
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorBen Bodenmiller <bbodenmiller@hotmail.com>2014-09-08 10:17:37 +0400
committerBen Bodenmiller <bbodenmiller@hotmail.com>2014-09-08 10:17:37 +0400
commita2b36858f537d0c580a3eb0d9164d6976767f15b (patch)
treea6587ff6212201e9b0d1de480ae80440e9eb2b25 /lib/support
parent1d04a6fda7e5768dfc71cdffd74ede8f924ec647 (diff)
add optional nginx configs to make more secure
Diffstat (limited to 'lib/support')
-rw-r--r--lib/support/nginx/gitlab-ssl17
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index 9ab228b46d7..628439a0cf3 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -87,6 +87,23 @@ server {
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 10s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## cd /etc/ssl/certs
+ ## sudo openssl dhparam -out dhparam.pem 4096
+ ##
+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
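Review bot: The commented `resolver` line hard-codes a public third-party resolver (`208.67.222.222 208.67.222.220`), and its trailing comment treats using your own as a matter of preference. nginx uses this directive to look up the OCSP responder hostname over plain, unauthenticated DNS, which is why the nginx documentation recommends DNS servers on a trusted local network; with `ssl_stapling_verify on` a spoofed answer should only be able to break stapling rather than forge a response, but the lookups are still exposed to an outside party. I would change the line to `# resolver <your-trusted-resolver-ip> valid=300s; # Use a resolver on a network you trust; answers are not authenticated`. The comment above `ssl_trusted_certificate` could also say what the file must hold (the issuer's intermediate and root certificates in PEM form), and "certficate" in the first added line is a typo. The `server` block starts and ends outside this hunk.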