Simplify the ssl setup file.

lib/support/nginx/gitlab

@@ -20,9 +20,9 @@ upstream gitlab {
 }
 
 server {
-  listen *:80 default_server;         # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
-  server_name YOUR_SERVER_FQDN;     # e.g., server_name source.example.com;
-  server_tokens off;     # don't show the version number, a security best practice
+  listen *:80 default_server;
+  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
   root /home/git/gitlab/public;
   
   # Increase this if you want to upload large attachments

lib/support/nginx/gitlab-ssl

@@ -3,33 +3,11 @@
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ##
-## Lines starting with two hashes (##) are comments containing information
-## for configuration. One hash (#) comments are actual configuration parameters
-## which you can comment/uncomment to your liking.
-##
-###################################
-##        SSL configuration      ##
-###################################
-##
-## Optimal configuration is taken from:
-## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-## Make sure to read it and understand what each option does.
-##
-## [Optional] Generate a self-signed ssl certificate:
-##    mkdir /etc/nginx/ssl/
-##    cd /etc/nginx/ssl/
-##    sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
-##    sudo chmod o-r gitlab.key
-##
-## Edit `gitlab-shell/config.yml`:
-##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
-##  2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
-##  3) Set "self_signed_cert" to `true`
-## Edit `gitlab/config/gitlab.yml`:
-##  1) Define port for http "port: 443"
-##  2) Enable https "https: true"
-##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters.
+## The last category can be commented/uncommented to your liking.
 ##
 ##################################
 ##        CHUNKED TRANSFER      ##
@@ -48,33 +26,41 @@
 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
 ## [1] https://github.com/agentzh/chunkin-nginx-module#status
 ## [2] https://github.com/agentzh/chunkin-nginx-module
-
+##
+###################################
+##        SSL file editing       ##
+###################################
+##
+## Edit `gitlab-shell/config.yml`:
+##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
+##  2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
+##  3) Set "self_signed_cert" to `true`
+## Edit `gitlab/config/gitlab.yml`:
+##  1) Define port for http "port: 443"
+##  2) Enable https "https: true"
+##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+##
+###################################
+##        SSL configuration      ##
+###################################
+##
 
 upstream gitlab {
-
-  ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
   server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
-
-  ## Uncomment if unicorn is configured to listen on a tcp port.
-  ## Check the port number in /home/git/gitlab/config/unicorn.rb
-  # server 127.0.0.1:8080;
 }
 
 ## This is a normal HTTP host which redirects all traffic to the HTTPS host.
 server {
-  listen *:80;
-  ## Replace git.example.com with your FQDN.
-  server_name git.example.com;
-  server_tokens off;
-  ## root doesn't have to be a valid path since we are redirecting
-  root /nowhere;
+  listen *:80 default_server;
+  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
   rewrite ^ https://$server_name$request_uri permanent;
 }
 
 server {
   listen 443 ssl;
-  ## Replace git.example.com with your FQDN.
-  server_name git.example.com;
+  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
   server_tokens off;
   root /home/git/gitlab/public;
 
@@ -93,22 +79,7 @@ server {
   ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
   ssl_session_cache  builtin:1000  shared:SSL:10m;
 
-  ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
-  ## Replace with your ssl_trusted_certificate. For more info see:
-  ## - https://medium.com/devops-programming/4445f4862461
-  ## - https://www.ruby-forum.com/topic/4419319
-  ssl_stapling on;
-  ssl_stapling_verify on;
-  ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
-  resolver 208.67.222.222 208.67.222.220 valid=300s;
-  resolver_timeout 10s;
-
   ssl_prefer_server_ciphers   on;
-  ## [Optional] Generate a stronger DHE parameter (recommended):
-  ##   cd /etc/ssl/certs
-  ##   openssl dhparam -out dhparam.pem 2048
-  ##
-  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
   add_header Strict-Transport-Security max-age=63072000;
   add_header X-Frame-Options DENY;