How to configure custom nginx headers on gitlab community edition 15.0.0

Hello.

Could you please help me by teaching me how I can configure custom nginx headers in the embedded nginx of GitLab Community Edition 15.0.0? I need this because the security department is asking me to configure them. What I did was create a file with this configuration:

vim "/etc/gitlab/custom_configs/custom_nginx_configs.conf"

location / {
  add_header Set-Cookie "Path=/; HttpOnly; Secure; SameSite=strict";
}

location ~* .(?:css|js)$ {
  expires 1y;
  add_header Cache-Control "no-cache, no-store, must-revalidate";
  Pragma: "no-cache";
}

And I added in my gitlab.rb:

# Enable custom nginx configs

nginx['custom_nginx_config'] = "include /etc/gitlab/custom_configs/custom_nginx_configs.conf;\n"

Then, after restarting GitLab with "gitlab-ctl reconfigure", I checked the file "/var/opt/gitlab/nginx/conf/nginx.conf" and the file with the configurations is included there, but the changes are not reflected directly in the URL with the problem. I tested like this:

curl --insecure --head https://ip:8443/search?group_id&nav_source=navbar&project_id=61&repository_ref&scope=issues&search&search_code=false&snippets=false&utf8=%E2%9C%93

My GitLab configuration is this one (I changed the confidential information):

external_url 'https://myurl:8443'
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_sync_worker_cron'] = "0 */1 * * *"
gitlab_rails['ldap_servers'] = {
'main' => {
  'label' => 'HPC User',
  'host' =>  '192.168.20.226',
  'port' => 389,
  'uid' => 'cn',
  'verify_certificates' => false,
  'bind_dn' => 'cn=admin,dc=myurl,dc=com',
  'password' => 'mypasswordtest',
  'encryption' => 'plain',
  'tls_options' => {
    'ca_file' => '',
    'ssl_version' => '',
    'ciphers' => '',
    'cert' => '',
    'key' => ''
  },
  'timeout' => 10,
  'active_directory' => true,
  'allow_username_or_email_login' => true,
  'block_auto_created_users' => false,
  'base' => 'dc=quinde,dc=com',
  'user_filter' => '',
  'attributes' => {
    'username' => ['uid', 'userid', 'cn'],
    'name' => 'cn',
    'email' => 'mail',
    'first_name' => 'givenName',
    'last_name' => 'sn'
  },
  'lowercase_usernames' => false,
  }
}
gitlab_rails['backup_path'] = "/respaldos_git/"
git_data_dirs({
   "default" => {
   "path" => "/mnt/ap4200/git-data",
   "failure_count_threshold" => 10,
   "failure_wait_time" => 30,
   "failure_reset_time" => 1800,
   "storage_timeout" => 30
  }
})
gitlab_rails['extra_google_analytics_id'] = 'UA-68031487-3'
puma['worker_processes'] = 0
puma['per_worker_max_memory_mb'] = 1024
sidekiq['concurrency'] = 10
nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 8765
nginx['ssl_ciphers'] = "HIGH:!aNULL:!MD5:!3DES"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/private.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
gitlab_rails['content_security_policy'] = {
    enabled: true,
    report_only: false
}
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }
nginx['custom_nginx_config'] = "include /etc/gitlab/custom_configs/custom_nginx_configs.conf;\n"
logging['udp_log_shipping_host'] = '192.168.20.244'
logging['udp_log_shipping_hostname'] = 'srvgitmm-produccion'
logging['udp_log_shipping_port'] = 514
prometheus_monitoring['enable'] = false
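
A response-header check for the `curl --head` test described in the post, as an added example that is not part of the original post: it parses a captured response head and reports cookies missing `HttpOnly`, `Secure` or `SameSite=strict`, and responses without `no-store`. The sample response, the cookie name `app_session`, the function names and the choice of `SameSite=strict` as the expected policy (taken from the header in the question) are assumptions made for illustration.

```python
# Added example: audit headers captured with `curl --insecure --head <url>`.
# SAMPLE is constructed for illustration; it is not output from a real server.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: app_session=abc123; path=/; secure; HttpOnly
Set-Cookie: Path=/; HttpOnly; Secure; SameSite=strict

"""
COOKIE_ATTRS = {"path", "domain", "expires", "max-age", "samesite", "secure", "httponly"}

def parse_headers(raw):
    """Return (name, value) pairs, keeping repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line; handles CRLF too
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookie(value):
    """Check one Set-Cookie value against the flags requested in the question."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0] if parts else ""
    if not name or name.lower() in COOKIE_ATTRS:
        # The header carries attributes only, so it hardens no application cookie.
        return [f"Set-Cookie {value!r}: attributes only, no cookie name"]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = [f"cookie {name}: missing {f}" for f in ("httponly", "secure") if f not in attrs]
    if attrs.get("samesite") != "strict":   # assumed policy: the value used in the question
        findings.append(f"cookie {name}: SameSite is {attrs.get('samesite') or 'unset'}")
    return findings

def audit(raw):
    """Return a list of findings for cookie flags and cache headers."""
    headers = parse_headers(raw)
    findings = [f for n, v in headers if n == "set-cookie" for f in audit_cookie(v)]
    cache = ",".join(v.lower() for n, v in headers if n == "cache-control")
    if "no-store" not in cache:
        findings.append("Cache-Control: no-store not present")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

nginx's `add_header` emits an additional response header and does not modify cookies set by the upstream application, which is why the attribute-only `Set-Cookie` line is reported as its own finding.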