GitLab CE community version of HTTPS mode configuration (yum)

Source: Internet
Author: User
Tags openssl rsa openssl x509

GitLab CE community version of HTTPS mode configuration (yum)

last installed but not https now requires a universal https Span style= "font-size:19px;font-family: ' the song Body '; > Today we will configure https https access to the landing and git also not https

650) this.width=650; "src=" https://s5.51cto.com/wyfs02/M01/8C/D1/wKiom1h49uCzyV4LAAIOJE0C_W8696.png "title=" 1.png "alt=" Wkiom1h49uczyv4laaioje0c_w8696.png "/>

First back up our configuration and files in case we change the error fallback

Backup configuration executes directly, first into your own backup directory .

tar-zpcf$ (date "+etc-gitlab_%y%m%d_%h%m%s.tar.gz")/etc/gitlab


650) this.width=650; "src=" https://s5.51cto.com/wyfs02/M01/8C/CE/wKioL1h49w_xfGybAAEPxfRMCUI146.png "title=" 2.png "alt=" Wkiol1h49w_xfgybaaepxfrmcui146.png "/>

backup files, Default in /var/opt/gitlab/backup directory does not know can see configuration file

gitlab_rails[' backup_path ']= "/var/opt/gitlab/backups" of the Properties

If the problem is directly restored to the original

Recovery: Stop database service execution restore specified file number

Gitlab-ctl Stop Unicorngitlab-ctl stop sidekiqgitlab-rake gitlab:backup:restore backup=1484296250


input Yes It's all Right.

then restart the service: gitlab-ctl Restart It's all Right.

650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M00/8C/D1/wKiom1h49y_Ac9hsAALIvBTnBqk052.png "title=" 3.png "alt=" Wkiom1h49y_ac9hsaalivbtnbqk052.png "/>

To generate a certificate:

Because I'm playing it myself, without the certificate of the browser trust authority, I command to generate a certificate, which is also encrypted only the browser does not recognize.

To establish a certificate and set permissions, this permission must be:

Mkdir-p/etc/gitlab/ssl && chmod 700/etc/gitlab/ssl && Cd/etc/gitlab/ssl


650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M02/8C/D1/wKiom1h490mzw4KsAAGa0glJFR0055.png "title=" 4.png "alt=" Wkiom1h490mzw4ksaaga0gljfr0055.png "/>

Create a server private key, and the command will let you enter a password: ( It is best not to enter the password, as if not input, I enter 1234 and then use the command to cancel the password )

OpenSSL genrsa-des3-out Server.key 1024

650) this.width=650; "src=" https://s4.51cto.com/wyfs02/M02/8C/CE/wKioL1h496ySwgaTAAI9cVW4JUg534.png "title=" 5.png "alt=" Wkiol1h496yswgataai9cvw4jug534.png "/>

Create a certificate for the signing request ( CSR ):

OpenSSL Req-new-key server.key-out SERVER.CSR

Need to enter the password just now, National province City domain name mailbox and other information

finally, two files were Generated.

650) this.width=650; "src=" https://s5.51cto.com/wyfs02/M00/8C/CE/wKioL1h493riOjaUAAOUfSD51hc116.png "title=" 6.png "alt=" Wkiol1h493riojauaaoufsd51hc116.png "/>


in the Load SSL supported by Nginx and use the above private key when you want to remove the password you just set:

just back up the CSR file

CP server.keyserver.key.org


removal command, directly covering the Server.key the

OpenSSL rsa-inserver.key.org-out Server.key


The last token certificate uses the above private key and CSR : (put CSR marked and converted into a CRT Nginx to use Key and the CRT files)

OpenSSL x509-req-days 365-in server.csr-signkey server.key-out server.crt


650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M00/8C/D1/wKiom1h4-OOSt0EzAAIDNQdEf7s073.png "title=" 7.png "alt=" Wkiom1h4-oost0ezaaidnqdef7s073.png "/>

Direct Modification Gitlab the configuration file is running Gitlab-ctl Reconfigure , this command will import the files you have configured into Nginx configuration file, Running this command will let Nginx configuration changes can be seen Below:

Vim/etc/gitlab/gitlab.rb


Configurations that need to be modified:

External_url "https://192.168.61.128" nginx[' Redirect_http_to_https ']= truenginx[' ssl_certificate ']= '/etc/gitlab/ SSL/SERVER.CRT "nginx[' Ssl_certificate_key ']="/etc/gitlab/ssl/server.key "


650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M02/8C/D1/wKiom1h4-hei5bp2AAKA87WGyqg411.png "title=" 12. PNG "alt=" wkiom1h4-hei5bp2aaka87wgyqg411.png "/>

650) this.width=650; "src=" https://s3.51cto.com/wyfs02/M00/8C/D1/wKiom1h5B66yrfVxAAO8-i0DafY556.png "title=" 17. PNG "alt=" wkiom1h5b66yrfvxaao8-i0dafy556.png "/>

Run Gitlab-ctl Reconfigure ( make configuration effective ) after Nginx configuration has changed to:

is automatically added HTTP80 Jump to 443 the configuration of the is not written by itself.

gitlab-ctlreconfigure The order is very cool.


650) this.width=650; "src=" https://s1.51cto.com/wyfs02/M01/8C/D1/wKiom1h5CAngDUIbAAR646HgDBc717.png "title=" 18. PNG "alt=" wkiom1h5cangduibaar646hgdbc717.png "/>


Last Restart Service

when all of the above has been completed , Use gitlab-ctl Restart (to Restart all services) , Ready to use HTTPS Access GitLab , the certificate is at risk because our HTTPS is not issued by a certificate Authority.

After the reboot is complete, we need to look at Nginx configuration key and CRT path to No.

Here are the Effects:


650) this.width=650; "src=" https://s2.51cto.com/wyfs02/M00/8C/CE/wKioL1h4_I-Q-YYKAAG2r7WhSQg433.png "title=" 13. PNG "alt=" wkiol1h4_i-q-yykaag2r7whsqg433.png "/>

Reference:https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md

Http://serverfault.com/questions/665736/ssl-routinesssl23-writessl-handshake-failure-nginx-on-centos-7

According to the above way has implemented the configuration of our https, the following is the problem I Encountered.

Summary of Issues:


I've seen a lot of people's configuration before, and they're going to modify it themselves Nginx the configuration,

Configure First Nginx to support HTTPS

default configuration file directory /var/opt/gitlab/nginx/conf

gitlab-http.conf nginx.conf Both of these need to be configured

Configure First gitlab-http.conf Listen Port replaced by 443

Add Content To:

Listen *:443

SSL on;

ssl_certificate/etc/gitlab/ssl/server.crt;

ssl_certificate_key/etc/gitlab/ssl/server.key;

Ssl_protocols SSLv3 TLSv1;

ssl_ciphersall:!anull:! adh:!enull:! low:! exp:rc4+rsa:+high:+medium;


650) this.width=650; "src=" https://s2.51cto.com/wyfs02/M01/8C/CE/wKioL1h5AYujk_VZAALyhzz8lrg325.png "title=" 8.png "alt=" Wkiol1h5ayujk_vzaalyhzz8lrg325.png "/>

Add a configuration file to HTTP Jump HTTPS:

/var/opt/gitlab/nginx/conf/index.conf

server {

Listen *:80;

server_name 192.168.61.128;

Rewrite ^ (. *) $ Https://$host $ permanent;

}

650) this.width=650; "src=" https://s2.51cto.com/wyfs02/M02/8C/CE/wKioL1h5Aafwg8PwAAD00HXUDQw102.png "title=" 9.png "alt=" Wkiol1h5aafwg8pwaad00hxudqw102.png "/>

Last modified /var/opt/gitlab/nginx/conf/nginx.conf configuration file , Add the following to the content , to load the configuration file just now index.conf (need to put gzip off Close ; ) :

include/var/opt/gitlab/nginx/conf/index.conf;

650) this.width=650; "src=" https://s5.51cto.com/wyfs02/M01/8C/CE/wKioL1h5AcjRWxWMAAHZgwtqjEk613.png "title=" 10. PNG "alt=" wkiol1h5acjrwxwmaahzgwtqjek613.png "/>

This configuration is complete before you modify the gitlab.rb files Run after Gitlab-ctl Reconfigure

after the order, we add the above-mentioned Nginx the configuration was flushed Out.

This is the only way to Run:

git lab-ctl Stop Nginx stops Nginx

Gitlab-ctl start Nginx

This will never run the Gitlab-ctl reconfigure Command. That's not a good way. The way I use it the Most.

There is one more question:

When you use git to command clone,

git clone https://192.168.61.128/root/test.git error occurred: fatal:destination path ' test ' already exists and is not an empty Direc Tory.git Config--global http.sslverify false off can clone, is our certificate is not the reason why the certification authority git Config--global http.sslverify true to open


650) this.width=650; "src=" https://s3.51cto.com/wyfs02/M02/8C/CE/wKioL1h5A7LS_ZAVAAC1lT97nsA570.png "title=" 16. PNG "alt=" wkiol1h5a7ls_zavaac1lt97nsa570.png "/>

Today's https is even done here. It's late, January 14, 2017, 00:45:39 to Bed.

GitLab CE community version of HTTPS mode configuration (yum)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.