GitLab 开启 HTTPS：TLS 证书由前置的 nginx 代理层持有并终止，GitLab 本身仍以 HTTP 方式监听（proxied SSL 模式）

生成证书

  1. 快速方式：用 docker 运行 acme.sh 生成证书

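    version: "3"
    services:
      acme.sh:
        image: neilpang/acme.sh
        container_name: acme.sh
        restart: always
        # DNS-01 validation through the Alibaba Cloud DNS API. Read the
        # credentials from the shell environment / an uncommitted .env file:
        # a hard-coded Ali_Key/Ali_Secret in this file is a live credential
        # for the whole DNS zone (and thus for issuing certs for any name in it).
        environment:
          - Ali_Key=${Ali_Key}
          - Ali_Secret=${Ali_Secret}
        volumes:
          # Holds the ACME account key and every issued private key;
          # keep it root-only on the host (chmod 700 ./ssl).
          - ./ssl:/acme.sh
          - ./html:/webroot
        # DNS-01 and --webroot only make outbound connections, so host
        # networking is not required; add `network_mode: host` only if you
        # switch to --standalone, which listens on port 80 itself.
        command: daemon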
    
  2. 手动生成

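    # Download the installer to a file and read it before running it instead of
    # piping a remote script straight into sh. It installs into ~/.acme.sh/
    # for the current user.
    curl -fsSL https://get.acme.sh -o get-acme.sh
    less get-acme.sh
    sh get-acme.sh

    # Issue one certificate covering both names. The first -d becomes the
    # directory name under ~/.acme.sh/, so put the bare domain first.
    # Current acme.sh releases default to ZeroSSL as the CA; add
    # `--server letsencrypt` if you want Let's Encrypt.
    acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /usr/share/nginx/html/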
    
    

    注意,在使用acme.sh时,--issue第一个域名,会以此创建目录,存储后面所有此域名下的合并证书,建议第一个域名写自己的根域名

    如果采用 HTTP-01 认证，nginx 为该域名提供的目录必须与 acme.sh 的 `--webroot` 参数指向同一目录，这样 CA 通过 http://域名/.well-known/acme-challenge/ 才能访问到验证文件：

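        # ACME HTTP-01 challenge files written by acme.sh --webroot.
        # ^~ is an anchored prefix match that no regex location can override;
        # the original `~ /.well-known` regex matched that text anywhere in the
        # URI (and "." matched any character), exposing more than intended.
        location ^~ /.well-known/acme-challenge/ {
        root   /usr/share/nginx/html;
        }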
    
  3. 配置 nginx，以下以 gitlab 为例

    # The hop from this proxy to the GitLab host is plain HTTP: TLS ends here.
    # Keep 192.168.1.100:80 reachable only from this proxy (firewall / VLAN),
    # otherwise the traffic the HTTPS front-end protects is exposed on the LAN.
    upstream gitlab.mydomain.cn{
        server 192.168.1.100:80;
    }
    
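    server {
        listen       80;
        server_name  gitlab.mydomain.cn;

        charset UTF-8;

        access_log  /var/log/nginx/gitlab.mydomain.cn.log  main;

        # ACME HTTP-01 challenge files written by acme.sh --webroot.
        # ^~ is an anchored prefix match that cannot be shadowed by a regex
        # location; the original `~ /.well-known` regex matched that text
        # anywhere in the URI.
        location ^~ /.well-known/acme-challenge/ {
            root   /usr/share/nginx/html;
        }

        # Everything else: permanent redirect to HTTPS. $server_name is used
        # instead of the client-controlled $host so a forged Host header cannot
        # turn this into an open redirect; $request_uri keeps path and query.
        location / {
            return 301 https://$server_name$request_uri;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }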
    
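    server {
        listen       443 ssl;
        server_name  gitlab.mydomain.cn;
        charset utf-8;
        access_log  /var/log/nginx/gitlab.mydomain.cn.log  main;

        # Copy the certificate acme.sh issued (its mydomain.cn directory) to
        # /etc/nginx/ssl/mydomain.cn/. Better: use `acme.sh --install-cert`
        # with a reload hook so renewed certificates do not go stale here.
        # The key file must be readable by root only (chmod 600).
        ssl_certificate      /etc/nginx/ssl/mydomain.cn/mydomain.cn.cer;
        ssl_certificate_key  /etc/nginx/ssl/mydomain.cn/mydomain.cn.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        # TLSv1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1; drop it
        # from this list on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        # Forward-secret AEAD suites only. The original list also accepted
        # 3DES and static-RSA key exchange, both obsolete and weak.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # Generate with (note the path matches the directive below):
        # openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        # Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;

        # HSTS makes browsers refuse plain HTTP for this host. Enable only once
        # renewal is known to work; start with a short max-age.
        # add_header Strict-Transport-Security "max-age=31536000" always;

        # Git pushes can be large; nginx's default client_max_body_size (1m)
        # rejects them with 413. 0 disables the limit; pick a size that fits.
        client_max_body_size 0;

        location / {
            proxy_pass http://gitlab.mydomain.cn;
            # GitLab must see the original host and that the client used
            # HTTPS (proxied-SSL setup), otherwise it generates http:// links
            # and redirects. X-Forwarded-For lets it log the real client IP.
            proxy_set_header Host              $http_host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl   on;
        }
    }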
    
  4. 验证生成的证书

    确认域名已经解析到 nginx 监听 80 端口的公网地址后，执行 acme.sh 的签发命令。此时证书文件还不存在，需要先把 nginx 中 443 的 server 配置注释掉，否则 nginx 因找不到 ssl_certificate 文件而无法启动；签发并复制证书后再恢复 443 配置并 reload。

  5. 下载gitlab,并安装,这里采用rpm、或者deb

    传送门

  6. 安装gitlab安装包

    # rpm -ivh / dpkg -i do not check where the file came from. Prefer the
    # official GitLab apt/yum repository (the package manager verifies the
    # signature); if you install a downloaded file, verify its signature or
    # checksum against the values GitLab publishes before running this.
    rpm -ivh current_version.rpm
    dpkg -i current_version.deb
    
    1. 快速升级脚本 update.sh
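    #!/bin/bash
    # update.sh - back up GitLab, then install a new omnibus package.
    # Usage: ./update.sh /absolute/path/to/gitlab-ce_X.Y.Z.deb
    # Abort on the first failure so a failed backup never lets the upgrade proceed.
    set -euo pipefail

    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "usage: $0 <gitlab .deb package>" >&2
        exit 1
    fi
    pkg="$1"

    # NOTE(review): dpkg -i does not verify the package origin; check its
    # signature/checksum against GitLab's published values before running this.

    # Stop the web and job workers so the backup is consistent.
    # Newer GitLab releases ship puma instead of unicorn; change the service
    # name if `gitlab-ctl status` lists puma.
    gitlab-ctl stop unicorn
    gitlab-ctl stop sidekiq
    gitlab-ctl stop nginx

    # Backup is written to /var/opt/gitlab/backups/. It does not contain
    # /etc/gitlab/gitlab.rb or gitlab-secrets.json - back those up separately.
    gitlab-rake gitlab:backup:create
    ls -l /var/opt/gitlab/backups/

    dpkg -i "$pkg"

    gitlab-ctl restart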
    
    

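    # `pwd/...` is a literal path; expand the working directory with $(pwd).
    ./update.sh "$(pwd)/current_upgrade.deb"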

  7. 配置gitlab.rb启用https

    Supporting proxied SSL

    备份

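    # gitlab.rb can hold secrets (SMTP/LDAP passwords, tokens); -p keeps the
    # original root-only mode on the backup instead of the umask default.
    cp -p /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.backup

    vi /etc/gitlab/gitlab.rb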

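    # Per GitLab's "Supporting proxied SSL" docs: TLS terminates on the external
    # nginx, so GitLab's bundled nginx listens on plain port 80 while the public
    # URL is https://. The proxy must send X-Forwarded-Proto: https (and
    # X-Forwarded-Ssl: on), otherwise GitLab generates http:// links.
    external_url 'https://gitlab.mydomain.cn'
    nginx['listen_port'] = 80
    nginx['listen_https'] = false
    # Trust the reverse proxy's address so logs and audit events record the
    # real client IP instead of the proxy's (fill in the proxy IP).
    # gitlab_rails['trusted_proxies'] = ['<proxy ip>']

    # Same for the container registry (the original listing had the hostname
    # misspelled as "mydoamin"). NOTE(review): the registry on the same
    # hostname as GitLab normally needs its own port (e.g. :5050) - verify
    # against the registry docs before using the same host and port.
    registry_external_url 'https://gitlab.mydomain.cn'
    registry_nginx['listen_port'] = 80
    registry_nginx['listen_https'] = false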
    
  8. 访问 http://gitlab.mydomain.cn 即可：nginx 会把 80 端口的请求 301 到 https://gitlab.mydomain.cn，页面应能正常打开且链接均为 https。

  9. 本地 git 访问时的证书验证

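    # Do NOT disable verification: the proxy serves a publicly trusted
    # certificate, so `git clone https://...` verifies fine, and
    # http.sslVerify=false lets anyone on the path serve modified code to every
    # clone/push from this machine. If it was ever switched off, re-enable it:
    git config --global --unset http.sslVerify
    # Only if GitLab sat behind a private CA, trust that CA explicitly instead:
    # git config --global http.sslCAInfo /path/to/private-ca.pem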
    
  10. 配置gitlab-runner

    快速配置

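    version: '3.6'

    services:
      gitlab-runner:
        container_name: gitlab-runner
        # Pinned tag; v12.5.0 is old, move to a current release.
        image: gitlab/gitlab-runner:alpine-v12.5.0
        restart: always
        network_mode: "host"
        volumes:
          # The Docker socket is equivalent to root on this host: anyone who can
          # run a CI job on this runner can reach the host. Use a dedicated,
          # trusted machine for it.
          - /var/run/docker.sock:/var/run/docker.sock
          - ./config.toml:/etc/gitlab-runner/config.toml
          # For a private CA, mount its certificate here instead of disabling
          # verification (the runner reads /etc/gitlab-runner/certs/<host>.crt).
          # - ./certs:/etc/gitlab-runner/certs:ro
        # GIT_SSL_NO_VERIFY was removed: the proxy serves a publicly trusted
        # certificate, and disabling verification lets a MITM feed malicious
        # code to every job.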
    

    在config.toml

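    concurrent = 8
    check_interval = 10
    log_level = "info"

    [session_server]
    session_timeout = 1800

    [[runners]]
    limit = 5

    name = "gitlab-runner"
    # Use HTTPS: over plain http the runner token, job clone credentials and
    # artifacts cross the network in clear text. (Hostname here differs from
    # gitlab.mydomain.cn used elsewhere in this guide - make them consistent.)
    url = "https://gitlab.domain.cn/"
    # Runner token produced by `gitlab-runner register` (not the registration
    # token shown on the admin Runners page). Treat it as a secret.
    token = "**********注册生成token,不是gitlab管理端runner几面的密钥,需要使用gitlab-ci-multi-runner register生成的密钥**********"

    executor = "docker"
    builds_dir = "/gitlab/runner-builds"
    cache_dir = "/gitlab/runner-cache"
    # GIT_SSL_NO_VERIFY=true was removed: the proxy's certificate is publicly
    # trusted. For a private CA, put the CA file in /etc/gitlab-runner/certs/
    # instead of switching verification off for every job.
    environment = []
    [runners.docker]
        # Only relevant for a TCP docker daemon; ignored with the unix socket.
        tls_verify = false
        image = "docker:latest"
        dns = ["-.-.-.-."]
        # privileged = true gives every job root on the runner host (needed only
        # for docker-in-docker). Together with pull_policy "if-not-present" a
        # job can also replace cached images that later jobs will run. Prefer
        # privileged = false with the docker socket mounted, or a dedicated
        # runner host for untrusted projects.
        privileged = true
        disable_entrypoint_overwrite = false
        oom_kill_disable = false
        disable_cache = false
        volumes = ["/home/*/deploy/gitlab-runner/maven.xml:/usr/local/maven/default-maven/conf/settings.xml"]
        # "if-not-present" never re-pulls a tag that already exists locally.
        pull_policy = "if-not-present"
        shm_size = 0
    [runners.cache]
        [runners.cache.s3]
        [runners.cache.gcs]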
    

    以下几行是重点

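    # Use HTTPS between runner and proxy: over plain http the runner token and
    # every job's clone credentials are sent in clear text.
    url = "https://gitlab.domain.cn/"

    # Do not set GIT_SSL_NO_VERIFY: the proxy's certificate is publicly
    # trusted. For a private CA, place the CA file in /etc/gitlab-runner/certs/.
    environment = []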
    
  11. nginx 为 GitLab pipeline / Web Terminal 配置 WebSocket 转发

    在 443 的 server 配置中增加以下 location，用于透传 WebSocket 升级请求（与已有的 `location /` 合并或由本 location 覆盖）：

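        # Requires, in the http{} block:
        #   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
        # so Connection is "upgrade" only on WebSocket requests. The original
        # set Connection twice ("" then "upgrade"), which is ambiguous and forces
        # "upgrade" onto every proxied request.
        # This regex location takes precedence over the plain `location /` in
        # the 443 server; merging the two is cleaner.
        location ~ ^/(.*){
            proxy_pass http://gitlab.mydomain.cn;
            proxy_http_version 1.1;
            proxy_set_header REMOTE_ADDR       $remote_addr;
            proxy_set_header Host              $http_host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # Tell GitLab the client used HTTPS (proxied-SSL setup).
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl   on;
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        $connection_upgrade;
            # Terminal/WebSocket sessions are long-lived; GitLab's bundled
            # nginx uses the same value.
            proxy_read_timeout 3600;
        }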