Merge branch 'if-smartcard_omnibus_doc' into 'master'

Document omnibus config for smartcard auth See merge request gitlab-org/gitlab-ee!8795

Merge branch 'if-smartcard_omnibus_doc' into 'master'
Document omnibus config for smartcard auth See merge request gitlab-org/gitlab-ee!8795
b1dd7574 · Achilleas Pipinellis · b4136e17 · 942d0b5f · b1dd7574
Commit b1dd7574 authored Dec 17, 2018 by Achilleas Pipinellis
Show whitespace changes
Inline Side-by-side

Showing with 74 additions and 58 deletions

doc/administration/auth/smartcard.md doc/administration/auth/smartcard.md +74 -58

No files found.
--- a/doc/administration/auth/smartcard.md
+++ b/doc/administration/auth/smartcard.md
@@ -25,19 +25,38 @@ Certificate:
        Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com
 ```

-## Configure NGINX to request a client side certificate
+## Configure GitLab for smartcard authentication
+
+**For Omnibus installations**
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+    ```ruby
+    gitlab_rails['smartcard_enabled'] = true
+    gitlab_rails['smartcard_ca_file'] = "/etc/ssl/certs/CA.pem"
+    gitlab_rails['smartcard_client_certificate_required_port'] = 3444
+    ```
+
+1. Save the file and [reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
+   GitLab for the changes to take effect.
+
+---
+
+**For installations from source**
+
+1. Configure NGINX to request a client side certificate

-In NGINX configuration, an **additional** server context must be defined with
-the same configuration except:
+   In NGINX configuration, an **additional** server context must be defined with
+   the same configuration except:

- The additional NGINX server context must be configured to run on a different
+   - The additional NGINX server context must be configured to run on a different
     port:

     ```
     listen *:3444 ssl;
     ```

- The additional NGINX server context must be configured to require the client
+   - The additional NGINX server context must be configured to require the client
     side certificate:

     ```
@@ -46,18 +65,18 @@ the same configuration except:
     ssl_verify_client on;
     ```

- The additional NGINX server context must be configured to forward the client
+   - The additional NGINX server context must be configured to forward the client
     side certificate:

     ```
     proxy_set_header    X-SSL-Client-Certificate    $ssl_client_escaped_cert;
     ```

-For example, the following is an example server context in an NGINX
-configuration file (eg. in `/etc/nginx/sites-available/gitlab-ssl`):
+   For example, the following is an example server context in an NGINX
+   configuration file (eg. in `/etc/nginx/sites-available/gitlab-ssl`):

-```
-server {
+   ```
+   server {
       listen *:3444 ssl;

       # certificate for configuring SSL
@@ -83,12 +102,8 @@ server {

           proxy_pass http://gitlab-workhorse;
       }
-}
-```
-
-## Configure GitLab for smartcard authentication
-
-**For installations from source**
+   }
+   ```

 1. Edit `config/gitlab.yml`:

@@ -105,4 +120,5 @@ server {
     client_certificate_required_port: 3444
   ```

-1. Save the file and restart GitLab for the changes to take effect.
+1. Save the file and [restart](../administration/restart_gitlab.md#installations-from-source)
+   GitLab for the changes to take effect.