Commit 841cf468 authored by Sheogorath's avatar Sheogorath 😴

gitlab: Enable GitLab's own CSP integration

Using GitLab's own CSP generation allows the use of proper nonces and
the like, which drops the requirement for `'unsafe-inline'` and `'unsafe-eval'`
in the CSP. This boosts security.

The current setup of this role disables the integration of recaptcha and
Google Cloud for K8s intentionally as on SI-GitLab it's not used anyway.
If you use this role to deploy it on your own infrastructure, the
default configs should provide you with the needed rules that you put
into the config of your ansible group.

For upstream reference, see the configs:
https://docs.gitlab.com/omnibus/settings/configuration.html#content-security-policy
https://gitlab.com/gitlab-org/gitlab-foss/-/blob/12-8-stable/config/gitlab.yml.example#L53
parent 9608960b
......@@ -20,6 +20,12 @@ gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
gitlab_libravatar_plain: "cdn.libravatar.org"
gitlab_libravatar_ssl: "seccdn.libravatar.org"
gitlab_csp:
img_src: 'https:'
#frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
#script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
#
# gitlab_saml:
# label: "SAML"
# groups_attribute: "roles"
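Review bot: The `gitlab_csp` default only defines `img_src`, yet the template in this commit also reads `default_src`, `script_src` and `frame_src` from it, so the override contract the commit message promises is not visible here; a comment above `gitlab_csp:` such as `# Extra CSP sources appended to the template's directives; recognised keys: default_src, script_src, frame_src, img_src` would make it explicit for group-vars authors. The commented examples `#frame_src:` / `#script_src:` lack the space after `#` that the neighbouring `# gitlab_saml:` lines use; `# frame_src: ...` keeps yamllint consistent. `img_src: 'https:'` allows image loads from any TLS origin, roughly as broad as the removed `img-src *`, which is acceptable for images but deserves a one-line comment stating it is intentional.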
......
......@@ -15,6 +15,22 @@ services:
prometheus_monitoring['enable'] = false
# CSP config
gitlab_rails['content_security_policy'] = {
enabled: true,
report_only: false,
directives: {
default_src: "'self' {{ gitlab_csp.default_src | default(omit) }}",
script_src: "'self' {{ gitlab_csp.script_src | default(omit) }}",
frame_ancestor: "'self'",
frame_src: "'self' {{ gitlab_csp.frame_src | default(omit) }}",
img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default(omit) }} data: blob:",
style_src: "'self' 'unsafe-inline'",
worker_src: "'self' blob:",
object_src: "'none'"
}
}
#Mail settings
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
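Review bot: `| default(omit)` on the `default_src`, `script_src`, `frame_src` and `img_src` lines does not omit anything inside rendered file content: `omit` is Ansible's placeholder string, which is only stripped when it is a whole module argument, so with this commit's defaults (only `img_src` is set) the placeholder text will, as far as I can tell, be written literally into the generated CSP directives. An empty-string default is the intended effect, e.g. `default_src: "'self' {{ gitlab_csp.default_src | default('') }}",` applied to all four lines. Separately, the key `frame_ancestor:` looks misspelt: the directive it replaces in the removed Traefik header is `frame-ancestors`, so `frame_ancestors: "'self'",` is the spelling the config should carry; as written the clickjacking protection may silently not be emitted. The enclosing block under `services:` starts before the hunk.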
......@@ -124,7 +140,6 @@ services:
# traefik V1
- "traefik.frontend.rule=Host:{{ gitlab_domain }};PathPrefix:/"
- "traefik.frontend.headers.STSSeconds=63072000"
- "traefik.frontend.headers.contentSecurityPolicy=object-src 'none'; worker-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data: blob:; frame-src 'self'; frame-ancestors 'self'; connect-src 'self'"
# traefik V2
- "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab.entrypoints=websecure"
......@@ -135,8 +150,6 @@ services:
- "traefik.http.services.gitlab.loadbalancer.server.port=80"
- "traefik.http.middlewares.gitlab.headers.sslredirect=true"
- "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
- "traefik.http.middlewares.gitlab.headers.contentSecurityPolicy=object-src 'none'; worker-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data: blob:; frame-src 'self'; frame-ancestors 'self'; connect-src 'self'"
- "traefik.port=80"
- "traefik.enable=true"