlib:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${zlib:location}/lib"
@@ -36,6 +38,8 @@ mode = 0644
 configure-options =
   --with-ipv6
   --with-http_ssl_module
+  --with-http_spdy_module
+  --with-http_gzip_static_module
   --with-mail
   --with-mail_ssl_module
   --error-log-path=var/log/nginx.error.log

software/gitlab/gitlab-parameters.cfg

@@ -90,10 +90,11 @@ configuration.nginx_redirect_http_to_https  = false
 
 # we don't need - we talk directly to frontend only
 configuration.nginx_ssl_ciphers             = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
-configuration.nginx_ssl_prefer_server_ciphers = no
+configuration.nginx_ssl_prefer_server_ciphers = on
 configuration.nginx_ssl_protocols           = TLSv1 TLSv1.1 TLSv1.2
 # the following is not default
 configuration.nginx_ssl_session_cache       = builtin:1000  shared:SSL:10m
+configuration.nginx_ssl_session_timeout     = 5m
 
 
 configuration.nginx_proxy_read_timeout      = 300

software/gitlab/instance-gitlab.cfg.in

@@ -26,8 +26,6 @@ parts =
     service-unicorn
     service-sidekiq
 
-    certificate-authority
-
     service-nginx
     service-postgresql
     service-redis
@@ -518,49 +516,50 @@ command-line    = ${gitlab-sidekiq:wrapper-path}
 #   Nginx frontend   #
 ######################
 
-# self-signed certificate, if we use https
-[ssl]
-recipe  = slapos.cookbook:mkdirectory
-ssl     = ${directory:srv}/ssl
-requests= ${:ssl}/requests
-private = ${:ssl}/private
-certs   = ${:ssl}/certs
-newcerts= ${:ssl}/newcerts
-crl     = ${:ssl}/crl
-
-[certificate-authority]
-recipe  = slapos.cookbook:certificate_authority
-wrapper = ${directory:service}/certificate_authority
-openssl-binary  = {{ openssl_bin }}
-ca-dir  = ${ssl:ssl}
-requests-directory      = ${ssl:requests}
-ca-private      = ${ssl:private}
-ca-certs        = ${ssl:certs}
-ca-newcerts     = ${ssl:newcerts}
-ca-crl          = ${ssl:crl}
-email           = ${instance-parameter:configuration.email_from}
-
-#[ca-nginx]
-#recipe  = slapos.cookbook:certificate_authority.request
-#key-file=
-#cert-file=
-
-name    = <domain-name>
-
-
 # srv/nginx/ prefix  +  etc/ log/ ...
-[nginx]
+[nginx-dir]
 recipe  = slapos.cookbook:mkdirectory
 srv     = ${directory:srv}/nginx
 etc     = ${directory:etc}/nginx
 log     = ${directory:log}/nginx
 
+[nginx-ssl-dir]
+recipe  = slapos.cookbook:mkdirectory
+ssl     = ${nginx-dir:etc}/ssl
+# contains https key
+mode    = 0700
+
+# self-signed certificate for https
+[nginx-generate-certificate]
+# NOTE there is slapos.cookbook:certificate_authority.request but it requires
+# to start whole service and has up to 60 seconds latency to generate
+# certificate. We only need to run 1 command to do it...
+recipe  = plone.recipe.command
+stop-on-error   = true
+cert_file   = ${nginx-ssl-dir:ssl}/gitlab_backend.crt
+key_file    = ${nginx-ssl-dir:ssl}/gitlab_backend.key
+
+update-command =
+command =
+    {{ openssl_bin }} req -newkey rsa -batch -new -x509 -days 3650 -nodes   \
+    -keyout ${:key_file} -out ${:cert_file}
+
+
+[nginx]
+srv     = ${nginx-dir:srv}
+etc     = ${nginx-dir:etc}
+log     = ${nginx-dir:log}
+ssl     = ${nginx-ssl-dir:ssl}
+
+cert_file   = ${nginx-generate-certificate:cert_file}
+key_file    = ${nginx-generate-certificate:key_file}
+
+
 [nginx-symlinks]
 # (nginx wants <prefix>/logs to be there from start - else it issues alarm to the log)
 recipe  = cns.recipe.symlink
 symlink = ${nginx:log}  = ${nginx:srv}/logs
 
-
 [service-nginx]
 recipe  = slapos.cookbook:wrapper
 wrapper-path    = ${directory:service}/nginx

software/gitlab/template/nginx-gitlab-http.conf.in

@@ -53,24 +53,22 @@ server {
   ## Strong SSL Security
   ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
   ssl on;
-  {# TODO handle ssl certs: generate automatically (?)
-  ssl_certificate {{ cfg('ssl_certificate') }};
-  ssl_certificate_key <%= @ssl_certificate_key %>;
-  #}
-  {# TODO use from ca-certs
+  ssl_certificate {{ nginx.cert_file }};
+  ssl_certificate_key {{ nginx.key_file }};
+  {# we don't need - most root CA will be included by default
   {% if cfg_bool('ssl_client_certificate') %}
   ssl_client_certificate <%= @ssl_client_certificate%>;
   {% endif %}
   #}
 
   # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  # XXX the above isnot relevant for us - we are begind frontend and clients
+  # XXX the above is not relevant for us - we are behind frontend and clients
   #     directly connects to frontend
   ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
   ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
   ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
   ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
-  ssl_session_timeout  {{ cfg('ssl_session_timeout') }};
+  ssl_session_timeout  {{ cfg('nginx_ssl_session_timeout') }};
 
   {# XXX do we need ssl_dharm ?
   {% if cfg_bool('ssl_dhparam') %}
@@ -92,7 +90,7 @@ server {
   location /uploads/ {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -117,7 +115,7 @@ server {
   location @gitlab {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -158,7 +156,7 @@ server {
   location @gitlab-git-http-server {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_https else ''}}
+    {{ 'gzip off' if cfg_https else ''}};
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
@@ -184,9 +182,7 @@ server {
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
     root {{ gitlab_work.location }}/public;
-    {# TODO reenable after --with-http_gzip_static_module added to nginx
     gzip_static on; # to serve pre-gzipped version
-    #}
     expires max;
     add_header Cache-Control public;
   }