GitLab in HTTPS mode, with the certificate handled at the nginx proxy layer
Generating the certificate
Quick way: generate it with docker
```yaml
version: "3"
services:
  acme.sh:
    image: neilpang/acme.sh
    container_name: acme.sh
    restart: always
    network_mode: host
    # Uses the Alibaba Cloud DNS API mode for validation
    environment:
      Ali_Key: ""      # fill in the AccessKey ID
      Ali_Secret: ""   # fill in the AccessKey secret
    volumes:
      - ./ssl:/acme.sh
      - ./html:/webroot
    command: daemon
```
Manual generation
```bash
curl https://get.acme.sh | sh   # creates ~/.acme.sh/ under the current user
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /usr/share/nginx/html/
```
Note: when running acme.sh, the first domain given to --issue names the directory that stores the combined certificate for every domain in that command, so it is best to put your root domain first.
If you use HTTP validation, the validation file must live in the directory passed to acme.sh with --webroot, and the HTTP virtual host proxied by nginx must be able to serve that file.
```nginx
location ~ /.well-known {
    root /usr/share/nginx/html;
}
```
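The pairing above (the directory given to acme.sh with --webroot and the `root` of the nginx `/.well-known` location) is exactly what HTTP-01 validation depends on. The Python below is an added example, not code from this post or from acme.sh: it builds the key authorization the way RFC 8555 describes it (the challenge token plus the RFC 7638 thumbprint of the account key), writes it where acme.sh's webroot mode would, and then resolves the request path the way nginx's `root` directive does, so the effect of pointing the two at different directories is visible. The JWK and token are constructed values, and `serve_like_nginx_root` is a hypothetical stand-in for nginx, not nginx itself.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge file body is <token>.<account key thumbprint>."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("ACME tokens are base64url; refuse anything else as a file name")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, jwk: dict) -> Path:
    """What --webroot mode does: drop the key authorization under .well-known/acme-challenge/."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, jwk), encoding="ascii")
    return path


def serve_like_nginx_root(root: str, uri: str) -> Optional[bytes]:
    """Hypothetical stand-in for nginx's `root`: the file served is root + uri.
    Anything that resolves outside root is refused, as nginx refuses it."""
    base = Path(root).resolve()
    target = (base / uri.lstrip("/")).resolve()
    if base not in target.parents or not target.is_file():
        return None
    return target.read_bytes()


def challenge_is_served(nginx_root: str, webroot: str, token: str, jwk: dict) -> bool:
    """True only when the nginx location's root is the directory acme.sh wrote into."""
    write_challenge(webroot, token, jwk)
    body = serve_like_nginx_root(nginx_root, f"/.well-known/acme-challenge/{token}")
    return body is not None and body.decode("ascii") == key_authorization(token, jwk)


def demo() -> dict:
    """Constructed account key and token (not a real key); returns the outcomes of each check."""
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key", "alg": "RS256"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    with tempfile.TemporaryDirectory() as same, tempfile.TemporaryDirectory() as other:
        return {
            "thumbprint_len": len(jwk_thumbprint(jwk)),
            # extra members such as "alg" and member order do not change the thumbprint
            "canonical": jwk_thumbprint(jwk) == jwk_thumbprint({"n": jwk["n"], "e": "AQAB", "kty": "RSA"}),
            # root of the /.well-known location == --webroot: the CA would see the file
            "same_dir_ok": challenge_is_served(same, same, token, jwk),
            # root points elsewhere: acme.sh wrote the file but nginx answers 404
            "wrong_root_fails": not challenge_is_served(other, same, token, jwk),
            "traversal_refused": serve_like_nginx_root(same, "/../../etc/passwd") is None,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same logic is a useful pre-flight check before running `acme.sh --issue`: write a file under `<webroot>/.well-known/acme-challenge/` and fetch it through the port-80 virtual host; if that request is redirected to HTTPS or returns 404, the `location ~ /.well-known` block is not being matched or its `root` differs from the --webroot path.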
Configure nginx; the following uses GitLab as the example.
```nginx
upstream gitlab.mydomain.cn {
    server 192.168.1.100:80;
}

server {
    listen 80;
    server_name gitlab.mydomain.cn;

    charset UTF-8;

    access_log /var/log/nginx/gitlab.mydomain.cn.log main;

    # Must stay reachable over plain HTTP for the acme.sh webroot validation
    location ~ /.well-known {
        root /usr/share/nginx/html;
    }

    location / {
        # root /usr/share/nginx/html;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

server {
    listen 443 ssl;
    server_name gitlab.mydomain.cn;
    charset utf-8;
    access_log /var/log/nginx/gitlab.mydomain.cn.log main;

    # Copy the certificate files from the domain directory acme.sh generated into /etc/nginx/ssl/mydomain.cn/.
    # ssl on;
    ssl_certificate /etc/nginx/ssl/mydomain.cn/mydomain.cn.cer;
    ssl_certificate_key /etc/nginx/ssl/mydomain.cn/mydomain.cn.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 30m;
    ssl_prefer_server_ciphers on;
    # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    # openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    location / {
        proxy_pass http://gitlab.mydomain.cn;
        # root /usr/share/nginx/html;
    }
}
```
Verifying the generated certificate
With the domain already resolving to the public address on which nginx listens on port 80, run the acme.sh command. At this point the 443 server block in nginx must be commented out, otherwise nginx will not start, because the certificate files it references do not exist yet.
Download and install GitLab; here the rpm or deb package is used.
Install the GitLab package
```bash
rpm -ivh current_version.rpm
dpkg -i current_version.deb
```
- Quick upgrade script update.sh
```bash
#!/bin/bash
# Usage: ./update.sh /path/to/gitlab-package.deb
set -euo pipefail

if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "usage: $0 <gitlab .deb package>" >&2
    exit 1
fi

gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq
gitlab-ctl stop nginx

# Take a full backup before the package is replaced, then list it to confirm it was written
gitlab-rake gitlab:backup:create
ls /var/opt/gitlab/backups/

dpkg -i "$1"

gitlab-ctl restart
```
```bash
./update.sh $(pwd)/current_upgrade.deb
```
Configure gitlab.rb to enable HTTPS
Back up the current configuration
```bash
cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.backup
```
vi /etc/gitlab/gitlab.rb
```ruby
registry_external_url 'https://gitlab.mydomain.cn'

registry_nginx['listen_port'] = 80
registry_nginx['listen_https'] = false
```
Visit http://gitlab.mydomain.cn and the site is served normally.
For local git access, certificate verification has to be switched off:
```bash
git config --global http.sslVerify false
```
Configuring gitlab-runner
Quick setup
```yaml
version: '3.6'

services:
  gitlab-runner:
    container_name: gitlab-runner
    image: gitlab/gitlab-runner:alpine-v12.5.0
    restart: always
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config.toml:/etc/gitlab-runner/config.toml
    environment:
      GIT_SSL_NO_VERIFY: "true"
```
In config.toml
```toml
concurrent = 8
check_interval = 10
log_level = "info"

[session_server]
  session_timeout = 1800

[[runners]]
  limit = 5

  name = "gitlab-runner"
  url = "http://gitlab.domain.cn/"
  # The token produced by `gitlab-ci-multi-runner register`, not the registration
  # token shown on the Runner page of the GitLab admin UI.
  token = "<runner token>"

  executor = "docker"
  builds_dir = "/gitlab/runner-builds"
  cache_dir = "/gitlab/runner-cache"
  environment = [
    "GIT_SSL_NO_VERIFY=true",
  ]
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    dns = ["-.-.-.-."]   # placeholder: the DNS server the build containers should use
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/home/*/deploy/gitlab-runner/maven.xml:/usr/local/maven/default-maven/conf/settings.xml"]
    pull_policy = "if-not-present"
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
```
These lines are the key point:
```toml
# Use plain HTTP; this address is trusted on the nginx side
url = "http://gitlab.domain.cn/"

# Skip HTTPS certificate verification when the job clones the code
environment = [
  "GIT_SSL_NO_VERIFY=true",
]
```
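The settings this walkthrough relies on (`GIT_SSL_NO_VERIFY` in the compose file and in config.toml, `tls_verify = false`, `privileged = true`, the plain-HTTP runner `url`, the mounted Docker socket, and the `ssl_protocols` line of the nginx 443 block earlier on the page) each trade safety for convenience, and they are easy to forget once the pipeline works. The script below is an added example, not part of this post or of gitlab-runner: a line-oriented audit that reports those settings in a runner config.toml, a docker-compose file and an nginx server block, with the hardened counterpart noted for each finding. The three inputs are constructed, trimmed copies of the fragments shown on this page; `audit` and `RULES` are names chosen for this example.

```python
import re
from typing import List, Tuple

# Each rule: (pattern, why it matters to a defender, hardened counterpart).
RULES: List[Tuple["re.Pattern", str, str]] = [
    (re.compile(r'GIT_SSL_NO_VERIFY\s*[=:]\s*"?true"?'),
     "git certificate verification disabled; clones accept any certificate",
     "remove it and trust the issuing CA instead (GIT_SSL_CAINFO or the image's CA store)"),
    (re.compile(r'^\s*tls_verify\s*=\s*false'),
     "docker executor does not verify the Docker daemon's TLS certificate",
     "tls_verify = true with tls_cert_path pointing at the daemon's CA"),
    (re.compile(r'^\s*privileged\s*=\s*true'),
     "privileged build containers can reach the host kernel and devices",
     "privileged = false unless docker-in-docker is really required"),
    (re.compile(r'^\s*url\s*=\s*"http://'),
     "runner reaches GitLab over plain HTTP; runner and job tokens travel in clear",
     'url = "https://..." terminated by the nginx 443 server block'),
    (re.compile(r'/var/run/docker\.sock:'),
     "host Docker socket mounted into the container; equivalent to root on the host",
     "run this only on a dedicated runner host and restrict who can push jobs to it"),
    (re.compile(r'^\s*ssl_protocols\b.*\bTLSv1(\.1)?(?![.\d])'),
     "TLS 1.0/1.1 enabled in nginx",
     "ssl_protocols TLSv1.2 TLSv1.3;"),
]


def audit(text: str, source: str) -> List[Tuple[str, int, str, str]]:
    """Return (source, line number, finding, fix) for every line that matches a rule.
    Text after '#' is ignored, so commented-out settings are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]
        for pattern, why, fix in RULES:
            if pattern.search(code):
                findings.append((source, lineno, why, fix))
    return findings


# Constructed inputs: trimmed copies of the fragments shown on this page.
RUNNER_TOML = """\
[[runners]]
  name = "gitlab-runner"
  url = "http://gitlab.domain.cn/"
  executor = "docker"
  environment = [
    "GIT_SSL_NO_VERIFY=true",
  ]
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
"""

COMPOSE_YAML = """\
services:
  gitlab-runner:
    image: gitlab/gitlab-runner:alpine-v12.5.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config.toml:/etc/gitlab-runner/config.toml
    environment:
      GIT_SSL_NO_VERIFY: "true"
"""

NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols TLSv1.2 TLSv1.3;   (commented out, so not reported)
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    inputs = (("config.toml", RUNNER_TOML), ("docker-compose.yml", COMPOSE_YAML), ("nginx.conf", NGINX_CONF))
    for name, doc in inputs:
        for source, lineno, why, fix in audit(doc, name):
            print(f"{source}:{lineno}: {why}\n    fix: {fix}")
```

Run against the page's own fragments it reports four findings in config.toml, two in the compose file and one in the nginx block. Because the nginx proxy already terminates a publicly trusted acme.sh certificate, the git-side bypass is normally only needed while the runner is pointed at the plain-HTTP `url`; switching the runner to the HTTPS address removes the reason for both `GIT_SSL_NO_VERIFY` settings at once.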
nginx configuration for GitLab pipeline WebSocket (ws) traffic
Add the following to the HTTPS server block to support ws. The original location set the Connection header twice (once to "" and once to "upgrade"); the map below, placed in the http context, sends "upgrade" only when the client actually asked for an upgrade and "close" otherwise. Note that this regex location takes precedence over the plain `location /` of the 443 block above, so it handles every request.
```nginx
# in the http {} context
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# inside the 443 server block
location ~ ^/(.*) {
    proxy_pass http://gitlab.mydomain.cn;
    proxy_set_header REMOTE_ADDR $remote_addr;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
```