Commit b1dd7574 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Merge branch 'if-smartcard_omnibus_doc' into 'master'

Document omnibus config for smartcard auth

See merge request gitlab-org/gitlab-ee!8795
parents b4136e17 942d0b5f
...@@ -25,19 +25,38 @@ Certificate: ...@@ -25,19 +25,38 @@ Certificate:
Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com
``` ```
## Configure NGINX to request a client side certificate ## Configure GitLab for smartcard authentication
**For Omnibus installations**
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_rails['smartcard_enabled'] = true
gitlab_rails['smartcard_ca_file'] = "/etc/ssl/certs/CA.pem"
gitlab_rails['smartcard_client_certificate_required_port'] = 3444
```
1. Save the file and [reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
GitLab for the changes to take effect.
---
**For installations from source**
1. Configure NGINX to request a client side certificate
In NGINX configuration, an **additional** server context must be defined with In NGINX configuration, an **additional** server context must be defined with
the same configuration except: the same configuration except:
- The additional NGINX server context must be configured to run on a different - The additional NGINX server context must be configured to run on a different
port: port:
``` ```
listen *:3444 ssl; listen *:3444 ssl;
``` ```
- The additional NGINX server context must be configured to require the client - The additional NGINX server context must be configured to require the client
side certificate: side certificate:
``` ```
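Review bot: the Omnibus block sets `gitlab_rails['smartcard_ca_file'] = "/etc/ssl/certs/CA.pem"` without saying what the file is used for, while the source path below explains `ssl_verify_client on` for the extra NGINX context. Add a sentence to the Omnibus step stating that this is the CA bundle client certificates are verified against on the `smartcard_client_certificate_required_port` listener, and that the port needs to be reachable by users (firewall, load balancer), since an Omnibus reader otherwise gets no hint that a second TLS listener is involved.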
...@@ -46,18 +65,18 @@ the same configuration except: ...@@ -46,18 +65,18 @@ the same configuration except:
ssl_verify_client on; ssl_verify_client on;
``` ```
- The additional NGINX server context must be configured to forward the client - The additional NGINX server context must be configured to forward the client
side certificate: side certificate:
``` ```
proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;
``` ```
For example, the following is an example server context in an NGINX For example, the following is an example server context in an NGINX
configuration file (eg. in `/etc/nginx/sites-available/gitlab-ssl`): configuration file (eg. in `/etc/nginx/sites-available/gitlab-ssl`):
``` ```
server { server {
listen *:3444 ssl; listen *:3444 ssl;
# certificate for configuring SSL # certificate for configuring SSL
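Review bot: `proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;` is the header GitLab will trust for the smartcard identity, but the text only describes it for the additional context on port 3444. Add a note that the primary server context (and any proxy in front of NGINX) must not forward a client-supplied `X-SSL-Client-Certificate` header to Workhorse, otherwise a request on the normal port could carry a header that was never checked by `ssl_verify_client on`; clearing the header in the main context (for example `proxy_set_header X-SSL-Client-Certificate "";`) would make that explicit.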
...@@ -83,12 +102,8 @@ server { ...@@ -83,12 +102,8 @@ server {
proxy_pass http://gitlab-workhorse; proxy_pass http://gitlab-workhorse;
} }
} }
``` ```
## Configure GitLab for smartcard authentication
**For installations from source**
1. Edit `config/gitlab.yml`: 1. Edit `config/gitlab.yml`:
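Review bot: with the `## Configure GitLab for smartcard authentication` heading and the `**For installations from source**` label removed here, `1. Edit config/gitlab.yml:` becomes the second step of the source list that starts with `1. Configure NGINX to request a client side certificate`. Repeating `1.` is fine for markdown auto-numbering, but please check that this step sits at the same list level as the first one so it renders as step 2 rather than starting a new list after the fenced NGINX example.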
...@@ -105,4 +120,5 @@ server { ...@@ -105,4 +120,5 @@ server {
client_certificate_required_port: 3444 client_certificate_required_port: 3444
``` ```
1. Save the file and restart GitLab for the changes to take effect. 1. Save the file and [restart](../administration/restart_gitlab.md#installations-from-source)
GitLab for the changes to take effect.