Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/security
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-20 17:34:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-20 17:34:42 +0300
commit9f46488805e86b1bc341ea1620b866016c2ce5ed (patch)
treef9748c7e287041e37d6da49e0a29c9511dc34768 /doc/security
parentdfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff)
Add latest changes from gitlab-org/gitlab@13-0-stable-ee
Diffstat (limited to 'doc/security')
-rw-r--r--doc/security/README.md4
-rw-r--r--doc/security/asset_proxy.md2
-rw-r--r--doc/security/crime_vulnerability.md24
-rw-r--r--doc/security/rack_attack.md28
-rw-r--r--doc/security/webhooks.md2
5 files changed, 21 insertions, 39 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index c21d99658b8..e2375c0f0b5 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -23,6 +23,4 @@ type: index
## Securing your GitLab installation
-To make sure your GitLab instance is safe and secure, please consider implementing
-[Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) to avoid
-malicious users creating accounts.
+Consider access control features like [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) and [Authentication options](../topics/authentication/) to harden your GitLab instance and minimize the risk of unwanted user account creation.
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index d042fb3efe7..91a35c2f2a9 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -63,6 +63,6 @@ For example, the following is a link to an image in Markdown:
The following is an example of a source link that could result:
-```text
+```plaintext
http://proxy.gitlab.example.com/f9dd2b40157757eb82afeedbf1290ffb67a3aeeb/68747470733a2f2f61626f75742e6769746c61622e636f6d2f696d616765732f70726573732f6c6f676f2f6a70672f6769746c61622d69636f6e2d7267622e6a7067
```
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
index 93edbc69eb0..2496029d93e 100644
--- a/doc/security/crime_vulnerability.md
+++ b/doc/security/crime_vulnerability.md
@@ -14,14 +14,14 @@ authenticated web session, allowing the launching of further attacks.
The TLS Protocol CRIME Vulnerability affects systems that use data compression
over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use
-SSL Compression (for example, gzip) or SPDY (which optionally uses compression).
+SSL Compression (for example, Gzip) or SPDY (which optionally uses compression).
-GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME
-vulnerability by deactivating gzip when HTTPS is enabled. The sources of the
+GitLab supports both Gzip and [SPDY](http://nginx.org/en/docs/http/ngx_http_spdy_module.html) and mitigates the CRIME
+vulnerability by deactivating Gzip when HTTPS is enabled. The sources of the
files are here:
-- [Source installation NGINX file][source-nginx]
-- [Omnibus installation NGINX file][omnibus-nginx]
+- [Source installation NGINX file](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/support/nginx/gitlab-ssl)
+- [Omnibus installation NGINX file](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
Although SPDY is enabled in Omnibus installations, CRIME relies on compression
(the 'C') and the default compression level in NGINX's SPDY module is 0
@@ -29,7 +29,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression
## Nessus
-The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab
+The Nessus scanner, [reports a possible CRIME vulnerability](https://www.tenable.com/plugins/index.php?view=single&id=62565) in GitLab
similar to the following format:
```plaintext
@@ -55,15 +55,9 @@ vulnerability.
## References
-- NGINX ["Module ngx_http_spdy_module"][ngx-spdy]
-- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus]
-- Wikipedia contributors, ["CRIME"][wiki-crime] Wikipedia, The Free Encyclopedia
-
-[source-nginx]: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/support/nginx/gitlab-ssl
-[omnibus-nginx]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
-[ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html
-[nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565
-[wiki-crime]: https://en.wikipedia.org/wiki/CRIME
+- NGINX ["Module ngx_http_spdy_module"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html)
+- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"](https://www.tenable.com/plugins/index.php?view=single&id=62565)
+- Wikipedia contributors, ["CRIME"](https://en.wikipedia.org/wiki/CRIME) Wikipedia, The Free Encyclopedia
<!-- ## Troubleshooting
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index 9ce2a9bb1ae..5d18746e4e0 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -36,27 +36,20 @@ will be enabled:
### Protected paths throttle
-NOTE: **Note:** Omnibus GitLab protected paths throttle is deprecated and is scheduled for removal in
-GitLab 13.0. Please refer to [Migrate settings from GitLab 12.3 and earlier](../user/admin_area/settings/protected_paths.md#migrate-settings-from-gitlab-123-and-earlier).
-
GitLab responds with HTTP status code `429` to POST requests at protected paths
that exceed 10 requests per minute per IP address.
By default, protected paths are:
-```ruby
-default['gitlab']['gitlab-rails']['rack_attack_protected_paths'] = [
- '/users/password',
- '/users/sign_in',
- '/api/#{API::API.version}/session.json',
- '/api/#{API::API.version}/session',
- '/users',
- '/users/confirmation',
- '/unsubscribes/',
- '/import/github/personal_access_token',
- '/admin/session'
-]
-```
+- `/users/password`
+- `/users/sign_in`
+- `/api/#{API::API.version}/session.json`
+- `/api/#{API::API.version}/session`
+- `/users`
+- `/users/confirmation`
+- `/unsubscribes/`
+- `/import/github/personal_access_token`
+- `/admin/session`
This header is included in responses to blocked requests:
@@ -141,9 +134,6 @@ taken in order to enable protection for your GitLab instance:
config.middleware.use Rack::Attack
```
-1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb`
-1. Open `config/initializers/rack_attack.rb`, review the
- `paths_to_be_protected`, and add any other path you need protecting
1. Restart GitLab:
```shell
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index bd05cbff05e..27f79dbdf66 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -78,7 +78,7 @@ will whitelist all ports on all IPs in that range.
Example:
-```text
+```plaintext
example.com;gitlab.example.com
127.0.0.1,1:0:0:0:0:0:0:1
127.0.0.0/8 1:0:0:0:0:0:0:0/124
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-16 05:08:13 +0300