How to Secure a GitLab Server with an SSL Certificate

Date: 2020-02-23 14:38:59  Source: igfitidea

This guide shows how to secure a GitLab server with an SSL certificate so that all access to GitLab goes over HTTPS.

There are two options we will cover for configuring HTTPS access to GitLab: securing the GitLab server with a commercial SSL certificate (from a CA such as Digicert or Comodo), or securing the GitLab server with a Let's Encrypt SSL certificate.

Securing the GitLab server with a commercial SSL certificate

A commercial SSL certificate is a DV (domain validated) certificate trusted by all popular web browsers.
We purchase this certificate from a trusted commercial certificate authority (CA), such as Comodo, Digicert, Geotrust, etc.

After purchasing the certificate, download the certificate file and place it, together with its private key, in the /etc/gitlab/ssl/ directory:

/etc/gitlab/ssl/git.example.com.key
/etc/gitlab/ssl/git.example.com.crt

Then configure the SSL settings in the /etc/gitlab/gitlab.rb file.
First, change the external URL from http to https:

external_url 'https://git.example.com'

Under the ## GitLab NGINX section, enable nginx and provide the paths to the SSL certificate and its key.

nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"

The other SSL settings can stay commented out; read through them and adjust them to suit your deployment.
When done, run the following command for the changes to take effect:

sudo gitlab-ctl reconfigure

Wait for the command to finish, then open https://git.example.com to log in to the GitLab dashboard.
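A small sanity check for the nginx settings above, added here as an example and not part of the original page: it reads the gitlab.rb assignment lines with a simple line matcher (an assumption, not a Ruby parser), flags certificate/key paths that have been swapped and legacy TLS versions, and passes on a corrected block. Both gitlab.rb fragments inside the script are constructed for the demonstration.

```python
import re

# Constructed sample (not a real deployment): the nginx block from this page
# with the certificate and key paths accidentally swapped, a common mistake.
SWAPPED_GITLAB_RB = """\
external_url 'https://git.example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
"""
# The same block with the paths corrected and only TLS 1.2 and newer offered.
FIXED_GITLAB_RB = """\
external_url 'https://git.example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.key"
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
"""

ASSIGN_RE = re.compile(r"^(\w+\['\w+'\])\s*=\s*(.+)$")
URL_RE = re.compile(r"^external_url\s+['\"]([^'\"]+)['\"]")

def parse_settings(text):
    """Map each uncommented setting to its unquoted value (line matcher, not a Ruby parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if m := URL_RE.match(line):
            settings["external_url"] = m.group(1)
        elif m := ASSIGN_RE.match(line):
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def audit(text):
    """Return findings for the HTTPS settings this page configures; [] means clean."""
    s = parse_settings(text)
    findings = []
    if not s.get("external_url", "").startswith("https://"):
        findings.append("external_url must start with https://")
    if s.get("nginx['redirect_http_to_https']") != "true":
        findings.append("nginx['redirect_http_to_https'] should be true")
    cert, key = s.get("nginx['ssl_certificate']", ""), s.get("nginx['ssl_certificate_key']", "")
    if cert.endswith(".key") or key.endswith(".crt"):
        findings.append("ssl_certificate/ssl_certificate_key paths look swapped")
    for old in ("TLSv1", "TLSv1.1"):  # both deprecated by RFC 8996
        if old in s.get("nginx['ssl_protocols']", "").split():
            findings.append(f"{old} is deprecated; offer TLSv1.2 and newer only")
    return findings
```

Run it against the real /etc/gitlab/gitlab.rb before `gitlab-ctl reconfigure`; a swapped pair makes nginx fail to start, and this catches it before the restart.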

Securing the GitLab server with a Let's Encrypt SSL certificate

Open the file /etc/gitlab/gitlab.rb and look for the Let's Encrypt integration section.

Note that to obtain a Let's Encrypt certificate we need a domain name with a valid DNS record pointing to the GitLab server.
Set the server hostname to the DNS name that has that valid record:

sudo hostnamectl set-hostname git.example.com --static

The required settings are:

letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['Hyman@theitroad'] # This should be an array of email addresses to add as contacts
letsencrypt['auto_renew'] = true

We can also specify the hour and day of month on which the certificate is automatically renewed:

letsencrypt['auto_renew_hour'] = 3
letsencrypt['auto_renew_day_of_month'] = "*/7"

When done, run the following command for the changes to take effect:

sudo gitlab-ctl reconfigure

The reconfigure should complete successfully, with HTTPS working on the GitLab server.
To verify the GitLab setup, run the command:

$sudo gitlab-rake gitlab:check  
Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1)
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2
Checking GitLab ... Finished