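As the title says, I am trying to serve Gitlab through an nginx reverse proxy, with both programs running in separate docker containers connected through a docker network. A picture as an example: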
Linux Host
 ____________________________
|                            |
|  Docker                    |
|  __________________________|
| |                          |
| | Docker network (test-net)|
| |  ________________________|
| | |                        |
| | |   nginx      gitlab    |    Only nginx has a port bound to the host (443).
| | |   |   |      |   |     |    TLS is terminated at nginx as well.
| | |   |   | -->  |   |     |    in my test, I have nginx running as localhost.
| | |   |___|      |___|     |    To access gitlab, hit https://localhost/git/
| | |________________________|
| |__________________________|
|____________________________|
nginx is run with the following docker command:
docker run -dit --network=test-net --name=nginx -p 443:443 -v "$PWD/conf":/etc/nginx:ro nginx:alpine && docker logs -f nginx
nginx.conf
<Removed unnecessary config from here, very basic setup>
http {
    keepalive_timeout 65;
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate localhost.crt;
        ssl_certificate_key localhost.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location /git/ {
            proxy_pass http://test/;
        }
    }
}
gitlab.rb
<only relevant parts added here>
external_url 'https://localhost'
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "http",
  "Upgrade" => "$http_upgrade",
  "X-Forwarded-Ssl" => "on",
  "Connection" => "$connection_upgrade"
}
nginx['custom_error_pages'] = {
  '404' => {
    'title' => '404',
    'header' => 'You\'ve been hit by !! You\'ve been struck by ! A false URL.',
    'message' => 'Double check that URL! Is it correct?'
  }
}
docker-compose.yml
For gitlab:
version: '3.7'
services:
  gitlab:
    image: 'internal-docker-repo:1234/gitlab/gitlab-ce:11.8.3-ce.0'
    restart: always
    hostname: 'test'
    container_name: test
    volumes:
      - './config:/etc/gitlab:rw'
    networks:
      - net
networks:
  net:
    external: true
    name: test-net
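Internally (on the docker network), nginx is known as nginx, and gitlab is known as test. I have confirmed that I can ping each container from inside the other using the container names.
As it stands, it almost works. When I hit https://localhost/git/ on my Linux host, I get a 404 error page from gitlab, but no login screen.
I'm obviously missing something, but I'm not sure what the problem is. I have a hard time telling whether this is an NGinx config issue or a Gitlab config issue.
Log output when I hit https://localhost/git/
nginx log output: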
172.19.0.1 - - [07/Jan/2020:21:28:35 +0000] "GET /git/ HTTP/1.1" 404 2289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
gitlab log output:
test | ==> /var/log/gitlab/nginx/gitlab_access.log <==
test | 172.19.0.3 - - [07/Jan/2020:21:28:35 +0000] "GET / HTTP/1.0" 404 2289 "" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
test |
test | ==> /var/log/gitlab/gitlab-workhorse/current <==
test | 2020-01-07_21:28:35.10649 test 127.0.0.1:0 - - [2020/01/07:21:28:35 +0000] "GET / HTTP/1.1" 404 3108 "" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" 0.001
test |
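Answer 1
I think at least one issue (if not the most important one) is that gitlab expects https://localhost as the URL in the browser. Unfortunately, you are not providing this, but https://localhost/git, although the request clearly reaches the backend (i.e. the gitlab container).
Changing the external url directive on the internal nginx to "https://localhost/git" might work as a quick fix. Obviously you will need to reconfigure gitlab afterwards:
sudo gitlab-ctl reconfigure
However, if I were you, I would use a dedicated domain for gitlab (and therefore a separate server block in nginx), as that would seem cleaner to me. It would look like this: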
server {
    listen 443 ssl;
    server_name gitlab.example.com;
    ssl_certificate localhost.crt;
    ssl_certificate_key localhost.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://test/;
    }
}
Then change external_url to gitlab.example.com.
Since you are working with localhost anyway, I don't think it would be much trouble to add this new domain name in /etc/hosts: 127.0.0.1 gitlab.example.com
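Answer 2
Cause
The reason you cannot connect is that the location in Nginx does not match the external_url defined in gitlab.rb.
In your Nginx config, you specified location /git/, while in the Gitlab config you used https://localhost. This leads to an error: when a client requests access to https://localhost/git, it will always add "git/" to the end of the URI, but your Gitlab is configured to be accessed through https://localhost, so it will never find the web page!
Solution:
Either change location /git/ to location /, or change https://localhost to https://localhost/git.
Example
Here is my complete configuration on docker, which you can use as a reference:
*Note: 172.16.0.10 is the IP of the Gitlab server; gitlab.drive.nr resolves to the IP of the Nginx server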
Nginx docker:
$ cat nginx-r.sh
sudo docker run -itd --name=nginx-r \
    --network=testenv \
    --ip 172.16.0.3 \
    --dns 172.16.0.2 \
    -h rproxy.drive.nr \
    -p 80:80 -p 443:443 \
    -v nginx-config:/etc/nginx \
    -v nginx-certs:/etc/ssl/private \
    nginx:alpine
Gitlab docker:
$ cat gitlab.sh
sudo docker run --detach \
    --hostname gitlab.drive.nr \
    --name gitlab \
    --restart always \
    --network testenv \
    --ip 172.16.0.10 \
    --dns 172.16.0.2 \
    --volume gitlab-config:/etc/gitlab \
    --volume gitlab-logs:/var/log/gitlab \
    --volume gitlab-data:/var/opt/gitlab \
    gitlab/gitlab-ce:latest
Nginx config:
# cat conf.d/sites-enabled/gitlab.conf
server {
    listen 80;
    location / {
        return 301 https://172.16.0.10;
    }
}
server {
    listen 443 ssl;
    server_name gitlab.drive.nr;
    ssl_certificate /etc/ssl/private/gitlab.crt;
    ssl_certificate_key /etc/ssl/private/gitlab.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    location /git {
        proxy_pass http://172.16.0.10;
    }
}
Gitlab config:
# cat gitlab-config/gitlab.rb |grep -v ^#
external_url 'http://gitlab.drive.nr/git'
Test run
Nginx log:
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git HTTP/1.1" 302 102 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/users/sign_in HTTP/1.1" 302 150 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU HTTP/1.1" 200 9502 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/application-aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b.css HTTP/1.1" 200 149097 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/print-74c3df10dad473d66660c828e3aa54ca3bfeac6d8bb708643331403fe7211e60.css HTTP/1.1" 200 382 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/webpack/runtime.ee78bc38.bundle.js HTTP/1.1" 200 2134 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/highlight/themes/white-3144068cf4f603d290f553b653926358ddcd02493b9728f62417682657fc58c0.css HTTP/1.1" 200 864 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/webpack/main.b91d0a07.chunk.js HTTP/1.1" 200 830262 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:26 +0000] "GET /git/assets/webpack/default.ca6f81b2.chunk.js HTTP/1.1" 200 159 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:27 +0000] "GET /git/assets/icons-e91700f3f1ecff110fc2c35aa62aec8f2aad69d1bfb35844186a11175a79e25f.svg HTTP/1.1" 200 25983 "https://gitlab.drive.nr/git/users/password/edit?reset_password_token=ayjmm32J3Ry_gDR8JbzU" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:27 +0000] "GET /git/assets/touch-icon-ipad-retina-8ebe416f5313483d9c1bc772b5bbe03ecad52a54eba443e5215a22caed2a16a2.png HTTP/1.1" 200 5662 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
172.16.0.1 - - [14/Jan/2020:23:35:27 +0000] "GET /git/assets/favicon-7901bd695fb93edb07975966062049829afb56cf11511236e61bcf425070e36e.png HTTP/1.1" 200 1611 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0" "-"
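The location / external_url mismatch discussed above can be checked mechanically. The following is an added example, not code from any of the posts: it models nginx's documented proxy_pass rule for a single prefix location (a URI part on proxy_pass replaces the matched prefix, no URI part forwards the path unchanged) and compares the result with the path in external_url. The function names, case labels and the /users/sign_in probe path are choices made for this example, and it assumes GitLab only answers under the path of external_url.

```python
from urllib.parse import urlsplit

def upstream_path(location, proxy_pass, request_path):
    """Path nginx forwards for a request handled by one prefix location."""
    if not request_path.startswith(location):
        return None                        # this location does not handle the request
    uri = urlsplit(proxy_pass).path        # "" when proxy_pass has no URI part
    if uri == "":
        return request_path                # no URI part: path is forwarded unchanged
    return uri + request_path[len(location):]  # URI part replaces the matched prefix

def check(location, proxy_pass, external_url, page="/users/sign_in"):
    """Follow one GitLab link through the proxy and report mismatches.

    Assumption: GitLab builds links from the path of external_url and only
    answers requests that arrive under that same path.
    """
    root = urlsplit(external_url).path.rstrip("/")
    public = root + page                   # link GitLab hands to the browser
    sent = upstream_path(location, proxy_pass, public)
    if sent is None:
        return [f"{public} is not covered by 'location {location}'"]
    if sent != public:
        return [f"{public} reaches GitLab as {sent}"]
    return []

# Settings copied from the posts above; the labels are added for this example.
CASES = {
    "question": ("/git/", "http://test/", "https://localhost"),
    "external_url changed, proxy_pass kept": ("/git/", "http://test/", "https://localhost/git"),
    "location changed to /": ("/", "http://test/", "https://localhost"),
    "answer 2": ("/git", "http://172.16.0.10", "http://gitlab.drive.nr/git"),
}

if __name__ == "__main__":
    # The question's request: /git/ is forwarded as /, as the gitlab access log shows.
    print("GET /git/ ->", upstream_path("/git/", "http://test/", "/git/"))
    for name, case in CASES.items():
        print(f"{name}: {check(*case) or 'consistent'}")
```

The second case shows that when external_url gains the /git path, the trailing slash on proxy_pass http://test/ still strips the prefix, so proxy_pass has to forward the path unchanged as well.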
Answer 3
I was facing the exact problem described here.
The following setup made it work.
GitLab Docker:
GITLAB_OMNIBUS_CONFIG: |
  external_url 'http://<domain>/gitlab/'
[...]
ports:
  - "8929:80"
NGINX:
location /gitlab/ {
    # ## https://github.com/gitlabhq/gitlabhq/issues/694
    # ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://<domain>:8929/gitlab/;
}
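Answer 4
I had a similar issue (Gitlab and Nginx both running as Docker containers).
The cause of my error was that I mistakenly used the https protocol when defining the external_url setting.
I.e. it should be:
external_url 'http://MY_DOMAIN'
rather than:
external_url 'https://MY_DOMAIN'
My Nginx config is handling the http -> https redirect for me.
I hope this helps someone who runs into the same problem.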