This article describes how to secure a GitLab server with an SSL certificate. The work is done after GitLab CE has been installed and configured, and the result is that GitLab is accessed over HTTPS.
Preface

In earlier articles we covered installing GitLab CE on the Ubuntu, Debian, CentOS and Fedora Linux distributions. Here we look at how to secure that GitLab server with an SSL certificate. There are two ways to configure HTTPS access to GitLab:
1. Secure the GitLab server with a commercial SSL certificate, for example one from DigiCert.
2. Secure the GitLab server with a Let's Encrypt SSL certificate.
Reference articles on installing and configuring GitLab CE
Steps to install GitLab CE on CentOS 7 / Fedora 29
Steps to install GitLab CE on Ubuntu 18.04 / Debian 9
Securing the GitLab server with a commercial SSL certificate

A commercial SSL certificate is a DV (domain-validated) certificate trusted by all popular web browsers; you buy it from a trusted commercial certificate authority (CA) such as Comodo, DigiCert or GeoTrust. After purchasing the certificate, download the certificate file and place it, together with its private key, in the /etc/gitlab/ssl/ directory:

/etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt

Then configure the SSL settings in the /etc/gitlab/gitlab.rb file. First, change the external URL from http to https:

external_url 'https://git.example.com'

Under ## GitLab NGINX, enable Nginx and give it the paths to the certificate and the private key. Note that ssl_certificate takes the .crt file and ssl_certificate_key takes the .key file; swapping the two is a common mistake and Nginx will refuse to start:

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"

The other SSL settings are commented out; adjust them as appropriate. TLS 1.1 has since been deprecated (RFC 8996), so on a current installation prefer TLS 1.2 and later. When you are done, run the following command to apply the changes:

sudo gitlab-ctl reconfigure

Wait for the command to finish, then open https://git.example.com (substitute your actual domain name) to log in to your GitLab dashboard.
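Before running gitlab-ctl reconfigure it is worth checking the settings above mechanically. The script below is an added example, not part of the original article or of GitLab's own tooling: it parses the relevant gitlab.rb lines and confirms that external_url uses https, that HTTP is redirected, that ssl_certificate and ssl_certificate_key each point to the right kind of PEM file (the two paths are easy to swap), and that no deprecated protocol version is listed. The gitlab.rb excerpt and the PEM files are constructed stand-ins; on a real server you would read the actual files.

```python
import re
# Constructed gitlab.rb excerpt with the certificate/key paths swapped and TLS 1.1 still listed.
SAMPLE_GITLAB_RB = """
external_url 'https://git.example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
"""
# Constructed stand-ins for the files under /etc/gitlab/ssl/; only the PEM header line is inspected.
SAMPLE_FILES = {
    "/etc/gitlab/ssl/git.example.com.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "/etc/gitlab/ssl/git.example.com.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176 / 7568 / 8996

def parse_settings(text):
    """Map each gitlab.rb assignment (and external_url) to its unquoted value; comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^([\w\[\]']+)\s*=?\s*(.+)$", raw.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def pem_kind(contents):
    """Return 'cert', 'key' or 'unknown', judged from the first PEM header line."""
    first = contents.lstrip().split("\n", 1)[0]
    if first == "-----BEGIN CERTIFICATE-----":
        return "cert"
    return "key" if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----") else "unknown"

def check_tls_config(settings, files):
    """Return one finding per problem; an empty list means the HTTPS settings are sound."""
    findings = []
    if not settings.get("external_url", "").startswith("https://"):
        findings.append("external_url must use https://")
    if settings.get("nginx['redirect_http_to_https']") != "true":
        findings.append("nginx['redirect_http_to_https'] should be true")
    cert = settings.get("nginx['ssl_certificate']", "")
    key = settings.get("nginx['ssl_certificate_key']", "")
    if pem_kind(files.get(cert, "")) != "cert":  # catches the swapped paths
        findings.append(f"nginx['ssl_certificate'] is not a certificate: {cert}")
    if pem_kind(files.get(key, "")) != "key":
        findings.append(f"nginx['ssl_certificate_key'] is not a private key: {key}")
    weak = [p for p in settings.get("nginx['ssl_protocols']", "").split() if p in DEPRECATED]
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    return findings
```

Running check_tls_config(parse_settings(SAMPLE_GITLAB_RB), SAMPLE_FILES) on the constructed excerpt reports three findings (swapped certificate, swapped key, TLSv1.1); with the paths corrected and TLSv1.2 TLSv1.3 it reports none.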
Securing the GitLab server with a Let's Encrypt SSL certificate

Open the file /etc/gitlab/gitlab.rb and look for the Let's Encrypt integration section. Note that to obtain a Let's Encrypt certificate you need a domain name with a valid A record pointing at your GitLab server. Set the server hostname to the DNS name that has that A record:

sudo hostnamectl set-hostname git.example.com --static

Then set:

letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['admin@example.com'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true

You can also specify the hour and the day of the month on which the certificate is renewed automatically:

letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"

When you are done, run the following command to apply the changes:

sudo gitlab-ctl reconfigure

The reconfigure should finish with HTTPS working on the GitLab server. To verify the GitLab setup, run the following command:

$ sudo gitlab-rake gitlab:check
Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2
Checking GitLab ... Finished