使用已有的 nginx 为gitlab提供 https 访问

[felix-cao]

安装方法参考 gitlab 安装指南，本文是在此基础上的补充，SSL 证书请在阿里云申请免费的证书，并下载到服务器.

一、修改 gitlab 配置文件

$ vi /etc/gitlab/gitlab.rb

修改为如下内容

#nginx['listen_port'] = 9000
nginx['enable'] = false
external_url 'https://git.56512.com'
web_server['external_users'] = ['www']
gitlab_rails['trusted_proxies'] = ['127.0.0.1']

git_data_dirs({
   "default" => {
       "path" => "/home/git/git-data",
       "failure_count_threshold" => 10,
       "failure_wait_time" => 30,
       "failure_rest_time" => 1800,
       "storage_timeout" => 30
    }
})

• nginx['enable'] = false, 禁用 gitlab 内置的 nginx
• web_server['external_users'] = ['www'] 设置现有 nginx 的用户名
• gitlab_rails['trusted_proxies'] = ['127.0.0.1'] 设置现有Nginx的受信代理

内容参考 官网 configuration

二、nginx 配置

$ vi /usr/local/nginx/conf/vhost/git.56512.com.conf

配置内容如下

upstream gitlab-workhorse {
        # 域名对应 gitlab配置中的 external_url
        # 端口对应 gitlab 配置中的 nginx['listen_port']
        #server  127.0.0.1:9000;
        #server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
        server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
server {
        listen 80;
        server_name git.56512.com;
        return 301 https://$http_host$request_uri;
        #rewrite ^/.*$ https://$host$request_uri? permanent;
        access_log  /home/wwwlogs/git.56512.access.80.log;
        error_log  /home/wwwlogs/git.56512.error.80.log;
}

server {
        listen 443 ssl;
        server_tokens off;
        server_name git.56512.com;
        root /opt/gitlab/embedded/service/gitlab-rails/public;

        ssl_certificate /home/wwwroot/ssh/git.56512.com.crt;
        ssl_certificate_key /home/wwwroot/ssh/git.56512.com.key;

        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        location / {
                client_max_body_size 0;
                gzip off;

                proxy_read_timeout      300;
                proxy_connect_timeout   300;
                proxy_redirect          off;

                proxy_http_version 1.1;

                proxy_set_header    Host                $http_host;
                proxy_set_header    X-Real-IP           $remote_addr;
                proxy_set_header    X-Forwarded-Ssl     on;
                proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Proto   $scheme;
                proxy_pass http://gitlab-workhorse;
        }
        access_log  /home/wwwlogs/git.56512.access.443.log;
        error_log  /home/wwwlogs/git.56512.error.443.log;
}

• 两处访问呢及错误日志，443和80端口都设有错误及访问日志，目的是为了排错

问题： 这样仍然没有解决掉 https 下免密拉取代码！ 内容参考 官网 Vhost (server block)

[felix-cao]

• 在日志中找到错误

  connect() to unix:/var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied) while connecting to upstream，

  解决方案： 把安装 nginx 时创建的 www 用户加到用户组 git 和 gitlab-www

  usermod -aG git www
  usermod -aG gitlab-www www

  从官方的 issue 找到解决方案

[felix-cao]

• 从日志中找到错误：

  connect() to unix:/var/opt/gitlab/gitlab-workhorse/socket failed (2: No such file or directory) while connecting to upstream

  解决方案：将配置文件中的 /var/opt/gitlab/gitlab-workhorse/socket 改为 server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket

从官方的 issue 找到解决方案