Pitfalls flattened: enabling HTTPS access on a gitlab-ce container
The existing environment
gitlab-ce version 14.6
Port 443 is not enabled; only ports 22 and 80 are, mapped to host ports 1002 and 1008 respectively.
It was installed with compose, so the yml file is the clearest description of the setup
version: '2'
services:
  gitlab:
    image: 'gitlab/gitlab-ce:14.6.0-ce.0'
    container_name: 'gitlab'
    hostname: 'mygitlab'
    restart: unless-stopped
    privileged: true
    volumes:
      - /opt/gitlab-data/config:/etc/gitlab
      - /opt/gitlab-data/logs:/var/log/gitlab
      - /opt/gitlab-data/data:/var/opt/gitlab
    ports:
      - "1002:22"
      - "1008:80"
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.20.150.239'
        gitlab_rails['initial_root_password'] = "123456"
To enable HTTPS access, the 443 port mapping has to be added first, which means recreating the container
version: '2'
services:
  gitlab:
    image: 'gitlab/gitlab-ce:14.6.0-ce.0'
    container_name: 'gitlab'
    hostname: 'mygitlab'
    restart: unless-stopped
    privileged: true   # not required by GitLab; it gives the container unrestricted access to host devices, so drop it unless something actually needs it
    volumes:
      - /opt/gitlab-data/config:/etc/gitlab
      - /opt/gitlab-data/logs:/var/log/gitlab
      - /opt/gitlab-data/data:/var/opt/gitlab
    ports:
      - "1002:22"
      - "1008:80"
      - "1443:443" # host port 1443 maps to port 443 of the gitlab-ce container
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.20.150.239'
        # initial_root_password is only honoured when the data directory is first initialised; changing it here does not reset an existing root password
        gitlab_rails['initial_root_password'] = "Passw0rd"
# Apply the updated definition (the container is recreated with the new port mapping; the data lives in the mounted volumes)
docker-compose -f gitlab_compose.yml up -d
Create a self-signed certificate
# A shell script found online that generates the certificate files, with its defects fixed:
# 2048-bit key (current clients such as git/curl on distributions with OpenSSL security level 2 reject 1024-bit RSA),
# quoted variables, a POSIX read, and a subjectAltName (browsers match the host against the SAN and ignore the CN)
#!/bin/sh
# create self-signed server certificate:
printf 'Enter your hostname or IP : '
read DOMAIN
echo "Create server key..."
# generated without a passphrase: nginx inside the container has to read it unattended anyway
openssl genrsa -out "$DOMAIN.key" 2048
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
echo "Sign SSL certificate..."
# an address goes into the SAN as IP:, a name as DNS:
case "$DOMAIN" in
  *[!0-9.]*) SAN="DNS:$DOMAIN" ;;
  *)         SAN="IP:$DOMAIN" ;;
esac
printf 'subjectAltName=%s\n' "$SAN" > "$DOMAIN.ext"
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -extfile "$DOMAIN.ext" -out "$DOMAIN.crt"
echo "TODO:"
echo "Copy $DOMAIN.crt to /home/data/Gitlab/config/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /home/data/Gitlab/config/ssl/$DOMAIN.key"
echo "Add nginx configuration in /home/data/Gitlab/config/gitlab.rb"
# Run the script with sh
# The only prompt is for the hostname or IP address; the key, csr, ext and crt files are written to the current directory
# The name entered here must be the one clients will connect to (for this setup the host IP 172.20.150.239), otherwise the certificate will not match the URL
Configure GitLab to serve HTTPS
# Here /etc/gitlab inside the container is mounted from /opt/gitlab-data/config on the host
# First create an ssl directory under that path
cd /opt/gitlab-data/config/
mkdir ssl
# Then copy the certificate files generated by the script into the ssl directory
ll /opt/gitlab-data/config/ssl/
total 16
-rw-r--r-- 1 root root 883 Jul 23 15:37 172.20.150.239.crt
-rw-r--r-- 1 root root 668 Jul 23 15:37 172.20.150.239.csr
-rw-r--r-- 1 root root 887 Jul 23 15:37 172.20.150.239.key
-rw-r--r-- 1 root root 963 Jul 23 15:37 172.20.150.239.origin.key
# Note the private key is world-readable (0644) here; tighten it to 0600. It is owned by root and the nginx master process in the omnibus image runs as root, so nothing else needs to read it.
# Only the .crt and .key are used; the .csr and the passphrase-protected .origin.key do not need to be in the mounted directory at all.
# Edit gitlab.rb
vim /opt/gitlab-data/config/gitlab.rb
external_url 'https://172.20.150.239:1443'
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['ssl_certificate'] = "/etc/gitlab/ssl/172.20.150.239.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/172.20.150.239.key"
nginx['listen_port'] = 443
external_url: use the domain name if you have one; here it is the host IP address, and 1443 is the host port that maps to the container's 443. The file names in the two nginx paths must match the files actually in the ssl directory (172.20.150.239.crt/.key); a wrong name there makes reconfigure fail because nginx cannot load the certificate.
nginx['redirect_http_to_https']: redirect HTTP to HTTPS
nginx['redirect_http_to_https_port']: the HTTP listener that issues the redirect stays on port 80 inside the container; this only works if port 80 is mapped, which here is container port 80 on host port 1008
nginx['ssl_certificate']: path of the crt inside the container
nginx['ssl_certificate_key']: path of the key inside the container
nginx['listen_port']: nginx listens on the container's port 443, not on the host's 1443! Without this line GitLab takes the port from external_url and nginx would listen on 1443 inside the container, where nothing is mapped.
One more thing to keep consistent: GITLAB_OMNIBUS_CONFIG in the compose file still declares external_url 'http://172.20.150.239', and it is evaluated on every container start. Change it to the same https URL (or remove it) so the two definitions do not conflict.
# Apply the configuration: reconfigure renders the nginx config from gitlab.rb and restarts the affected services
docker exec -it gitlab gitlab-ctl reconfigure
# Later, when only the certificate files are replaced, a reload of nginx is enough
docker exec -it gitlab gitlab-ctl hup nginx
Test that HTTP access to gitlab redirects to HTTPS
# Test clone and push
# Because the certificate is self-signed rather than issued by a CA the client trusts, git rejects it by default. The quick fix is to turn verification off:
git config --global http.sslVerify "false"
# That switches TLS verification off for every HTTPS remote this user touches, not just this GitLab. The better option is to trust only this certificate for only this server with git's http.<url>.sslCAInfo setting, which keeps verification on everywhere else.
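The checks below are an added example, not part of the original post or of GitLab's own tooling: they validate the self-signed certificate before GitLab is pointed at it (key size and whether the host is actually named in the SAN or CN), scope git's trust to this one origin instead of disabling verification, and smoke-test the HTTP-to-HTTPS redirect. The host IP 172.20.150.239, host ports 1008/1443 and the /opt/gitlab-data/config/ssl path follow the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl, git and curl on the host.

# cert_matches_host CERT HOST
# Returns 0 when HOST is listed in the certificate's subjectAltName (IP Address: or DNS:),
# or, if there is no matching SAN entry, in the subject CN; 1 otherwise.
# Browsers only honour the SAN, so a CN-only match is flagged on stderr.
cert_matches_host() {
    cert=$1; host=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # dots in an IP must not act as regex wildcards
    if printf '%s\n' "$text" | grep -Eq "(IP Address|DNS):$esc(,|$)"; then
        return 0
    fi
    if printf '%s\n' "$text" | grep -Eq "Subject:.*CN ?= ?$esc(,|$)"; then
        echo "warning: $host only matches the CN, not a subjectAltName; browsers will reject it" >&2
        return 0
    fi
    return 1
}

# cert_key_bits CERT -> prints the RSA key size from the certificate, e.g. 2048
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_cert CERT HOST -> 0 if the certificate is usable for HOST, 1 with reasons on stderr
check_cert() {
    cert=$1; host=$2; rc=0
    bits=$(cert_key_bits "$cert")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key is ${bits:-?} bits; clients at OpenSSL security level 2 reject RSA below 2048" >&2
        rc=1
    fi
    cert_matches_host "$cert" "$host" || { echo "$host is not named in $cert" >&2; rc=1; }
    return $rc
}

# git_trust_cert CERT HOST PORT [GITCONFIG]
# Trusts CERT for https://HOST:PORT/ only, via git's http.<url>.sslCAInfo key.
# Verification stays enabled for every other remote. GITCONFIG defaults to the global config.
git_trust_cert() {
    cert=$1; host=$2; port=$3; cfg=${4:-"$HOME/.gitconfig"}
    git config --file "$cfg" "http.https://$host:$port/.sslCAInfo" "$cert"
}

# https_redirect_ok HOST HTTP_PORT HTTPS_PORT
# Confirms the plain-HTTP listener answers with a redirect to the HTTPS origin.
# Needs the running instance, so it is not exercised offline.
https_redirect_ok() {
    host=$1; http_port=$2; https_port=$3
    curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' "http://$host:$http_port/" |
        grep -Eq "^30[1278] https://$host:$https_port/"
}

# Usage on the host from the post:
#   CRT=/opt/gitlab-data/config/ssl/172.20.150.239.crt
#   check_cert "$CRT" 172.20.150.239 && git_trust_cert "$CRT" 172.20.150.239 1443
#   https_redirect_ok 172.20.150.239 1008 1443 && echo "redirect ok"
```

Run check_cert before gitlab-ctl reconfigure: reconfigure only verifies that nginx can load the files, not that the name in them matches the URL clients will use. After git_trust_cert, a clone from https://172.20.150.239:1443/ verifies the chain against the pinned certificate, while http.sslVerify stays at its default for every other remote.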