Configuring HTTPS for GitLab CE (Community Edition, yum install)
The GitLab we installed last time did not use HTTPS. HTTPS is now expected everywhere, so today we will configure HTTPS so that both web login and git access go over HTTPS.
First, back up the configuration and data so that we can roll back if a change goes wrong.
To back up the configuration, change into your own backup directory first, then run:
tar -zpcf $(date "+etc-gitlab_%Y%m%d_%H%M%S.tar.gz") /etc/gitlab
Data backups are stored in the /var/opt/gitlab/backups directory by default. If you are not sure, check this setting in the configuration file:
gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
If something goes wrong, restore directly to the original state.
Recovery: stop the services that use the database, then restore the backup with the specified number:
gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq
gitlab-rake gitlab:backup:restore BACKUP=1484296250
Enter yes when prompted.
Then restart the services:
gitlab-ctl restart
To generate a certificate:
Because I'm only experimenting, I don't have a certificate from an authority that browsers trust, so I generate one from the command line. The traffic is still encrypted; the browser just does not recognize the certificate.
Create the certificate directory and set its permissions (these permissions are required):
mkdir -p /etc/gitlab/ssl && chmod 700 /etc/gitlab/ssl && cd /etc/gitlab/ssl
Create the server private key. The command asks you to enter a passphrase (it is best not to set one, but it seems you cannot skip it; I entered 1234 and removed the passphrase afterwards with a command):
openssl genrsa -des3 -out server.key 1024
Create the certificate signing request (CSR):
openssl req -new -key server.key -out server.csr
You need to enter the passphrase set just now, followed by the country, province, city, domain name, email address and other information.
In the end, two files have been generated.
So that nginx can load the private key above with SSL enabled, remove the passphrase you just set.
First make a backup copy of the file:
cp server.key server.key.org
Then remove the passphrase, overwriting server.key directly:
openssl rsa -in server.key.org -out server.key
Finally, sign the certificate using the private key and CSR above (this signs the CSR and converts it into a CRT; nginx uses the key and CRT files):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
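A check worth running on the two files before pointing gitlab.rb at them, as an added example (not part of the original post): it confirms that server.key and server.crt carry the same public key and reports the key size. The 2048-bit minimum is an assumption of this example; the 1024-bit key generated above would return status 3 under it.

```shell
#!/bin/sh
# Added example: confirm that a private key and certificate belong together
# and that the key is not undersized. MIN_BITS defaults to 2048 (assumption).

# cert_bits CRT: print the public key size in bits recorded in the certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# pair_matches KEY CRT: succeed only if both files carry the same public key.
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# check_pair KEY CRT [MIN_BITS]
# returns 0 = usable, 1 = key and certificate differ,
#         2 = a file could not be read, 3 = key smaller than MIN_BITS
check_pair() {
    pair_matches "$1" "$2" || return $?
    bits=$(cert_bits "$2")
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "${3:-2048}" ] || return 3
    return 0
}

# When invoked with arguments, check the given files, e.g.
#   sh check_pair.sh /etc/gitlab/ssl/server.key /etc/gitlab/ssl/server.crt
if [ "$#" -ge 2 ]; then
    check_pair "$@"
    echo "check_pair exit status: $?"
fi
```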
Edit the GitLab configuration file directly and then run gitlab-ctl reconfigure. This command writes the settings you configured into the nginx configuration file; the resulting nginx changes are described further down.
vim /etc/gitlab/gitlab.rb
Settings that need to be modified:
external_url "https://192.168.61.128"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key"
After running gitlab-ctl reconfigure (to make the configuration take effect), the nginx configuration has changed.
The configuration that redirects HTTP port 80 to 443 was added automatically; it was not written by hand.
The gitlab-ctl reconfigure command is very cool.
Finally, restart the services.
When all of the above has been completed, run gitlab-ctl restart (to restart all services) and GitLab is ready to be accessed over HTTPS. The browser reports the certificate as a risk because our HTTPS certificate was not issued by a certificate authority.
After the restart is complete, check whether the key and CRT paths in the nginx configuration are correct.
Reference:
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md
http://serverfault.com/questions/665736/ssl-routinesssl23-writessl-handshake-failure-nginx-on-centos-7
The steps above are all that is needed to configure HTTPS. Below are the problems I encountered.
Summary of issues:
I've seen a lot of people's configurations before, and they modify the nginx configuration themselves:
First configure nginx to support HTTPS.
The default configuration file directory is /var/opt/gitlab/nginx/conf
gitlab-http.conf and nginx.conf both need to be configured.
First edit gitlab-http.conf and change the listen port to 443.
Add the following content:
listen *:443;
ssl on;
ssl_certificate /etc/gitlab/ssl/server.crt;
ssl_certificate_key /etc/gitlab/ssl/server.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
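The ssl_protocols and ssl_ciphers lines above enable SSLv3, TLSv1 and RC4, which current clients and scanners treat as legacy. A small auditor for such directives, as an added example (not part of the original post or of GitLab; the deny-lists and the values in the hardened sample are assumptions):

```shell
#!/bin/sh
# Added example: audit nginx TLS directives for legacy protocols and ciphers.
# The deny-lists and the hardened values are assumptions of this example.

# Constructed sample: the directives shown on this page for gitlab-http.conf.
weak_conf() {
cat <<'EOF'
listen *:443;
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
EOF
}

# Constructed sample: a stricter variant (assumed values, not from the page).
hardened_conf() {
cat <<'EOF'
listen *:443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
EOF
}

# audit_tls [FILE]: print one finding per line; exit status 1 if any were found.
audit_tls() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    { sub(/#.*/, ""); gsub(/;/, "") }        # strip comments and terminators
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) report("legacy protocol " $i)
    }
    $1 == "ssl_ciphers" {
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^[!+-]/) continue  # "!" and "-" remove suites, "+" only reorders
            m = split(toupper(tok[i]), part, /[+]/)
            for (j = 1; j <= m; j++)
                if (part[j] ~ /^(ALL|RC4|MD5|DES|3DES|EXP|EXPORT|LOW|MEDIUM|ANULL|ENULL|ADH)$/) {
                    report("weak or over-broad cipher selector " tok[i]); break
                }
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

echo "page directives:";  weak_conf | audit_tls
echo "hardened variant:"; hardened_conf | audit_tls && echo "no findings"
```

With Omnibus GitLab the same values are set through nginx['ssl_protocols'] and nginx['ssl_ciphers'] in gitlab.rb, so they survive gitlab-ctl reconfigure.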
Add a configuration file that redirects HTTP to HTTPS:
/var/opt/gitlab/nginx/conf/index.conf
server {
    listen *:80;
    server_name 192.168.61.128;
    rewrite ^(.*)$ https://$host$1 permanent;
}
Finally, edit the /var/opt/gitlab/nginx/conf/nginx.conf configuration file and add the following line to load the index.conf file just created (gzip needs to be switched off with gzip off;):
include /var/opt/gitlab/nginx/conf/index.conf;
With this the configuration is complete, but once you modify gitlab.rb and run gitlab-ctl reconfigure, the nginx configuration we added above is wiped out.
So this is the only way to run it:
gitlab-ctl stop nginx (stops nginx)
gitlab-ctl start nginx
This means you can never run the gitlab-ctl reconfigure command again. That's not a good way. The way I used is the best.
There is one more problem:
When you clone with the git command,
git clone https://192.168.61.128/root/test.git
an error occurred: fatal: destination path 'test' already exists and is not an empty directory.
git config --global http.sslverify false (turn verification off and the clone works; the reason is that our certificate is not from a certificate authority)
git config --global http.sslverify true (turn verification back on)
That's it for today's HTTPS setup. It's late (January 14, 2017, 00:45:39), time for bed.