From bceb605f6802f527d09e49737055191c6fe16a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 9 Jul 2024 09:11:20 +0200
Subject: [PATCH] [mod] roles:gitlab-and-nginx:tls mode

---
 roles/gitlab-and-nginx/defaults/main.json | 3 +-
 roles/gitlab-and-nginx/templates/conf.j2 | 125 ++++++++++++----------
 roles/gitlab-and-nginx/vardef.json | 19 ++++
 3 files changed, 88 insertions(+), 59 deletions(-)
 create mode 100644 roles/gitlab-and-nginx/vardef.json

diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json
index 6bffbd7..4f0da06 100644
--- a/roles/gitlab-and-nginx/defaults/main.json
+++ b/roles/gitlab-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
 "var_gitlab_and_nginx_domain": "element.example.org",
- "var_gitlab_and_nginx_path": "/opt/element"
+ "var_gitlab_and_nginx_path": "/opt/element",
+ "var_gitlab_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2
index 4208162..abbb012 100644
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
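Review bot: The new default `"var_gitlab_and_nginx_tls_mode": "enable"` silently changes what existing deployments get: with `enable` the template's port-80 server expands `gitlab_common()` and serves GitLab in clear text, whereas the old template always answered port 80 with a redirect to HTTPS. Hosts that have not set the variable therefore go from redirect-only to plaintext service on the next run. The value that preserves the previous behaviour is `force`, so the default should be `"var_gitlab_and_nginx_tls_mode": "force"`, leaving `enable` and `disable` as explicit opt-ins.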
@@ -1,64 +1,7 @@
-upstream gitlab-workhorse {
- server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
-}
-
-map $http_upgrade $connection_upgrade_gitlab_ssl {
- default upgrade;
- '' close;
-}
-
-log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
-
-map $request_uri $gitlab_ssl_temp_request_uri_1 {
- default $request_uri;
- ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
- default $gitlab_ssl_temp_request_uri_1;
- ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
- default $gitlab_ssl_temp_request_uri_2;
- ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $http_referer $gitlab_ssl_filtered_http_referer {
- default $http_referer;
- ~^(?.*)\? 
$temp;
-}
-
-server {
- listen 80 default_server;
- listen [::]:80 ipv6only=on default_server;
-
- server_name {{var_gitlab_and_nginx_domain}};
- server_tokens off;
-
- return 301 https://$http_host$request_uri;
-
- access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
- error_log /var/log/nginx/gitlab_error.log;
-}
-
-server {
- listen 0.0.0.0:443 ssl http2;
- listen [::]:443 ipv6only=on ssl http2 default_server;
-
- server_name {{var_gitlab_and_nginx_domain}};
- server_tokens off;
-
- ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
- ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
- include /etc/nginx/ssl-hardening.conf;
-
+{% macro gitlab_common() %}
 real_ip_header X-Real-IP;
 real_ip_recursive off;
- access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
- error_log /var/log/nginx/gitlab_error.log;
-
 location / {
 client_max_body_size 0;
 gzip off;
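Review bot: The `gitlab_common()` macro opened at `+{% macro gitlab_common() %}` carries no comment saying what it collects or where it may be expanded, and because its body is plain nginx directives a reader only learns from the second hunk that it has to be rendered inside a `server { }` block. A one-line Jinja comment before the macro line would make that explicit, e.g. `{# gitlab_common(): server-level directives shared by the plain-HTTP and TLS server blocks; expand only inside server { } #}`. The macro body, and the `location /` block it contains, continue past the end of this hunk.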
@@ -90,5 +33,71 @@ server {
 root /home/git/gitlab/public;
 internal;
 }
+{% endmacro %}
+
+upstream gitlab-workhorse {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
+map $http_upgrade $connection_upgrade_gitlab_ssl {
+ default upgrade;
+ '' close;
+}
+
+log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
+
+map $request_uri $gitlab_ssl_temp_request_uri_1 {
+ default $request_uri;
+ ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
+ default $gitlab_ssl_temp_request_uri_1;
+ ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
+ default $gitlab_ssl_temp_request_uri_2;
+ ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $http_referer $gitlab_ssl_filtered_http_referer {
+ default $http_referer;
+ ~^(?.*)\? 
$temp;
+}
+
+server {
+ server_name {{var_gitlab_and_nginx_domain}};
+ server_tokens off;
+
+ listen 80;
+ listen [::]:80 ipv6only=on;
+
+{% if var_gitlab_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ {{ gitlab_common() }}
+{% endif %}
+}
+
+{% if var_gitlab_and_nginx_tls_mode != 'disable' %}
+server {
+ server_name {{var_gitlab_and_nginx_domain}};
+ server_tokens off;
+
+ listen 443 ssl http2;
+ listen [::]:443 ipv6only=on ssl http2;
+
+ ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
+ ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+ access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ {{ gitlab_common() }}
+}
+{% endif %}
diff --git a/roles/gitlab-and-nginx/vardef.json b/roles/gitlab-and-nginx/vardef.json
new file mode 100644
index 0000000..eff28cf
--- /dev/null
+++ b/roles/gitlab-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+ "domain": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "path": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "tls_mode": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ]
+ }
+}
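Review bot: In the port-80 server's `{% else %}` branch, `access_log /var/log/nginx/gitlab_access.log;` omits the `gitlab_ssl_access` format that the TLS server below uses, so in `enable` and `disable` mode requests are logged in nginx's default format and the `private_token`/`authenticity_token`/`feed_token` filtering implemented by the `map` blocks earlier in this hunk never applies — those tokens would be written to the log unfiltered, and the same file would receive two different formats. Change the line to `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;`. The `{% if var_gitlab_and_nginx_tls_mode != 'disable' %}` guard also treats any unrecognised value as `enable`; unless the `options` list in vardef.json is enforced before templating (not visible in this patch), a typo ends up serving plaintext alongside TLS rather than failing, so testing for the known values explicitly (`var_gitlab_and_nginx_tls_mode in ['enable', 'force']`) would be safer. The `{% endmacro %}` at the top of the hunk closes the macro opened in the previous hunk.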