gitlab docker nginx

Gitlab 私有化部署实践

Posted by hebicheng on April 15, 2021

Gitlab 私有化部署实践

(复用443端口作为网页和ssh端口,并使用https://ip/gitlab代理整个gitlab服务)

以OJ服务器为例

1 nginx 配置

配置原则:

  • 尽量不影响OJ容器的内的nginx服务和gitlab容器内的nginx服务
  • 复用443端口作为gitlab的ssh端口
  • 443端口同时要代理OJ和gitlab的Web服务

nginx.conf 文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
error_log /var/log/nginx/nginx_error.log warn;
pcre_jit on;

events {
	worker_connections 1024;
}

stream {
    upstream ssh {
        server 127.0.0.1:10220;
    }
    upstream https {
        server 127.0.0.1:14430;
    }
    map $ssl_preread_protocol $upstream {
        default   ssh;
        "TLSv1.3" https;
        "TLSv1.2" https;
        "TLSv1.1" https;
        "TLSv1.0" https;
    }
    server {
        listen       443;
        ssl_preread  on;
        proxy_pass   $upstream;
    }
}


http {

	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	server_tokens off;
	keepalive_timeout 65;
	sendfile on;
	tcp_nodelay on;

	gzip on;
	gzip_vary on;
	gzip_types application/javascript text/css;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
			'$status $body_bytes_sent "$http_referer" '
			'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/nginx_access.log main;


    upstream gitlab {
		server 127.0.0.1:24430;
    }
    
    upstream oj {
		server 127.0.0.1:20800;
    }
    
    server {
        listen	80;
		return	301 https://$host$request_uri;
    }

    server {
	
		listen       14430 ssl;
		server_name  _;
		
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		ssl_certificate /home/hebicheng/OnlineJudgeDeploy/data/backend/ssl/server.crt;
		ssl_certificate_key /home/hebicheng/OnlineJudgeDeploy/data/backend/ssl/server.key;
		location / {
			proxy_pass    http://oj;
			client_max_body_size 1000M;
		}
		
		location /gitlab {
			proxy_pass    https://gitlab/gitlab;
			client_max_body_size 1000M;
		}
    }

}

2 oj-backend容器配置

此时我们的ssl跳转和服务的代理均由宿主机的nginx完成,为了防止docker中的ssl重复使用,影响访问速度,考虑关闭oj-backend容器和gitlab容器的ssl,均采用http传输。gitlab默认不配置便不开启ssl,所以只需调整oj-backend的ssl配置:

docker-compose.yml文件

1
2
3
4
5
6
7
8
9
10
11
12

# 在oj-backend的配置中:
...
oj-backend:
	...
	environment:
		- POSTGRES_DB ...
		...
		# 注释掉强制HTTPS跳转
		#- FORCE_HTTPS = 1
	ports:
		# 只向宿主机映射http端口
		- 0.0.0.0:20800:8000

3 Gitlab配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

# 下载镜像
docker pullgitlab/gitlab-ce

#启动docker
docker run -d \
-p 10800:80 -p 10220:22 \
--name gitlab \
--restart always \
-v /home/gitlab/config:/etc/gitlab \
-v /home/gitlab/logs:/var/log/gitlab \
-v /home/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce

# 或者使用docker-compose
version: "3"
services:

 gitlab:
    image: gitlab/gitlab-ce
    container_name: gitlab
    restart: always
    volumes:
      - ./config:/etc/gitlab
      - ./logs:/var/log/gitlab
      - ./data:/var/opt/gitlab
    ports:
      - "0.0.0.0:24430:443"
      - "0.0.0.0:10220:22"

根据nginx配置的端口,修改gitlab配置文件 gitlab:/etc/gitlab/gitlab.rb:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

# 访问地址配置
external_url 'https://127.0.0.1/gitlab'

# ssl
nginx['ssl_certificate'] = "/etc/gitlab/ssl/127.0.0.1.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/127.0.0.1.key"
nginx['redirect_http_to_https'] = true
nginx['proxy_set_headers'] = {
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on",
}

# ssh配置
#gitlab_rails['gitlab_ssh_host'] = 'acm.sicnu.edu.cn'
gitlab_rails['gitlab_shell_ssh_port'] = 443 # 此端口是run时22端口映射的443端口
gitlab_rails['gitlab_ssh_host'] = 'acm.sicnu.edu.cn'

# 邮箱配置
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.qq.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "xxxx@qq.com"
gitlab_rails['smtp_password'] = "xxxxxxx"
gitlab_rails['smtp_domain'] = "qq.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true

user['git_user_email'] = "xxxx@qq.com"
gitlab_rails['gitlab_email_from'] = 'xxxx@qq.com'

原创作品,转载请注明来源 https://hebicheng.github.io

CATALOG
    FEATURED TAGS
    linux ssh nginx 大数据 docker gitlab go
    FRIENDS