Add SSL client verification to all nginx configs

The option to verify a client through SSL certificates was only available for GitLab and GitLab CI. This commit adds the same option to Mattermost, Registry and GitLab Pages.

Add SSL client verification to all nginx configs
20f4e2b2 · Benoît Knecht · 12d452e9 · 20f4e2b2 · 20f4e2b2 · 20f4e2b2
Commit 20f4e2b2 authored 8 years ago by Benoît Knecht
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ are not the same (O Schwede) c4e83c5
 - Change default syntax for git_data_dirs ee831d9
 - Remove deprecated git-annex configuration 527b942
 - Expose GitLab Workhorse configuration file 835144e
+- Add option to verify clients with an SSL certificate to Mattermost, Registry and GitLab Pages
 - EE: Add a tracking database for GitLab Geo f1077d10
  
 8.17.3

--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -915,6 +915,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 # pages_nginx['redirect_http_to_https_port'] = 80
 # pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
 # pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
+# pages_nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
+# pages_nginx['ssl_verify_client'] = "off"
+# pages_nginx['ssl_verify_depth'] = "1"
 # pages_nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
 # pages_nginx['ssl_prefer_server_ciphers'] = "on"
  
@@ -1123,6 +1126,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 # mattermost_nginx['redirect_http_to_https_port'] = 80
 # mattermost_nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
 # mattermost_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
+# mattermost_nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
+# mattermost_nginx['ssl_verify_client'] = "off"
+# mattermost_nginx['ssl_verify_depth'] = "1"
 # mattermost_nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
 # mattermost_nginx['ssl_prefer_server_ciphers'] = "on"
  
@@ -1191,6 +1197,9 @@ external_url 'GENERATED_EXTERNAL_URL'
 # registry_nginx['ssl_prefer_server_ciphers'] = "on"
 # registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/certificate.pem"
 # registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/certificate.key"
+# registry_nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
+# registry_nginx['ssl_verify_client'] = "off"
+# registry_nginx['ssl_verify_depth'] = "1"
  
 ##! **Override only if you use a reverse proxy**
 ##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port

--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb
@@ -33,6 +33,14 @@ server {
  ssl on;
  ssl_certificate <%= @ssl_certificate %>;
  ssl_certificate_key <%= @ssl_certificate_key %>;
+  <% if @ssl_client_certificate %>
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+  <% end %>
+  <% if @ssl_verify_client %>
+  ssl_verify_client <%= @ssl_verify_client%>;
+  ssl_verify_depth <%= @ssl_verify_depth%>;
+  <% end %>
+
  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  ssl_protocols  <%= @ssl_protocols %>;

--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http.conf.erb
@@ -42,6 +42,10 @@ server {
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
+  <% if @ssl_verify_client %>
+  ssl_verify_client <%= @ssl_verify_client%>;
+  ssl_verify_depth <%= @ssl_verify_depth%>;
+  <% end %>
  
  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers '<%= @ssl_ciphers %>';

--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-registry-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-registry-http.conf.erb
@@ -42,6 +42,10 @@ server {
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
+  <% if @ssl_verify_client %>
+  ssl_verify_client <%= @ssl_verify_client%>;
+  ssl_verify_depth <%= @ssl_verify_depth%>;
+  <% end %>
  
  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_protocols  <%= @ssl_protocols %>;

--- a/spec/chef/recipes/nginx_spec.rb
+++ b/spec/chef/recipes/nginx_spec.rb
@@ -76,6 +76,13 @@ describe 'nginx' do
    }
  end
  
+  let(:http_conf) {{
+    "gitlab" => "/var/opt/gitlab/nginx/conf/gitlab-http.conf",
+    "mattermost" => "/var/opt/gitlab/nginx/conf/gitlab-mattermost-http.conf",
+    "registry" => "/var/opt/gitlab/nginx/conf/gitlab-registry.conf",
+    "pages" => "/var/opt/gitlab/nginx/conf/gitlab-pages.conf",
+  }}
+
  before do
    allow(Gitlab).to receive(:[]).and_call_original
  end
@@ -169,6 +176,102 @@ describe 'nginx' do
      expect(chef_run.node['gitlab']['registry-nginx']['proxy_set_headers']).to include(expect_headers)
      expect(chef_run.node['gitlab']['pages-nginx']['proxy_set_headers']).to include(expect_headers)
    end
+
+    it 'does not set ssl_client_certificate by default' do
+      http_conf.each_value do |conf|
+        expect(chef_run).to render_file(conf).with_content { |content|
+          expect(content).not_to include("ssl_client_certificate")
+        }
+      end
+    end
+
+    it 'does not set ssl_verify_client by default' do
+      http_conf.each_value do |conf|
+        expect(chef_run).to render_file(conf).with_content { |content|
+          expect(content).not_to include("ssl_verify_client")
+        }
+      end
+    end
+
+    it 'does not set ssl_verify_depth by default' do
+      http_conf.each_value do |conf|
+        expect(chef_run).to render_file(conf).with_content { |content|
+          expect(content).not_to include("ssl_verify_depth")
+        }
+      end
+    end
+
+    it 'sets the default ssl_verify_depth when ssl_verify_client is defined' do
+      verify_client = { "ssl_verify_client" => "on" }
+      stub_gitlab_rb(
+        "nginx" => verify_client,
+        "mattermost_nginx" => verify_client,
+        "registry_nginx" => verify_client,
+        "pages_nginx" => verify_client,
+      )
+      chef_run.converge('gitlab::default')
+      http_conf.each_value do |conf|
+        expect(chef_run).to render_file(conf).with_content { |content|
+          expect(content).to include("ssl_verify_depth 1")
+        }
+      end
+    end
+
+    it 'applies nginx verify client settings to gitlab-http' do
+      stub_gitlab_rb("nginx" => {
+        "ssl_client_certificate" => "/etc/gitlab/ssl/gitlab-http-ca.crt",
+        "ssl_verify_client" => "on",
+        "ssl_verify_depth" => "2",
+      })
+      chef_run.converge('gitlab::default')
+      expect(chef_run).to render_file(http_conf['gitlab']).with_content { |content|
+        expect(content).to include("ssl_client_certificate /etc/gitlab/ssl/gitlab-http-ca.crt")
+        expect(content).to include("ssl_verify_client on")
+        expect(content).to include("ssl_verify_depth 2")
+      }
+    end
+
+    it 'applies mattermost_nginx verify client settings to gitlab-mattermost-http' do
+      stub_gitlab_rb("mattermost_nginx" => {
+        "ssl_client_certificate" => "/etc/gitlab/ssl/gitlab-mattermost-http-ca.crt",
+        "ssl_verify_client" => "on",
+        "ssl_verify_depth" => "3",
+      })
+      chef_run.converge('gitlab::default')
+      expect(chef_run).to render_file(http_conf['mattermost']).with_content { |content|
+        expect(content).to include("ssl_client_certificate /etc/gitlab/ssl/gitlab-mattermost-http-ca.crt")
+        expect(content).to include("ssl_verify_client on")
+        expect(content).to include("ssl_verify_depth 3")
+      }
+    end
+
+    it 'applies registry_nginx verify client settings to gitlab-registry' do
+      stub_gitlab_rb("registry_nginx" => {
+        "ssl_client_certificate" => "/etc/gitlab/ssl/gitlab-registry-ca.crt",
+        "ssl_verify_client" => "off",
+        "ssl_verify_depth" => "5",
+      })
+      chef_run.converge('gitlab::default')
+      expect(chef_run).to render_file(http_conf['registry']).with_content { |content|
+        expect(content).to include("ssl_client_certificate /etc/gitlab/ssl/gitlab-registry-ca.crt")
+        expect(content).to include("ssl_verify_client off")
+        expect(content).to include("ssl_verify_depth 5")
+      }
+    end
+
+    it 'applies pages_nginx verify client settings to gitlab-pages' do
+      stub_gitlab_rb("pages_nginx" => {
+        "ssl_client_certificate" => "/etc/gitlab/ssl/gitlab-pages-ca.crt",
+        "ssl_verify_client" => "on",
+        "ssl_verify_depth" => "7",
+      })
+      chef_run.converge('gitlab::default')
+      expect(chef_run).to render_file(http_conf['pages']).with_content { |content|
+        expect(content).to include("ssl_client_certificate /etc/gitlab/ssl/gitlab-pages-ca.crt")
+        expect(content).to include("ssl_verify_client on")
+        expect(content).to include("ssl_verify_depth 7")
+      }
+    end
  end
  
  context 'when is enabled' do