Nginx设置Https反向代理,指向Docker Gitlab11.3.9 Https服务

首先确保机器已经安装好Docker,执行以下命令安装GitLab11.3.9:

# Pull image > git clone https://github.com/idoall/docker.git > cd gitlab-ce/11.3.9-ce.0 # 启动 Gitlab 容器 > docker stack deploy -c docker-compose.3.6.yml mshk_gitlab

Gitlab 容器是以 stack 方法运行的,可以自行修改配置文件

root 帐号的密码默认是 MySuperSecretAndSecurePass0rd!

Gitlab 内部的一些配置,可以直接修改 gitlab.rb

运行docker service ls命令,可以看到 GitLab 的服务已经在运行:

> docker service ls ID NAME MODE REPLICAS IMAGE PORTS qnh3srwc3qjo mshk_gitlab_mshk_gitlab replicated 1/1 idoall/gitlab-ce:11.3.9-ce.0 *:20050->80/tcp, *:20051->443/tcp, *:20052->22/tcp

在阿里云申请后,会有两个文件gitlab-ce.mshk.top.pemgitlab-ce.mshk.top.crt,下载到本地。

将下载的gitlab-ce.mshk.top.pemgitlab-ce.mshk.topcrt证书文件,放到容器的/etc/gitlab/ssl/目录下面。

下面是我的docker.gitlab.ce.yml文件配置:

version: "3.6" # https://docs.docker.com/compose/compose-file/ # support Docker version 17.05.0-ce services: #################################### gitlab_ce ###################################################### gitlab_ce: image: idoall/gitlab-ce:11.3.9-ce.0 hostname: gitlab_ce ports: - "20042:22" - "20040:80" - "20041:443" dns: - 114.114.114.114 - 9.9.9.9 volumes: - /home/work/_app/_gitlab_ce/gitlab_data:/var/opt/gitlab - /home/work/_app/_gitlab_ce/gitlab_logs:/var/log/gitlab - /home/work/_app/_gitlab_ce/gitlab_config:/etc/gitlab networks: - mshk-top environment: GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')" configs: - source: gitlab target: /omnibus_config.rb deploy: replicas: 1 update_config: delay: 1s restart_policy: condition: on-failure configs: gitlab: file: ./docker.gitlab.ce.rb # 统一网络设置 networks: mshk-top: driver: overlay

下面是我的docker.gitlab.ce.rb文件配置:

external_url 'https://gitlab-ce.mshk.top' nginx['redirect_http_to_https'] = true nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab-ce.mshk.top.pem" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab-ce.mshk.top.key" gitlab_rails['gitlab_shell_ssh_port'] = 20042 # 使用QQ企业邮件发邮件 gitlab_rails['smtp_enable'] = true gitlab_rails['smtp_address'] = "smtp.exmail.qq.com" gitlab_rails['smtp_port'] = 465 gitlab_rails['smtp_user_name'] = "noreply@mshk.top" gitlab_rails['smtp_password'] = "*******" gitlab_rails['smtp_authentication'] = "login" gitlab_rails['smtp_enable_starttls_auto'] = true gitlab_rails['smtp_tls'] = true gitlab_rails['gitlab_email_from'] = 'noreply@mshk.top' gitlab_rails['smtp_domain'] = "exmail.qq.com" # 与Crowd结合,统一登录认证 gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_allow_single_sign_on'] = true gitlab_rails['omniauth_block_auto_created_users'] = false gitlab_rails['omniauth_providers'] = [ { "name" => "crowd", "args" => { "crowd_server_url" => "http://crowd.mshk.top/crowd", "application_name" => "gitlab", "application_password" => "******" } } ]

调整好配置后,执行下面的命令,重启 Gitlab:

# 获取容器名称,赋值到一个变量中 CONTAINERNAME=`docker ps --format "{{.Names}}" | grep mshk_gitlab_mshk_gitlab.1` # 停止服务 docker exec $CONTAINERNAME sh -c 'gitlab-ctl stop' # 更新权限 docker exec $CONTAINERNAME update-permissions # 重新设置gitlab配置 docker exec $CONTAINERNAME sh -c 'gitlab-ctl reconfigure' # 启动服务 docker exec $CONTAINERNAME sh -c 'gitlab-ctl start'

这里有一点注意,配置证书的时候,Https服务设置的反向代理端口,是我们刚才设置的20041.

完整的Nginx的配置文件gitlab-ce.mshk.top.conf的格式如下:

## 将HTTP请求全部重定向至HTTPS server { listen 80; server_name gitlab-ce.mshk.top; charset utf-8; access_log logs/gitlab.access.log; error_log logs/gitlab.error.log; rewrite ^ https://gitlab-ce.mshk.top; } ## 请求转发到GitLab容器 server { listen 443 ssl; server_name gitlab-ce.mshk.top; charset utf-8; access_log logs/gitlab.access.log; error_log logs/gitlab.error.log; ssl on; # 服务的证书 ssl_certificate /usr/local/nginx/cert/gitlab-ce.mshk.top.pem; # 服务端key ssl_certificate_key /usr/local/nginx/cert/gitlab-ce.mshk.top.key; # session超时时间 ssl_session_timeout 5m; # 加密算法 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # 允许SSL协议 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # 启动加密算法 ssl_prefer_server_ciphers on; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_pass https://localhost:20041; } location ~ .*\.(js|css|png)$ { proxy_pass https://localhost:20041; } }

最后重新载入Nginx配置,就可以生效了:

> nginx -s reload

下面是最终生效的截图:

假设您认为这篇文章对您有帮助,可以通过以下方式进行捐赠,谢谢!

比特币地址:1KdgydfKMcFVpicj5w4vyn3T88dwjBst6Y
以太坊地址:0xbB0a92d634D7b9Ac69079ed0e521CC2e0a97c420

原文链接:https://blog.csdn.net/dianbutang4605/article/details/102232335

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享