From 76e96878aad0a281f8c32ef98a276b499e2581ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chojnacki?=
Date: Fri, 3 Mar 2017 11:05:24 +0000
Subject: [PATCH] Stop setting Strict-Transport-Securty header from within the app

---
 app/controllers/application_controller.rb | 4 ----
 .../unreleased/3440-remove-hsts-header.yml | 4 ++++
 doc/update/8.17-to-9.0.md | 24 +++++++++++++++++++
 lib/support/nginx/gitlab-ssl | 3 +++
 4 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/unreleased/3440-remove-hsts-header.yml
 create mode 100644 doc/update/8.17-to-9.0.md

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32484f810da..cc7b7f247e8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -122,10 +122,6 @@ class ApplicationController < ActionController::Base
 headers['X-XSS-Protection'] = '1; mode=block'
 headers['X-UA-Compatible'] = 'IE=edge'
 headers['X-Content-Type-Options'] = 'nosniff'
- # Enabling HSTS for non-standard ports would send clients to the wrong port
- if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port == 443
- headers['Strict-Transport-Security'] = 'max-age=31536000'
- end
 end

 def validate_user_service_ticket!
diff --git a/changelogs/unreleased/3440-remove-hsts-header.yml b/changelogs/unreleased/3440-remove-hsts-header.yml
new file mode 100644
index 00000000000..0310e733f4e
--- /dev/null
+++ b/changelogs/unreleased/3440-remove-hsts-header.yml
@@ -0,0 +1,4 @@
+---
+title: Stop setting Strict-Transport-Securty header from within the app
+merge_request:
+author:
diff --git a/doc/update/8.17-to-9.0.md b/doc/update/8.17-to-9.0.md
new file mode 100644
index 00000000000..7b934ecd87a
--- /dev/null
+++ b/doc/update/8.17-to-9.0.md
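Review bot: After this hunk nothing in the controller records that Strict-Transport-Security is now expected from the reverse proxy, so the next reader of this header block will see the other security headers set here and may assume HSTS was dropped by mistake; a one-line comment after the `X-Content-Type-Options` line such as `# Strict-Transport-Security is deliberately not set here; it is configured in the reverse proxy (see lib/support/nginx/gitlab-ssl)` would preserve the intent. The removed branch was the only place HSTS was emitted for installations serving HTTPS on port 443, and the nginx template in the same commit adds the directive commented out, so an upgraded instance that was getting HSTS automatically will stop sending it until the operator edits the vhost — a weaker default, not a neutral move, and worth stating explicitly in the upgrade note. The removed comment's caveat about non-standard ports is also lost with this deletion and should be carried to wherever the directive now lives. The enclosing method begins before this hunk.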
@@ -0,0 +1,24 @@
+#### Nginx configuration
+
+Ensure you're still up-to-date with the latest NGINX configuration changes:
+
+```sh
+cd /home/git/gitlab
+
+# For HTTPS configurations
+git diff origin/8-17-stable:lib/support/nginx/gitlab-ssl origin/9-0-stable:lib/support/nginx/gitlab-ssl
+
+# For HTTP configurations
+git diff origin/8-17-stable:lib/support/nginx/gitlab origin/9-0-stable:lib/support/nginx/gitlab
+```
+
+If you are using Strict-Transport-Security in your installation to continue using it you must enable it in your Nginx
+configuration as GitLab application no longer handles setting it.
+
+If you are using Apache instead of NGINX please see the updated [Apache templates].
+Also note that because Apache does not support upstreams behind Unix sockets you
+will need to let gitlab-workhorse listen on a TCP port. You can do this
+via [/etc/default/gitlab].
+
+[Apache templates]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
+[/etc/default/gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/blob/9-0-stable/lib/support/init.d/gitlab.default.example#L38
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 5661394058d..330031aaddc 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -82,6 +82,9 @@ server {
 ##
 # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
+ ## [Optional] Enable HTTP Strict Transport Security
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
 ## Individual nginx logs for this GitLab vhost
 access_log /var/log/nginx/gitlab_access.log;
 error_log /var/log/nginx/gitlab_error.log;
--
GitLab
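Review bot: The example directive on the second added line is stronger than what the application used to send: it includes `includeSubDomains`, whereas the removed controller code sent only `max-age=31536000`, and a browser that receives it will refuse plain-HTTP connections to every subdomain of the GitLab host for a year, so an operator who uncomments it to restore the old behaviour may lock out non-TLS services on sibling hostnames. A comment spelling out the difference would avoid that, e.g. `# NOTE: includeSubDomains covers every subdomain of this host; omit it unless all of them are served over TLS`. The caveat from the removed Ruby code, that HSTS on a port other than 443 sends clients to the wrong port, also belongs next to this directive since it is now the only place the operator will see it. Note too that nginx does not inherit `add_header` into a `location` block that declares its own `add_header`; if any location in this vhost does so (not visible in this hunk), the header would be absent from those responses and the directive would need repeating there.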