From e2c8ca3888194f558164cb5aaf23e0668888aeeb Mon Sep 17 00:00:00 2001
From: Sam Gleske
Date: Tue, 24 Sep 2013 14:15:03 -0400
Subject: [PATCH 1/2] More secure SSL and defined errordocuments

Now ErrorDocuments use GitLab error documents. When the backend service is down (i.e. Unicorn) then Apache will show a GitLab maintenance page (error 503). Other errors (404, 422, 500) are also included in the rewrite.

Updated SSL ciphers so that only the strongest SSL ciphers are allowed. This is primarily a security update for allowed encryption ciphers.
---
 web-server/apache/gitlab.conf | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/web-server/apache/gitlab.conf b/web-server/apache/gitlab.conf
index 6808114..fdc5a0e 100644
--- a/web-server/apache/gitlab.conf
+++ b/web-server/apache/gitlab.conf
@@ -16,7 +16,9 @@
  SSLEngine on
- SSLCipherSuite ALL:!ADH:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:-MEDIUM:!LOW:-SSLv2
+ #strong encryption ciphers only
+ #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
+ SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
  SSLCertificateFile /etc/httpd/ssl.crt/gitlab.example.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/gitlab.example.com.key
  SSLCACertificateFile /etc/httpd/ssl.crt/incommon-ca.crt
@@ -44,6 +46,12 @@
  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public
+ #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
+ ErrorDocument 404 /404.html
+ ErrorDocument 422 /422.html
+ ErrorDocument 500 /500.html
+ ErrorDocument 503 /deploy.html
+
  Order deny,allow
  Allow from all

From 7b5ff94cfcda004430e772387a78b17d1e114329 Mon Sep 17 00:00:00 2001
From: Sam Gleske
Date: Tue, 24 Sep 2013 15:25:48 -0400
Subject: [PATCH 2/2] Modified CA to be more generic

---
 web-server/apache/gitlab.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
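Review bot: The new `SSLCipherSuite` string in the first hunk does not match its own comment, because in OpenSSL cipher-list syntax `+HIGH` only moves the HIGH suites to the end of the list rather than restricting the list to them, and the leading `SSLv3:TLSv1` aliases select only suites defined for those protocol versions, so the TLSv1.2-only suites (AES-GCM and SHA256 ones) are left out entirely on an OpenSSL that supports them. Starting from the strength class states the intent directly, e.g. `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!ADH:!MD5:!MEDIUM:!LOW`. Protocol selection is a separate directive: `!SSLv2` in the cipher string removes SSLv2 suites but does not disable the protocol, so unless an `SSLProtocol` line exists elsewhere in the file (none is visible in this hunk) add `SSLProtocol all -SSLv2`, and add `SSLHonorCipherOrder on` so the server's preference rather than the client's decides among the remaining suites. The enclosing VirtualHost block starts and ends outside the hunk.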
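Review bot: `ErrorDocument 503 /deploy.html` in the second hunk only yields the maintenance page if Apache serves `/deploy.html` itself from `DocumentRoot /home/git/gitlab/public`; a local ErrorDocument path is handled as an internal redirect that goes through the rewrite rules again, so if the proxy rules elsewhere in this file forward every request to the backend, the redirect reaches the same dead backend and the client sees Apache's built-in 503 page instead. Those rules are not visible in this hunk, so confirm they skip files that exist under DocumentRoot (the usual `RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f` guard) and that this applies to all four pages, not just `deploy.html`. mod_proxy also answers some backend failures with 502 rather than 503, so `ErrorDocument 502 /502.html` is worth adding if the public directory ships that page. A comment on the block recording the dependency, `# these pages must be served by Apache from DocumentRoot, not proxied to the backend`, would keep a later rewrite change from silently breaking the maintenance page. The enclosing VirtualHost block starts and ends outside the hunk.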
diff --git a/web-server/apache/gitlab.conf b/web-server/apache/gitlab.conf
index fdc5a0e..d8cdeab 100644
--- a/web-server/apache/gitlab.conf
+++ b/web-server/apache/gitlab.conf
@@ -21,7 +21,7 @@
  SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
  SSLCertificateFile /etc/httpd/ssl.crt/gitlab.example.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/gitlab.example.com.key
- SSLCACertificateFile /etc/httpd/ssl.crt/incommon-ca.crt
+ SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
  ServerName gitlab.example.com
  ServerSignature Off
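Review bot: `SSLCACertificateFile` names the CA certificates Apache uses to verify client certificates (it pairs with `SSLVerifyClient`); it does not add the issuing CA to the chain the server sends to browsers. If `your-ca.crt` is meant to hold the intermediate that signed `gitlab.example.com.crt`, as the placeholder name suggests, clients that do not already trust that intermediate will fail validation, and the file belongs in `SSLCertificateChainFile /etc/httpd/ssl.crt/your-ca.crt` instead (on Apache 2.4.8 and later the chain can be appended to the file named by `SSLCertificateFile`). If client-certificate authentication really is intended, a comment above the directive, `# CA bundle for client certificate verification (SSLVerifyClient), not the server's chain`, would stop the two from being confused again. The enclosing VirtualHost block starts and ends outside the hunk.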