GitLab开启HTTPS模式, 证书在proxy代理层验证模式

生成证书

  1. 快速方式,docker进行快速生成

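     ---
     version: "3"
     services:
       # The service must be nested under "services:"; in the pasted listing it sat at the
       # same level, which makes "services" null and "acme.sh" a stray top-level key.
       acme.sh:
         image: neilpang/acme.sh
         container_name: acme.sh
         restart: always
         network_mode: host
         # Aliyun DNS-API validation. Ali_Key / Ali_Secret are DNS-write credentials:
         # leave them empty here and inject them at deploy time (an env file kept out of
         # version control, or a secret store) rather than committing real values.
         environment:
           - Ali_Key=""
           - Ali_Secret=""
         volumes:
           - ./ssl:/acme.sh
           - ./html:/webroot
         command: daemon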
    
  2. 手动生成

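    # Fetch the installer to a file first so it can be read before it runs as the current user;
    # it creates ~/.acme.sh/ for that user. (Piping a remote script straight into sh runs it blind.)
    curl -fsSL https://get.acme.sh -o get-acme.sh
    sh get-acme.sh

    # --issue: the first -d domain names the directory under ~/.acme.sh/ that holds the combined
    # certificate for all listed names; --webroot must be the directory the HTTP vhost serves
    # for /.well-known/acme-challenge/.
    acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /usr/share/nginx/html/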
    

    注意,在使用acme.sh时,--issue第一个域名,会以此创建目录,存储后面所有此域名下的合并证书,建议第一个域名写自己的根域名

    如果采用http认证,需要将验证文件与acme中--webroot指定的目录一致,通过nginx代理http域名可以访问到此文件

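    # Prefix match restricted to the ACME challenge path. The original "~ /.well-known" was an
    # unanchored regex with an unescaped ".", so it also matched URIs such as /foo/xwell-known.
    location ^~ /.well-known/acme-challenge/ {
        root   /usr/share/nginx/html;
    }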
    
  3. 配置nginx,以下为gitlab为例

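     upstream gitlab.mydomain.cn {
         server 192.168.1.100:80;
     }

     server {
         listen       80;
         server_name  gitlab.mydomain.cn;

         charset UTF-8;

         access_log  /var/log/nginx/gitlab.mydomain.cn.log  main;

         # Only the ACME HTTP-01 challenge path stays on plain HTTP so issue/renew keeps working;
         # everything else is redirected to HTTPS.
         location ^~ /.well-known/acme-challenge/ {
             root   /usr/share/nginx/html;
         }

         location / {
             return 301 https://$host$request_uri;
         }

         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
             root   /usr/share/nginx/html;
         }
     }

     server {
         listen       443 ssl;
         server_name  gitlab.mydomain.cn;
         charset utf-8;
         access_log  /var/log/nginx/gitlab.mydomain.cn.log  main;

         # Copy the files acme.sh wrote into its mydomain.cn directory to /etc/nginx/ssl/mydomain.cn/.
         # Serve fullchain.cer (leaf + intermediate), not mydomain.cn.cer (leaf only): with the leaf
         # alone, clients such as git and curl cannot build the chain and fail verification, which is
         # what later forces the sslVerify=false / GIT_SSL_NO_VERIFY workarounds on this page.
         ssl_certificate      /etc/nginx/ssl/mydomain.cn/fullchain.cer;
         ssl_certificate_key  /etc/nginx/ssl/mydomain.cn/mydomain.cn.key;

         # TLSv1 and TLSv1.1 are deprecated and were dropped from the original list.
         # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+; remove it if the build is older.
         ssl_protocols TLSv1.2 TLSv1.3;
         ssl_session_timeout 30m;
         ssl_session_cache shared:SSL:10m;
         ssl_prefer_server_ciphers on;
         # Same families as the original list with the 3DES suites (64-bit block cipher) removed.
         ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
         # openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048   (path matches the directive below)
         ssl_dhparam /etc/nginx/ssl/dhparams.pem;

         # Tell browsers to use HTTPS for this host from now on; "always" also adds it on error responses.
         add_header Strict-Transport-Security "max-age=31536000" always;

         # Improves TTFB by using a smaller SSL buffer than the nginx default
         ssl_buffer_size 8k;

         location / {
             proxy_pass http://gitlab.mydomain.cn;
             # GitLab runs plain HTTP behind this proxy; these headers let it generate https:// URLs
             # and log the real client address instead of the proxy's.
             proxy_set_header Host              $http_host;
             proxy_set_header X-Real-IP         $remote_addr;
             proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto https;
             proxy_set_header X-Forwarded-Ssl   on;
         }
     }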
    
  4. 验证生成的证书

    域名已经指向nginx监听80端口的公网地址,执行acme.sh命令, 此时需要将nginx 中的 443的配置注释,否则无法启动

  5. 下载gitlab,并安装,这里采用rpm、或者deb

    传送门

  6. 安装gitlab安装包

    # Run whichever line matches the package format that was downloaded (RPM or DEB);
    # long-form options spell out -ivh / -i.
    rpm --install --verbose --hash current_version.rpm
    dpkg --install current_version.deb
    
    1. 快速升级脚本 update.sh
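     #!/bin/bash
     # update.sh <package.deb>: stop the application processes, take a backup, install the
     # new package, restart. Aborts on the first failing command, so a failed backup (or a
     # missing argument) never leads straight into the install step as the original did.
     set -euo pipefail

     if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
         echo "usage: $0 /path/to/gitlab-package.deb" >&2
         exit 1
     fi

     # unicorn is the application server in the GitLab version this page targets;
     # newer releases ship puma instead — adjust the service name when crossing that change.
     gitlab-ctl stop unicorn
     gitlab-ctl stop sidekiq
     gitlab-ctl stop nginx

     # Backup before the package is touched; the listing shows that the new archive landed.
     gitlab-rake gitlab:backup:create
     ls -l /var/opt/gitlab/backups/

     dpkg -i "$1"

     gitlab-ctl restart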
    

    ./update.sh "$(pwd)/current_upgrade.deb"

  7. 配置gitlab.rb启用https

    Supporting proxied SSL

    备份

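    # -p keeps the mode and owner of gitlab.rb on the copy: the file holds secrets, and a plain
    # cp creates the backup with the umask's permissions, which is usually readable by every user.
    cp -p /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.backup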
    

    vi /etc/gitlab/gitlab.rb

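    # Proxied SSL: the reverse proxy terminates TLS, the bundled nginx stays on plain HTTP port 80
    # and relies on the X-Forwarded-* headers the proxy sets. external_url must be https so GitLab
    # generates https:// links. The original snippet only set the registry_* variants, which
    # configure the Container Registry, not the main site.
    external_url 'https://gitlab.mydomain.cn'

    nginx['listen_port'] = 80
    nginx['listen_https'] = false
    nginx['proxy_set_headers'] = {
      "X-Forwarded-Proto" => "https",
      "X-Forwarded-Ssl" => "on"
    }

    # Container Registry behind the same proxy (domain spelling fixed: mydomain, as elsewhere on
    # this page). NOTE(review): a registry on the same host normally needs its own port in its
    # URL, otherwise it collides with the main site's server block — confirm against your setup.
    registry_external_url 'https://gitlab.mydomain.cn'

    registry_nginx['listen_port'] = 80
    registry_nginx['listen_https'] = false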
    
  8. 访问http://gitlab.mydomain.cn域名即可。正常访问

  9. 本地git访问时需要忽略证书不验证

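    # Not needed once the proxy serves fullchain.cer (the chain, not just the leaf). If verification
    # still has to be switched off, scope it to this one host; the original --global http.sslVerify
    # disabled certificate checks for every HTTPS remote on the machine.
    git config --global http.https://gitlab.mydomain.cn/.sslVerify false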
    
  10. 配置gitlab-runner

    快速配置

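     ---
     version: '3.6'

     services:
       # Nested under "services:" — in the pasted listing the service key sat at the same level.
       gitlab-runner:
         container_name: gitlab-runner
         image: gitlab/gitlab-runner:alpine-v12.5.0
         restart: always
         network_mode: "host"
         volumes:
           # Access to the Docker socket is equivalent to root on the host: only CI jobs
           # you trust should be scheduled on this runner.
           - /var/run/docker.sock:/var/run/docker.sock
           - ./config.toml:/etc/gitlab-runner/config.toml
         environment:
           # Only justified while the proxy presents a leaf-only certificate;
           # remove once fullchain.cer is installed on the proxy.
           GIT_SSL_NO_VERIFY: "true"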
    

    在config.toml

     concurrent = 8
     check_interval = 10
     log_level = "info"

     [session_server]
     session_timeout = 1800

     [[runners]]
     name = "gitlab-runner"
     limit = 5
     # Plain HTTP towards the proxy; the nginx port-80 vhost has to accept this address.
     url = "http://gitlab.domain.cn/"
     # Token produced by `gitlab-ci-multi-runner register`, not the secret shown on the
     # GitLab admin runner page.
     token = "**********注册生成token,不是gitlab管理端runner几面的密钥,需要使用gitlab-ci-multi-runner register生成的密钥**********"
     executor = "docker"
     builds_dir = "/gitlab/runner-builds"
     cache_dir = "/gitlab/runner-cache"
     # Disables certificate checks for every git clone the jobs perform; only justified while
     # the proxy serves a leaf-only certificate.
     environment = ["GIT_SSL_NO_VERIFY=true"]

     # TOML ignores indentation, so the sub-table keys are written flush left.
     [runners.docker]
     image = "docker:latest"
     # privileged gives job containers full access to host devices/kernel features — needed only
     # for docker-in-docker style jobs; leave it false otherwise.
     privileged = true
     tls_verify = false
     dns = ["-.-.-.-."]
     disable_entrypoint_overwrite = false
     oom_kill_disable = false
     disable_cache = false
     volumes = ["/home/*/deploy/gitlab-runner/maven.xml:/usr/local/maven/default-maven/conf/settings.xml"]
     pull_policy = "if-not-present"
     shm_size = 0

     [runners.cache]
     [runners.cache.s3]
     [runners.cache.gcs]
    

    这几句是重点

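    # Plain HTTP towards the proxy; trust this address on the nginx side.
    # (TOML comments start with "#"; the original "//" lines are a syntax error.)
    url = "http://gitlab.domain.cn/"

    # Skip certificate verification when cloning — only justified while the proxy presents a
    # leaf-only certificate; remove once fullchain.cer is installed on the proxy.
    environment = [
            "GIT_SSL_NO_VERIFY=true",
    ]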
    
  11. nginx 配置gitlab pipeline的ws相关

    在https配置中增加以下配置,用于增加ws

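    # Goes in the http {} block: yields "upgrade" for WebSocket handshakes and "close" otherwise,
    # so a single Connection header is sent. The original set Connection twice in the same
    # location ("" and then "upgrade"), which is ambiguous.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # "location ~ ^/(.*)" is just a prefix match on "/", written as such here.
    location / {
        proxy_pass http://gitlab.mydomain.cn;
        proxy_http_version 1.1;
        proxy_set_header REMOTE_ADDR       $remote_addr;
        proxy_set_header Host              $http_host;
        # Proxy terminates TLS; GitLab needs these to build https:// URLs and see the client IP.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl   on;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }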