nginx: modernise TLS config

Jörg Behrmann requested to merge behrmann/gitlab:modernizenginxtls into master

What does this MR do?

This MR modernises the TLS settings in gitlab-ssl, gitlab-pages-ssl and registry-ssl.

Having just installed GitLab from source on Debian bullseye, I noticed that nginx -t was throwing a warning because ssl on; is deprecated on sufficiently new nginx installations and is superfluous because it is already listed after listen. Looking at the git blame output I saw that the SSL config hasn't been touched in several years, so this MR updates it to use the intermediate settings from Mozilla's SSL Configuration Generator targeting Debian buster, although this should work for even older servers (which are probably not supported anymore).

SSL session tickets are disabled, since the timeout is increased and renegotiating a session should be cheap enough. TLSv1 and TLSv1.1 are disabled and TLSv1.3 is enabled and more modern ciphers are chosen, since the reason of old Java IDEs is probably outdated nowadays and even if not, shouldn't hold back everybody else.

Sections for dh_params and HSTS are added where missing, and HSTS times are bumped to two years instead of one, since that is what Mozilla recommends.

Somewhat beside the point of this MR, but http2 support, which is already in gitlab-pages-ssl and registry-ssl, should probably be added to gitlab-ssl, too.

This MR should probably be looked at by the security team as well, so /cc @gitlab-com/gl-security/appsec

Does this MR meet the acceptance criteria?

Conformity

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
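A server block carrying the settings the MR description lists, as an added illustration and not the MR's actual diff: the hostname and file paths are placeholders, the cipher list is Mozilla's intermediate set, and the commented "before" lines only restate the items the description says it replaces.

```nginx
# Before (the settings the description says are removed or tightened):
#   ssl on;                                    # deprecated; redundant after "listen 443 ssl"
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # TLSv1 and TLSv1.1 still offered
#   add_header Strict-Transport-Security "max-age=31536000";   # one year

server {
    listen 443 ssl http2;               # "ssl" here replaces the deprecated "ssl on;"
    listen [::]:443 ssl http2;
    server_name gitlab.example.com;     # placeholder hostname

    ssl_certificate     /etc/ssl/certs/gitlab.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/gitlab.example.com.key; # placeholder path

    # Resumption via the server-side cache only: a longer timeout makes
    # renegotiation cheap, and with tickets off no long-lived ticket key
    # can weaken forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # Finite-field DH parameters for the DHE-* suites below.
    # Mozilla publishes a pre-generated group at https://ssl-config.mozilla.org/ffdhe2048.txt
    ssl_dhparam /etc/ssl/dhparam.pem;   # placeholder path

    # Mozilla "intermediate": TLS 1.2 and 1.3 only, AEAD suites with (EC)DHE,
    # client-preferred ordering so mobile clients can pick ChaCha20.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS for two years (63072000 s); "always" also sets it on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # ... location blocks proxying to GitLab Workhorse go here ...
}
```

After reloading, nginx -t should no longer warn about ssl on;, and a client forced to TLS 1.1 (for example openssl s_client -tls1_1) should fail the handshake while a TLS 1.3 client succeeds.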
