Commit 81136b97 authored by Evan Read

Merge branch '30968-make-open-user-registration-setting-more-prominent-to-admins' into 'master'

Add documentation & helper text about securing a GitLab installation

See merge request gitlab-org/gitlab!18987
parents 9ba82eae f94170f6
...@@ -7,6 +7,8 @@ ...@@ -7,6 +7,8 @@
= f.check_box :signup_enabled, class: 'form-check-input' = f.check_box :signup_enabled, class: 'form-check-input'
= f.label :signup_enabled, class: 'form-check-label' do = f.label :signup_enabled, class: 'form-check-label' do
Sign-up enabled Sign-up enabled
.form-text.text-muted
= _("When enabled, any user visiting %{host} will be able to create an account.") % { host: "#{new_user_session_url(host: Gitlab.config.gitlab.host)}" }
.form-group .form-group
.form-check .form-check
= f.check_box :send_user_confirmation_email, class: 'form-check-input' = f.check_box :send_user_confirmation_email, class: 'form-check-input'
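Review bot: the `%{host}` placeholder in the new helper text is filled with `new_user_session_url(host: Gitlab.config.gitlab.host)`, which is a full sign-in URL rather than a host, so the rendered sentence reads "any user visiting https://<host>/users/sign_in will be able to create an account". Either pass just `Gitlab.config.gitlab.host` so the value matches the placeholder name, or rename the placeholder to `%{url}` and point it at the sign-up page (the Devise `new_user_registration_url` helper) instead of the sign-in page. In both cases the `"#{...}"` wrapper around a single method call is redundant, and the matching msgid added to `locale/gitlab.pot` in this merge request must be updated to the new string.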
---
title: Add documentation & helper text information regarding securing a GitLab instance
merge_request: 18987
author:
type: changed
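Review bot: the changelog title "helper text information regarding securing" is redundant and diverges from the commit message; suggest `title: Add documentation and helper text about securing a GitLab instance`. Since the helper text under the Sign-up enabled checkbox is new UI text rather than a change to existing behaviour, `type: added` describes the entry better than `type: changed`.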
...@@ -87,3 +87,7 @@ the above methods, provided the cloud provider supports it. ...@@ -87,3 +87,7 @@ the above methods, provided the cloud provider supports it.
- [Install GitLab on DigitalOcean](https://about.gitlab.com/blog/2016/04/27/getting-started-with-gitlab-and-digitalocean/): Install Omnibus GitLab on DigitalOcean. - [Install GitLab on DigitalOcean](https://about.gitlab.com/blog/2016/04/27/getting-started-with-gitlab-and-digitalocean/): Install Omnibus GitLab on DigitalOcean.
- _Testing only!_ [DigitalOcean and Docker Machine](digitaloceandocker.md): - _Testing only!_ [DigitalOcean and Docker Machine](digitaloceandocker.md):
Quickly test any version of GitLab on DigitalOcean using Docker Machine. Quickly test any version of GitLab on DigitalOcean using Docker Machine.
## Securing your GitLab installation
After completing your installation, check out our [recommended practices to secure your GitLab instance](../security/README.md#securing-your-gitlab-installation).
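Review bot: the link target `../security/README.md#securing-your-gitlab-installation` depends on the `## Securing your GitLab installation` heading being added to `doc/security/README.md` in this same merge request; if that hunk is reworded, this anchor silently breaks, so keep the two headings in sync or link straight to `../user/admin_area/settings/sign_up_restrictions.md`, which is the only concrete recommendation the target section currently makes.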
...@@ -19,3 +19,9 @@ type: index ...@@ -19,3 +19,9 @@ type: index
- [Send email confirmation on sign-up](user_email_confirmation.md) - [Send email confirmation on sign-up](user_email_confirmation.md)
- [Security of running jobs](https://docs.gitlab.com/runner/security/) - [Security of running jobs](https://docs.gitlab.com/runner/security/)
- [Proxying images](asset_proxy.md) - [Proxying images](asset_proxy.md)
## Securing your GitLab installation
To make sure your GitLab instance is safe and secure, please consider implementing
[Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) to avoid
malicious users creating accounts.
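Review bot: "please consider implementing" is softer than the imperative style used by the bullets above it, and the new section recommends only sign-up restrictions even though this index already links to email confirmation on sign-up and image proxying. Suggest "To reduce the risk of malicious users creating accounts, configure [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md)." and, if the other items are also recommended hardening steps, list them as bullets in the index's existing list style.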
...@@ -4,20 +4,42 @@ type: reference ...@@ -4,20 +4,42 @@ type: reference
# Sign-up restrictions **(CORE ONLY)** # Sign-up restrictions **(CORE ONLY)**
You can use sign-up restrictions to require user email confirmation, as well as You can use sign-up restrictions to:
to blacklist or whitelist email addresses belonging to specific domains.
>**Note**: These restrictions are only applied during sign-up. An admin is - Disable new signups.
- Require user email confirmation.
- Blacklist or whitelist email addresses belonging to specific domains.
NOTE: **Note:**
These restrictions are only applied during sign-up from an external user. An admin is
able to add a user through the admin panel with a disallowed domain. Also able to add a user through the admin panel with a disallowed domain. Also
note that the users can change their email addresses after signup to note that the users can change their email addresses after signup to
disallowed domains. disallowed domains.
## Disable new signups
When this setting is enabled, any user visiting your GitLab domain will be able to sign up for an account.
![Disable signups](img/disable_signup_v12_7.png)
You can restrict new users from signing up by themselves for an account in your instance by disabling this setting.
### Recommendations
For customers running public facing GitLab instances, we highly recommend that you
consider disabling new signups if you do not expect public users to sign up for an
account.
Alternatively, you could also consider setting up a
[whitelist](#whitelist-email-domains) or [blacklist](#blacklist-email-domains) on
email domains to prevent malicious users from creating accounts.
## Require email confirmation ## Require email confirmation
You can send confirmation emails during sign-up and require that users confirm You can send confirmation emails during sign-up and require that users confirm
their email address before they are allowed to sign in. their email address before they are allowed to sign in.
![Email confirmation](img/email_confirmation.png) ![Email confirmation](img/email_confirmation_v12_7.png)
## Minimum password length limit ## Minimum password length limit
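Review bot: under `## Disable new signups`, "When this setting is enabled, any user visiting your GitLab domain will be able to sign up" is ambiguous because the heading names the opposite action; the checkbox is labelled "Sign-up enabled" (see the HAML change in this merge request), so name it: "When **Sign-up enabled** is checked, any user visiting your GitLab domain can create an account. Uncheck it to prevent users from registering themselves." The note text "only applied during sign-up from an external user" reads awkwardly ("only applied during self-service sign-up" is clearer), and "For customers running public facing GitLab instances" should read "For administrators of public-facing GitLab instances" in user documentation. Also, the email confirmation screenshot is renamed to `email_confirmation_v12_7.png` and a new `disable_signup_v12_7.png` is referenced; binary additions are not shown in this view, so confirm both image files are part of the merge request.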
...@@ -20423,6 +20423,9 @@ msgstr "" ...@@ -20423,6 +20423,9 @@ msgstr ""
msgid "When a runner is locked, it cannot be assigned to other projects" msgid "When a runner is locked, it cannot be assigned to other projects"
msgstr "" msgstr ""
msgid "When enabled, any user visiting %{host} will be able to create an account."
msgstr ""
msgid "When enabled, users cannot use GitLab until the terms have been accepted." msgid "When enabled, users cannot use GitLab until the terms have been accepted."
msgstr "" msgstr ""