Making the site accessible over HTTPS

Applying for a certificate

A free certificate is enough for this. Alibaba Cloud, Tencent Cloud and similar providers issue free one-year certificates, and the application steps are simple enough that I will not walk through them. One thing worth pointing out: a second-level domain and a third-level domain are treated separately. These free certificates are single-domain certificates, so each hostname needs its own.

For example, cyblogs.com and gitlab.cyblogs.com have to be applied for separately. My DNS is hosted at dnspod, so I applied there as well.

If you apply on Alibaba Cloud but your DNS is hosted elsewhere, the first application also needs a one-off validation record added in your DNS; that record is how the CA confirms you control the domain before it issues the certificate.

http://static.cyblogs.com/QQ截图20191103175026.png
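Before pointing nginx at the certificate files, it is worth confirming they are what you think. The script below is an added example, not part of the original post; it assumes openssl is on PATH and, because no real certificate is shown on this page, builds a throwaway self-signed certificate as constructed input. It checks which hostnames a certificate actually covers (including the wildcard rule: *.cyblogs.com covers gitlab.cyblogs.com but neither cyblogs.com nor a.b.cyblogs.com), that the private key belongs to the certificate, and whether it is close to expiry.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate files you are about to hand to nginx.  Assumes `openssl` is on
# PATH; the sample certificate is generated on the fly (constructed input).
set -eu

# cert_hostnames CERT: print every hostname the certificate is valid for,
# i.e. the DNS entries of the Subject Alternative Name plus the Subject CN.
cert_hostnames() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_matches_host HOST CERT: exit 0 if HOST is covered by CERT.  A wildcard
# *.example.com covers exactly one extra label (gitlab.example.com), never the
# bare example.com and never a.b.example.com.
cert_matches_host() {
    host=$1
    names=$(cert_hostnames "$2")
    set -f                                   # the '*' of a wildcard must not glob
    for name in $names; do
        case "$name" in
            "$host") set +f; return 0 ;;
            \*.*)
                if [ "${host#*.}" = "${name#\*.}" ] && [ "${host%%.*}" != "$host" ]; then
                    set +f; return 0
                fi ;;
        esac
    done
    set +f
    return 1
}

# key_matches_cert CERT KEY: exit 0 if KEY is the private key behind CERT
# (nginx refuses to start with "key values mismatch" otherwise).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl md5)" = \
      "$(openssl pkey -in "$2" -pubout | openssl md5)" ]
}

# cert_expires_within DAYS CERT: exit 0 if CERT expires within DAYS days.
cert_expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# make_test_cert DIR NAME: constructed sample, a throwaway self-signed
# certificate with CN=NAME and SAN DNS:NAME standing in for the CA-issued one.
make_test_cert() {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3' \
        '[dn]' "CN = $2" '[v3]' "subjectAltName = DNS:$2" > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp" '*.cyblogs.com'
    for h in gitlab.cyblogs.com cyblogs.com a.b.cyblogs.com; do
        if cert_matches_host "$h" "$tmp/cert.pem"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
    key_matches_cert "$tmp/cert.pem" "$tmp/key.pem" && echo "key matches certificate"
    cert_expires_within 30 "$tmp/cert.pem" && echo "certificate expires within 30 days: renew it"
    rm -rf "$tmp"
}
demo
```

Run the three checks against the real files (for example cert_matches_host gitlab.cyblogs.com /usr/local/nginx/ssl/gitlab.cyblogs.com_bundle.crt) before reloading nginx; a bundle file works as input because openssl x509 reads the first certificate in it, which is the leaf.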

Nginx setup

Contents of gitlab.cyblogs.com.conf. Store the certificate wherever you prefer; mine lives in /usr/local/nginx/ssl:


upstream gitlab {
    server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

upstream gitlab-workhorse {
    # The unix://var/... spelling is what GitLab's docs show; nginx takes everything after
    # "unix:" as the path, and //var/... resolves to /var/... on Linux.
    server unix://var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

server {
    listen 0.0.0.0:80;
    server_name gitlab.cyblogs.com;
    server_tokens off;
    # Plain HTTP only ever answers with a redirect to HTTPS.
    return 301 https://$server_name$request_uri;
    access_log /usr/local/nginx/conf/logs/gitlab_access.log;
    error_log /usr/local/nginx/conf/logs/gitlab_error.log;
}

server {
    listen 0.0.0.0:443 ssl;
    server_name gitlab.cyblogs.com;
    server_tokens off;
    root /opt/gitlab/embedded/service/gitlab-rails/public;

    client_max_body_size 20m;

    ssl_certificate /usr/local/nginx/ssl/gitlab.cyblogs.com_bundle.crt;
    ssl_certificate_key /usr/local/nginx/ssl/gitlab.cyblogs.com.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); leave TLSv1.3 out only if your
    # nginx/OpenSSL build predates nginx 1.13 / OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    access_log /usr/local/nginx/conf/logs/gitlab_access.log;
    error_log /usr/local/nginx/conf/logs/gitlab_error.log;

    location /uploads/ {
        gzip off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        # The gitlab upstream is a plaintext unix socket: proxy over http://, not https://,
        # or the TLS handshake fails and the client gets a 502.
        proxy_pass http://gitlab;
    }

    location @gitlab {
        gzip off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        # unicorn listens on 8081 (unicorn['port'] in gitlab.rb)
        proxy_pass http://localhost:8081;
    }

    # The "return 418 + error_page 418 = @gitlab-workhorse" pairs below are how GitLab's
    # reference config hands a request matched by a regex location to the named
    # @gitlab-workhorse location (git-over-HTTP, LFS, archives and artifacts).
    location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location ~ ^/api/v3/projects/.*/repository/archive {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location ~ /ci/api/v1/builds/[0-9]+/artifacts {
        client_max_body_size 0;
        error_page 418 = @gitlab-workhorse;
        return 418;
    }

    location @gitlab-workhorse {
        client_max_body_size 0;
        gzip off;
        proxy_buffering off;

        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;

        proxy_http_version 1.1;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gitlab-workhorse;
    }

    location ~ ^/(assets)/ {
        root /opt/gitlab/embedded/service/gitlab-rails/public;
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    # A prefix location, not "location ~ /": a regex catch-all outranks the /uploads/
    # prefix location above and sends those requests through try_files instead, which
    # is where stat() errors on paths like .../uploads/.../avatar.png.html come from.
    location / {
        root /opt/gitlab/embedded/service/gitlab-rails/public;
        try_files $uri $uri/index.html $uri.html @gitlab;
    }

    error_page 502 /502.html;
}

SSH clone works, HTTP clone does not

http://static.cyblogs.com/QQ截图20191103175454.png

First, the clone URL shown here is still http, not https.

➜  Desktop  git clone https://gitlab.cyblogs.com/root/testdemo.git
Cloning into 'testdemo'...
fatal: unable to access 'https://gitlab.cyblogs.com/root/testdemo.git/': The requested URL returned error: 502
➜  Desktop  git clone https://gitlab.cyblogs.com/cyblogs/cyblogs-blog.git
Cloning into 'cyblogs-blog'...
fatal: unable to access 'https://gitlab.cyblogs.com/cyblogs/cyblogs-blog.git/': The requested URL returned error: 502

Looking through the logs, I found these errors:

[root@iZ94tq694y3Z logs]# less gitlab_error.log 
2019/10/18 16:30:13 [crit] 15450#0: *97 stat() "/opt/gitlab/embedded/service/gitlab-rails/public/uploads/-/system/user/avatar/2/avatar.png.html" failed (13: Permission denied), client: xxx.xx.xx.xx, server: gitlab.cyblogs.com, request: "GET /uploads/-/system/user/avatar/2/avatar.png?width=23 HTTP/1.1", host: "gitlab.cyblogs.com", referrer: "https://gitlab.cyblogs.com/testcase/config-repo"

2019/11/02 16:40:10 [crit] 1374#0: *24502 connect() to unix://var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied) while connecting to upstream, client: 210.22.21.66, server: gitlab.cyblogs.com, request: "GET /root/testdemo.git/info/refs?service=git-upload-pack HTTP/1.1", upstream: "http://unix://var/opt/gitlab/gitlab-workhorse/socket:/root/testdemo.git/info/refs?service=git-upload-pack", host: "gitlab.cyblogs.com"

It kept reporting a permission problem: unix://var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied). I searched all over and honestly found few articles that explain it well; reading GitLab's official configuration docs patiently was more useful, as they are fairly detailed:

https://docs.gitlab.com/omnibus/settings/nginx.html

After reading a lot of articles, I arrived at the following solution.

Nginx startup configuration

First, a self-built nginx should not run its workers as root; create a dedicated user for them. The master process still starts as root to bind ports 80 and 443, but the user directive drops the worker processes to the account you name. Mine is the nginx user.

[root@iZ94tq694y3Z ~]# groups nginx
nginx : nginx gitlab-www # gitlab-www is added by gitlab-ctl reconfigure
[root@iZ94tq694y3Z ~]#

Set that user with the user directive in nginx.conf.

[root@iZ94tq694y3Z conf]# cat nginx.conf
user nginx nginx;
worker_processes 1;

gitlab.rb configuration

[root@iZ94tq694y3Z gitlab]# cat gitlab.rb | grep -v ^#   # only the settings that are in effect
# The URL the instance is served under (the https scheme matters here)
external_url 'https://gitlab.cyblogs.com'

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.sina.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "chengcheng222e@sina.com"
gitlab_rails['smtp_password'] = "xxxxxx"
gitlab_rails['smtp_domain'] = "sina.com"
gitlab_rails['smtp_authentication'] = "plain"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false

# gitlab-workhorse: the nginx config above proxies git-over-HTTP traffic to this socket
gitlab_workhorse['enable'] = true
gitlab_workhorse['ha'] = false
gitlab_workhorse['listen_network'] = "unix"
# umask 000 makes the socket itself world-writable, but its directory
# (/var/opt/gitlab/gitlab-workhorse, owned by git:gitlab-www) is not searchable by
# "other", which is what the external_users entry below takes care of
gitlab_workhorse['listen_umask'] = 000
gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"
gitlab_workhorse['auth_backend'] = "http://localhost:8081"

# Move unicorn to port 8081; auth_backend above and proxy_pass http://localhost:8081 in nginx must agree
unicorn['port'] = 8081

# The web_server section is the important part: the external nginx user is added to the
# gitlab-www group on the next gitlab-ctl reconfigure, which grants it access to the
# workhorse socket and to the public/ directory
web_server['external_users'] = ['nginx']
web_server['username'] = 'nginx'
web_server['group'] = 'nginx'
web_server['home'] = '/usr/local/nginx'

# The bundled nginx is disabled because we run our own; the two settings after it therefore
# have no effect (and listen_port 8081 would collide with unicorn if it were ever re-enabled)
nginx['enable'] = false
nginx['redirect_http_to_https'] = true
nginx['listen_port'] = 8081

To locate errors, watch both the nginx log and the GitLab logs:

# nginx
tail -f /usr/local/nginx/conf/logs/gitlab_error.log
# GitLab
gitlab-ctl tail

Verification

# Back home, switched to Windows
Administrator@CHENYUAN MINGW64 ~/Desktop
$ git clone https://gitlab.cyblogs.com/root/testdemo.git
Cloning into 'testdemo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.

References:

If you like my articles, you can follow my personal subscription account. Comments and discussion are always welcome.

简栈文化服务订阅号