Merge branch 'modernizenginxtls' into 'master'

nginx: modernise TLS config

See merge request gitlab-org/gitlab!65345

lib/support/nginx/gitlab-pages-ssl

@@ -31,16 +31,16 @@ server {
 
   ## Strong SSL Security
   ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
-  ssl on;
   ssl_certificate /etc/nginx/ssl/gitlab-pages.crt;
   ssl_certificate_key /etc/nginx/ssl/gitlab-pages.key;
 
-  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_prefer_server_ciphers on;
+  ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 5m;
+  ssl_session_tickets off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
 
   ## See app/controllers/application_controller.rb for headers set
 
@@ -58,6 +58,9 @@ server {
   ##
   # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
+  ## [Optional] Enable HTTP Strict Transport Security
+  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
   ## Individual nginx logs for GitLab pages
   access_log  /var/log/nginx/gitlab_pages_access.log;
   error_log   /var/log/nginx/gitlab_pages_error.log;

lib/support/nginx/gitlab-ssl

@@ -83,23 +83,23 @@ server {
 
 ## HTTPS host
 server {
-  listen 0.0.0.0:443 ssl;
-  listen [::]:443 ipv6only=on ssl default_server;
+  listen 0.0.0.0:443 ssl http2;
+  listen [::]:443 ipv6only=on ssl http2 default_server;
   server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
   server_tokens off; ## Don't show the nginx version number, a security best practice
 
   ## Strong SSL Security
   ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
-  ssl on;
   ssl_certificate /etc/nginx/ssl/gitlab.crt;
   ssl_certificate_key /etc/nginx/ssl/gitlab.key;
 
-  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_prefer_server_ciphers on;
+  ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 5m;
+  ssl_session_tickets off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
 
   ## See app/controllers/application_controller.rb for headers set
 
@@ -120,7 +120,7 @@ server {
   # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
   ## [Optional] Enable HTTP Strict Transport Security
-  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
   ## Real IP Module Config
   ## http://nginx.org/en/docs/http/ngx_http_realip_module.html

lib/support/nginx/registry-ssl

@@ -27,15 +27,24 @@ server {
 
   ## Strong SSL Security
   ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
-  ssl on;
   ssl_certificate /etc/gitlab/ssl/registry.gitlab.example.com.crt
   ssl_certificate_key /etc/gitlab/ssl/registry.gitlab.example.com.key
 
-  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
-  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache  builtin:1000  shared:SSL:10m;
-  ssl_session_timeout  5m;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
+  ## [Optional] Generate a stronger DHE parameter:
+  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+  ##
+  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+  ## [Optional] Enable HTTP Strict Transport Security
+  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
   access_log  /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
   error_log   /var/log/gitlab/nginx/gitlab_registry_error.log;