This post records installing GitLab on a VPS, configuring an SSL certificate for it, and serving its web interface through an external Nginx so that it is reachable over https. The VPS runs CentOS 7.3, and the GitLab Community Edition version installed is 8.15.1.

Introduction

GitLab needs little introduction. Its hardware and system requirements are given in Installation Requirements.

The officially recommended hardware is at least 2 CPU cores, at least 4GB of RAM, and a 7200 rpm hard disk or an SSD.

Preparation

All operations in this post were performed on a Digital Ocean VPS.

OS Version: CentOS Linux release 7.3.1611 (Core)
Kernel Version: 3.10.0-514.2.2.el7.x86_64

IP and domain information:

IP Address: 138.197.80.35
Test Domain: gitlab.lemptest.tech

Installation

Following the official documentation, GitLab's installation path is

/opt/gitlab

The configuration file paths are

/etc/gitlab/
/etc/gitlab/gitlab.rb

The temporary file path is

/var/opt/gitlab/

Installation directory layout

[root@lempstacker gitlab]# pwd
/opt/gitlab
[root@lempstacker gitlab]# tree -L 2
.
├── bin
│   ├── gitlab-ctl
│   ├── gitlab-psql
│   ├── gitlab-rails
│   └── gitlab-rake
├── embedded
│   ├── bin
│   ├── conf
│   ├── cookbooks
│   ├── etc
│   ├── html
│   ├── include
│   ├── lib
│   ├── libexec
│   ├── man
│   ├── nodes
│   ├── postgresql
│   ├── sbin
│   ├── selinux
│   ├── service
│   ├── share
│   └── ssl
├── etc
│   ├── gitlab-psql-rc
│   ├── gitlab-rails
│   ├── gitlab.rb.template
│   └── gitlab-workhorse
├── init
│   ├── gitlab-workhorse -> /opt/gitlab/embedded/bin/sv
│   ├── logrotate -> /opt/gitlab/embedded/bin/sv
│   ├── nginx -> /opt/gitlab/embedded/bin/sv
│   ├── postgresql -> /opt/gitlab/embedded/bin/sv
│   ├── redis -> /opt/gitlab/embedded/bin/sv
│   ├── sidekiq -> /opt/gitlab/embedded/bin/sv
│   └── unicorn -> /opt/gitlab/embedded/bin/sv
├── LICENSE
├── LICENSES
│   ├── bundler-LICENSE.md
│   ├── cacerts-index.815ca599c9df.txt
│   ├── chef-gem-LICENSE
│   ├── chef-zero-LICENSE
│   ├── config_guess-config.guess
│   ├── config_guess-config.sub
│   ├── gitlab-config-template-LICENSE
│   ├── gitlab-cookbooks-LICENSE
│   ├── gitlab-ctl-LICENSE
│   ├── gitlab-psql-LICENSE
│   ├── gitlab-rails-gitlab-gem-licenses
│   ├── gitlab-rails-LICENSE
│   ├── gitlab-scripts-LICENSE
│   ├── gitlab-selinux-LICENSE
│   ├── gitlab-shell-LICENSE
│   ├── gitlab-workhorse-LICENSE
│   ├── mattermost-GITLAB-MATTERMOST-COMPILED-LICENSE.txt
│   ├── mixlib-log-LICENSE
│   ├── ncurses-ncurses.faq.html
│   ├── ncurses-ncurses-license.html
│   ├── ohai-LICENSE
│   ├── omnibus-ctl-LICENSE
│   ├── package-scripts-LICENSE
│   ├── python-docutils-COPYING.txt
│   ├── rb-readline-LICENSE
│   ├── registry-LICENSE
│   └── rubygems-LICENSE.txt
├── service
│   ├── gitlab-workhorse -> /opt/gitlab/sv/gitlab-workhorse
│   ├── logrotate -> /opt/gitlab/sv/logrotate
│   ├── nginx -> /opt/gitlab/sv/nginx
│   ├── postgresql -> /opt/gitlab/sv/postgresql
│   ├── redis -> /opt/gitlab/sv/redis
│   ├── sidekiq -> /opt/gitlab/sv/sidekiq
│   └── unicorn -> /opt/gitlab/sv/unicorn
├── sv
│   ├── gitlab-workhorse
│   ├── logrotate
│   ├── nginx
│   ├── postgresql
│   ├── redis
│   ├── sidekiq
│   └── unicorn
├── var
│   └── unicorn
├── version-manifest.json
└── version-manifest.txt
41 directories, 43 files
[root@lempstacker gitlab]#

The download page https://about.gitlab.com/downloads/ displays the prompt

Install a GitLab CE Omnibus package on

Select the matching operating system from the drop-down list; here that is

CentOS 7 (and RedHat/Oracle/Scientific Linux 7)

The page link then jumps to

https://about.gitlab.com/downloads/#centos7

The page lists the exact commands, in four main steps:

  1. Install and configure the necessary dependencies
  2. Add the GitLab package server and install the package
  3. Configure and start GitLab
  4. Browse to the hostname and login

Install and configure the necessary dependencies

The commands given by GitLab are

sudo yum install curl policycoreutils openssh-server openssh-clients
sudo systemctl enable sshd
sudo systemctl start sshd
sudo yum install postfix
sudo systemctl enable postfix
sudo systemctl start postfix
sudo firewall-cmd --permanent --add-service=http
sudo systemctl reload firewalld

Adapted to this setup, the commands actually run were

sudo yum install -y curl policycoreutils openssh-server openssh-clients
sudo systemctl enable sshd
sudo systemctl start sshd
sudo yum install -y postfix
sudo systemctl enable postfix
sudo systemctl start postfix

Add the GitLab package server and install the package

The commands given by GitLab are

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo yum install gitlab-ce
#or
curl -LJO https://packages.gitlab.com/gitlab/gitlab-ce/packages/el/7/gitlab-ce-XXX.rpm/download
rpm -i gitlab-ce-XXX.rpm

Adapted to this setup, the commands actually run were

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo yum install -y gitlab-ce

When the installation completes, the following output appears

Running transaction
Installing : gitlab-ce-8.15.1-ce.0.el7.x86_64 1/1
*. *.
*** ***
***** *****
.****** *******
******** ********
,,,,,,,,,***********,,,,,,,,,
,,,,,,,,,,,*********,,,,,,,,,,,
.,,,,,,,,,,,*******,,,,,,,,,,,,
,,,,,,,,,*****,,,,,,,,,.
,,,,,,,****,,,,,,
.,,,***,,,,
,*,.
_______ __ __ __
/ ____(_) /_/ / ____ _/ /_
/ / __/ / __/ / / __ `/ __ \
/ /_/ / / /_/ /___/ /_/ / /_/ /
\____/_/\__/_____/\__,_/_.___/
gitlab: Thank you for installing GitLab!
gitlab: To configure and start GitLab, RUN THE FOLLOWING COMMAND:
sudo gitlab-ctl reconfigure
gitlab: GitLab should be reachable at http://lempstacker
gitlab: Otherwise configure GitLab for your system by editing /etc/gitlab/gitlab.rb file
gitlab: And running reconfigure again.
gitlab:
gitlab: For a comprehensive list of configuration options please see the Omnibus GitLab readme
gitlab: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
gitlab:
gitlab: GitLab now ships with a newer version of PostgreSQL (9.6.1), and will be used
gitlab: as the default in the next major relase. To upgrade, RUN THE FOLLOWING COMMANDS:
sudo gitlab-ctl pg-upgrade
gitlab: For more details, please see:
gitlab: https://docs.gitlab.com/omnibus/settings/database.html#upgrade-packaged-postgresql-server
gitlab:
It looks like GitLab has not been configured yet; skipping the upgrade script.
Verifying : gitlab-ce-8.15.1-ce.0.el7.x86_64 1/1
Installed:
gitlab-ce.x86_64 0:8.15.1-ce.0.el7
Complete!

The message states that the gitlab-ce configuration file is

/etc/gitlab/gitlab.rb

and that the full list of configuration options is at

https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md

and it gives the command for upgrading to the newer bundled PostgreSQL

sudo gitlab-ctl pg-upgrade

Run the command

rpm -qi gitlab-ce

to query the gitlab-ce package information

Name : gitlab-ce
Version : 8.15.1
Release : ce.0.el7
Architecture: x86_64
Install Date: Sat 24 Dec 2016 11:24:40 AM CST
Group : default
Size : 848622582
License : MIT
Signature : (none)
Source RPM : gitlab-ce-8.15.1-ce.0.el7.src.rpm
Build Date : Sat 24 Dec 2016 05:52:01 AM CST
Build Host : runner-bac0abb1-project-283-concurrent-0
Relocations : /
Packager : GitLab Inc. <[email protected]>
Vendor : Omnibus <[email protected]>
URL : https://about.gitlab.com/
Summary : GitLab Community Edition and GitLab CI (including NGINX, Postgres, Redis)
Description :
GitLab Community Edition and GitLab CI (including NGINX, Postgres, Redis)

Configure and start GitLab

The command given by GitLab is

sudo gitlab-ctl reconfigure

Run it as is; when it finishes, the following appears

Running handlers:
Running handlers complete
Chef Client finished, 232/327 resources updated in 01 minutes 30 seconds
gitlab Reconfigured!

Browse to the hostname and login

GitLab's documentation says

On your first visit, you’ll be redirected to a password reset screen to provide the password for the initial administrator account. Enter your desired password and you’ll be redirected back to the login screen.

The default account’s username is root. Provide the password you created earlier and login. After login you can change the username if you wish.

In short: on the first visit to the GitLab page you are redirected to a password reset page where you set the password for the default administrator account; the default username is root.

But since an SSL certificate and a domain name still have to be configured, the configuration file is modified first.


Maintenance Commands

GitLab's maintenance commands are covered in the official Maintenance commands documentation.

Get Service Status

After installation, run

sudo gitlab-ctl status

to get the status of the services

run: gitlab-workhorse: (pid 23778) 1358s; run: log: (pid 23678) 1383s
run: logrotate: (pid 23698) 1375s; run: log: (pid 23697) 1375s
run: nginx: (pid 25983) 3s; run: log: (pid 23687) 1377s
run: postgresql: (pid 23528) 1423s; run: log: (pid 23527) 1423s
run: redis: (pid 23445) 1429s; run: log: (pid 23444) 1429s
run: sidekiq: (pid 23669) 1385s; run: log: (pid 23668) 1385s
run: unicorn: (pid 23638) 1387s; run: log: (pid 23637) 1387s

Starting And Stopping

GitLab components are started and stopped through the gitlab-ctl command, which can act on all components at once or on a single one.

# Start all GitLab components
sudo gitlab-ctl start
# Stop all GitLab components
sudo gitlab-ctl stop
# Restart all GitLab components
sudo gitlab-ctl restart
# Restart Single GitLab Component
sudo gitlab-ctl restart sidekiq
# zero-downtime reload
sudo gitlab-ctl hup unicorn

Important: GitLab notes that on a single-core server restarting the Unicorn and Sidekiq components takes about a minute, during which the GitLab instance returns a 502 error until Unicorn is up again.

Note that on a single-core server it may take up to a minute to restart Unicorn and Sidekiq. Your GitLab instance will give a 502 error until Unicorn is up again.

Test run

# start
[root@lempstacker ~]# gitlab-ctl start
ok: run: gitlab-workhorse: (pid 23778) 1496s
ok: run: logrotate: (pid 23698) 1513s
ok: run: nginx: (pid 26218) 2s
ok: run: postgresql: (pid 23528) 1561s
ok: run: redis: (pid 23445) 1567s
ok: run: sidekiq: (pid 23669) 1523s
ok: run: unicorn: (pid 23638) 1525s
# stop
[root@lempstacker ~]# gitlab-ctl stop
ok: down: gitlab-workhorse: 0s, normally up
ok: down: logrotate: 0s, normally up
ok: down: nginx: 1s, normally up
ok: down: postgresql: 0s, normally up
ok: down: redis: 1s, normally up
ok: down: sidekiq: 0s, normally up
ok: down: unicorn: 0s, normally up
# restart
[root@lempstacker ~]# gitlab-ctl restart
ok: run: gitlab-workhorse: (pid 26269) 0s
ok: run: logrotate: (pid 26275) 1s
ok: run: nginx: (pid 26281) 0s
ok: run: postgresql: (pid 26283) 1s
ok: run: redis: (pid 26291) 0s
ok: run: sidekiq: (pid 26295) 0s
ok: run: unicorn: (pid 26298) 1s
# restart a single component
[root@lempstacker ~]# gitlab-ctl restart sidekiq
ok: run: sidekiq: (pid 26813) 1s
[root@lempstacker ~]# gitlab-ctl hup unicorn
[root@lempstacker ~]#

Invoking Rake Tasks

Running

sudo gitlab-rake gitlab:check

invokes a GitLab Rake task.

Test run

[root@lempstacker ~]# gitlab-rake gitlab:check
Checking GitLab Shell ...
GitLab Shell version >= 4.1.1 ? ... OK (4.1.1)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... no
User id for git: 991. Groupd id for git: 989
Try fixing it:
sudo chown -R git:git /var/opt/gitlab/git-data/repositories
For more information see:
doc/install/installation.md in section "GitLab Shell"
Please fix the error above and rerun the checks.
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... no
Try fixing it:
sudo -u git -H RAILS_ENV=production bin/background_jobs start
For more information see:
doc/install/installation.md in section "Install Init Script"
see log/sidekiq.log for possible errors
Please fix the error above and rerun the checks.
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.3)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.8.4)
Active users: 1
Checking GitLab ... Finished
[root@lempstacker ~]#

For the usage of gitlab-rails, gitlab-psql and the other commands, read the relevant sections of the Maintenance commands documentation.


Configuration

For the specific parameter settings see the Omnibus GitLab documentation.

GitLab's default configuration file is

/etc/gitlab/gitlab.rb

Important: after modifying parameters in this file, you must run

sudo gitlab-ctl reconfigure

for the changes to take effect.

Back up the configuration file with

sudo cp -p /etc/gitlab/gitlab.rb{,.bak}

Non-Bundled Nginx Settings

gitlab-ce bundles Nginx as its web server, installed under /opt/gitlab/embedded/. Nginx configuration is documented in Nginx Settings and SSL certificate setup in Enable HTTPS, but most of that material applies to the bundled Nginx.

GitLab also supports an external Nginx; this post covers using the Nginx already installed on the VPS host. The reference is Using a non-bundled web-server.

Sample Nginx configuration files are in web-server configuration. The default branch is master; switch to the branch matching the installed gitlab-ce version. Since 8.15.1 is installed here, the 8-1-stable branch is selected.

By default, omnibus-gitlab installs GitLab with bundled Nginx. Omnibus-gitlab allows webserver access through user gitlab-www which resides in the group with the same name. To allow an external webserver access to GitLab, external webserver user needs to be added gitlab-www group. – https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server

Edit the configuration file /etc/gitlab/gitlab.rb

#line 11
external_url "https://gitlab.lemptest.tech/"
#line 22
gitlab_rails['time_zone'] = 'Asia/Shanghai'
# disable bundled nginx, line 708
nginx['enable'] = false
#set username of non-bundled web-server user, line 694
web_server['external_users'] = ['nginx']
#line 55
gitlab_rails['trusted_proxies'] = [ '138.197.80.35' ]

After the edits, run the following for the changes to take effect

sudo gitlab-ctl reconfigure

Run the following to add the user nginx to the git group

Give nginx access to git group

#add user nginx to group git
sudo usermod -a -G git nginx

Because an SSL certificate is being configured, the sample gitlab-omnibus-ssl-nginx.conf is used here.

Important: the SSL certificate here is issued by Let's Encrypt; that process is not repeated, and the certificate and the related files are assumed to exist already. For the details see my blog post Secure Nginx With Let's Encrypt Free SSL Certificate on GNU/Linux.

Adapt the sample configuration to your own situation and write the result to

/etc/nginx/conf.d/gitlabssl.conf

with the following content

upstream gitlab {
server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}
upstream gitlab-workhorse {
server unix:/var/opt/gitlab/gitlab-git-http-server/socket;
}
## Redirects all HTTP traffic to the HTTPS host
server {
listen 80;
# listen [::]:80 ipv6only=on default_server;
server_name gitlab.lemptest.tech;
server_tokens off;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
listen 443 ssl;
# listen [::]:443 ipv6only=on ssl default_server;
server_name gitlab.lemptest.tech;
server_tokens off;
root /opt/gitlab/embedded/service/gitlab-rails/public;
## Increase this if you want to upload large attachments Or if you want to accept large git objects over http
client_max_body_size 20m;
## Strong SSL Security
ssl_certificate /etc/letsencrypt/live/lemptest.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lemptest.tech/privkey.pem;
#https://scotthelme.co.uk/doing-the-chacha-with-nginx/
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH DHE-RSA-CHACHA20-POLY1305 EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED !CAMELLIA";
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
## See app/controllers/application_controller.rb for headers set
ssl_stapling on;
ssl_stapling_verify on; # Enables verification of OCSP responses by the server
#Let's Encrypt Root and Intermediate Certificates
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt-ca-cert.pem;
# Google DNS, Open DNS, Dyn DNS
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 5s;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# add_header Strict-Transport-Security "max-age=63072000; preload";
# Note: CSP keyword sources must be quoted inside the header value ('self');
# browsers read an unquoted self as a host named "self".
add_header Content-Security-Policy 'default-src self';
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Public-Key-Pins 'pin-sha256="iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=";pin-sha256="F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks="; max-age=2592000; includeSubDomains';
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
## Serve static files from defined root folder.
## @gitlab is a named location for the upstream fallback, see below.
try_files $uri $uri/index.html $uri.html @gitlab;
}
## We route uploads through GitLab to prevent XSS and enforce access control.
location /uploads/ {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
}
## If a file which is not found in the root folder is requested,
## then the proxy passes the request to the upstream (gitlab unicorn).
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
}
location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}
location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}
location ~ ^/api/v3/projects/.*/repository/archive {
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}
# Build artifacts should be submitted to this location
location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}
# Build artifacts should be submitted to this location
location ~ /ci/api/v1/builds/[0-9]+/artifacts {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}
location @gitlab-workhorse {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
# Do not buffer Git HTTP responses
proxy_buffering off;
# The following settings only work with NGINX 1.7.11 or newer
#
# # Pass chunked request bodies to gitlab-workhorse as-is
# proxy_request_buffering off;
# proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls remove the block below
## See config/application.rb under "Relative url support" for the list of
## other files that need to be changed for relative url support
location ~ ^/(assets)/ {
root /opt/gitlab/embedded/service/gitlab-rails/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}
error_page 502 /502.html;
}

After editing the Nginx configuration file, run

# test the configuration file for syntax errors
nginx -t
# reload the Nginx configuration so the changes take effect
nginx -s reload
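
Before reloading, the state the steps above leave behind can be checked. The script below is an added example, not part of the original post or of GitLab's documentation; it assumes the socket paths from the Nginx configuration above and the user and group names used on this page (nginx, git), and every check takes the file or path it reads as an argument so it can be exercised against constructed input.

```shell
#!/bin/sh
# Pre-flight checks for the non-bundled Nginx setup described above.
# Added example, not from the original post or from GitLab's documentation.
# Each check takes the file or path it reads as an argument so it can be
# exercised against constructed input; the defaults are the real system paths.

# user_in_group USER GROUP [GROUP_FILE]
# Prints "yes" if USER is listed as a supplementary member of GROUP in the
# /etc/group-style file (name:password:gid:member,member,...), else "no".
# Primary-group membership via /etc/passwd is deliberately not consulted:
# "usermod -a -G git nginx" only ever adds a supplementary group.
user_in_group() {
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "${3:-/etc/group}")
    if printf '%s\n' "$members" | tr ',' '\n' | grep -qxF "$1"; then
        echo yes
    else
        echo no
    fi
}

# home_dir USER [PASSWD_FILE]
# Prints the home directory recorded for USER; prints nothing if USER is absent.
home_dir() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "${2:-/etc/passwd}"
}

# dir_owner PATH
# Prints the owning user name of PATH (GNU stat first, BSD stat as fallback).
dir_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# missing_sockets PATH...
# Prints every listed path that is not a unix socket; prints nothing if all exist.
missing_sockets() {
    for s in "$@"; do
        [ -S "$s" ] || echo "$s"
    done
}

# preflight: runs every check against the live system, prints a FAIL line
# for each problem and returns non-zero if any check failed.
preflight() {
    rc=0
    [ "$(user_in_group nginx git)" = yes ] \
        || { echo "FAIL: user nginx is not in group git (sudo usermod -a -G git nginx)"; rc=1; }
    # The upload problem described later on this page came down to the git
    # user's home directory (/var/opt/gitlab) not being owned by git.
    git_home=$(home_dir git)
    if [ -n "$git_home" ] && [ "$(dir_owner "$git_home")" != git ]; then
        echo "FAIL: $git_home is not owned by git"; rc=1
    fi
    # Both upstreams named in the Nginx configuration must exist, or every
    # proxied request ends in a 502.
    for s in $(missing_sockets /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket \
                               /var/opt/gitlab/gitlab-git-http-server/socket); do
        echo "FAIL: upstream socket $s does not exist (check the socket path for your GitLab version)"; rc=1
    done
    nginx -t >/dev/null 2>&1 || { echo "FAIL: nginx -t rejected the configuration"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all pre-flight checks passed"
    return "$rc"
}

# Run the checks only when invoked with "run" (sh preflight.sh run),
# so the file can also be sourced for its functions.
case "${1:-}" in run) preflight ;; esac
```

The socket check also catches a sample configuration whose workhorse socket path does not match what the installed GitLab version actually creates.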

Initializing the Root Password

Enter the following in the browser

gitlab.lemptest.tech

The link automatically redirects to

https://gitlab.lemptest.tech/users/password/edit?reset_password_token=4ecjCvsiH28yCcxEatJ4

and the password reset page appears.

As mentioned above, the first visit to the GitLab page redirects to the password reset page, where the password for the default administrator account is set; the default username is root.

Generate a random string of 15 bytes with

openssl rand -base64 15

The output is

68GZIX8ELrG8iJx5nvVz

Enter that string on the password reset page and click the Change your password button to submit.

On successful submission the link redirects to

https://gitlab.lemptest.tech/users/sign_in

and the login page appears.

Enter the username root and the password 68GZIX8ELrG8iJx5nvVz, then click the Sign in button to log in.

The page redirects once more, to

https://gitlab.lemptest.tech/

The interface is as follows

The green https indicator has become an exclamation mark, with the warning Connection is not secure.

Press F12 to open the browser developer tools; the Console shows the following

Loading mixed (insecure) display content “http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=52&d=identicon“ on a secure page
Loading mixed (insecure) display content “https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=52&d=identicon“ on a secure page

This happens because, on a site served over https, the browser by default does not load resources delivered over http, such as css, js and images; this is called mixed content and is described at https://w3c.github.io/webappsec-mixed-content/. It can be handled by setting a Content-Security-Policy directive in the Nginx configuration that whitelists the sources, which is not detailed here; see the following material for specifics.

The cause is clear: the default user's logo image is loaded from the following links

http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=52&d=identicon
https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=52&d=identicon
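
As an added example (not from the original post), the following shell functions find the insecure subresources that trigger the warning above in a saved copy of the page and turn them into an img-src directive, which is the whitelist approach the text mentions; the sample HTML in the test is constructed to mirror the Gravatar case, and the function names are my own.

```shell
#!/bin/sh
# Find mixed content in a saved copy of an HTTPS page: <img>, <script>,
# <link> and <iframe> tags whose src/href is a plain http:// URL, and build
# the img-src whitelist directive from what is found.
# Added example, not from the original post; the tag scan is a line-based
# heuristic (grep), not an HTML parser, so tags split across lines are missed.

# insecure_subresources HTML_FILE
# Prints each distinct http:// URL loaded by a subresource tag, one per line;
# prints nothing when the page is clean. https:// URLs never match because
# the pattern requires "http://" directly after the quote.
insecure_subresources() {
    grep -oiE '<(img|script|link|iframe)[^>]*(src|href)="http://[^"]*"' "$1" \
        | sed -E 's/.*(src|href)="([^"]*)".*/\2/' \
        | sort -u
}

# csp_img_src HTML_FILE
# Prints an img-src directive allowing the page's own origin plus the https://
# form of every host currently fetched over http://, as a starting point for
# the Content-Security-Policy header. CSP keywords such as 'self' keep their
# single quotes inside the header value; unquoted, self is just a host name.
csp_img_src() {
    hosts=$(insecure_subresources "$1" \
        | sed -E 's#^http://([^/]+).*#https://\1#' | sort -u | tr '\n' ' ')
    printf "img-src 'self' %s\n" "$hosts" | sed 's/ *$//'
}

# mixed_content_report HTML_FILE
# Prints the findings and the suggested directive; returns 1 when the page
# has insecure subresources and 0 when it is clean.
mixed_content_report() {
    urls=$(insecure_subresources "$1")
    if [ -z "$urls" ]; then
        echo "clean: no http:// subresources in $1"
        return 0
    fi
    echo "mixed content in $1:"
    printf '%s\n' "$urls" | sed 's/^/  /'
    echo "suggested directive: $(csp_img_src "$1")"
    return 1
}

# Usage: sh mixed_content.sh page.html (a copy of the page saved from the browser).
case "${1:-}" in ?*) mixed_content_report "$1" ;; esac
```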

Setting Content-Security-Policy in Nginx is too much hassle; the simplest solution is to replace that image. Click the logo image in the top right corner and choose Profile Setting from the drop-down; this opens the Profile Setting page at

https://gitlab.lemptest.tech/profile

Here another problem appeared: the image could not be uploaded, presumably because of directory permissions. When adding the user nginx to the git group, the official documentation calls for two commands

sudo usermod -a -G git nginx
sudo chmod g+rx /home/git/

Only the first was run here (the directory /home/git/ in the second does not exist). Look up the git user's home directory

[root@lempstacker ~]# cat /etc/passwd | grep git
gitlab-www:x:992:990::/var/opt/gitlab/nginx:/bin/false
git:x:991:989::/var/opt/gitlab:/bin/sh
gitlab-redis:x:990:988::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:989:987::/var/opt/gitlab/postgresql:/bin/sh
[root@lempstacker ~]#

The git user's home directory is /var/opt/gitlab; check its details

[root@lempstacker ~]# cd /var/opt/
[root@lempstacker opt]# ls -lh
total 4.0K
drwxr-xr-x 13 root root 4.0K Dec 24 15:26 gitlab
[root@lempstacker opt]#

Change its owner to git

[root@lempstacker opt]# chown git:root gitlab/
[root@lempstacker opt]# ls -lh
total 4.0K
drwxr-xr-x 13 git root 4.0K Dec 24 15:26 gitlab
[root@lempstacker opt]#

Trying the image upload again, it succeeds.

After refreshing the page, the green https indicator is back.


Web Page Overview

Screenshots of the relevant pages

Right Corner

Admin Area


Project Commit Test

Configuring SSH is not covered here. Create a project and push a commit to test it.

The commit process

[email protected]:~$ cd /tmp/
[email protected]:/tmp$ git clone git@gitlab.lemptest.tech:root/sunshine.git
Cloning into 'sunshine'...
The authenticity of host 'gitlab.lemptest.tech (138.197.80.35)' can't be established.
ECDSA key fingerprint is 20:80:df:69:ca:47:e0:b3:76:02:60:64:7b:20:56:a7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.lemptest.tech' (ECDSA) to the list of known hosts.
warning: You appear to have cloned an empty repository.
Checking connectivity... done.
[email protected]:/tmp$ cd sunshine/
[email protected]:/tmp/sunshine$ ls
[email protected]:/tmp/sunshine$ touch README.md
[email protected]:/tmp/sunshine$ vim README.md
[email protected]:/tmp/sunshine$ git add *
[email protected]:/tmp/sunshine$ git commit -m 'add README'
[master (root-commit) d135bc7] add README
1 file changed, 10 insertions(+)
create mode 100644 README.md
[email protected]:/tmp/sunshine$ git push
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 368 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@gitlab.lemptest.tech:root/sunshine.git
* [new branch] master -> master
[email protected]:/tmp/sunshine$


SSL Security Level

SSL security rating test


References


Change Logs

  • 2016.12.24 19:14 Sat Asia/Shanghai
    • First draft completed