debian-mirror-gitlab/lib/support/nginx/registry-ssl
2023-05-27 22:25:52 +05:30

59 lines
2.3 KiB
Text

## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
listen *:80;
server_name registry.gitlab.example.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host$request_uri;
access_log /var/log/nginx/gitlab_registry_access.log gitlab_access;
error_log /var/log/nginx/gitlab_registry_error.log;
}
server {
# If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,
# it should be declared here as well
listen *:443 ssl http2;
server_name registry.gitlab.example.com;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl_certificate /etc/gitlab/ssl/registry.gitlab.example.com.crt
ssl_certificate_key /etc/gitlab/ssl/registry.gitlab.example.com.key
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# These settings are in line with the modern settings from https://ssl-config.mozilla.org/
# and are supported by all still-supported browsers since 2019. If you have specific needs
# for older settings, please consult the intermediate settings there.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
## [Optional] Enable HTTP Strict Transport Security
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
access_log /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
location / {
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_pass http://localhost:5000;
}
}