我不是服务器管理员,所以我不会每天配置 Apache 服务器。
但是我想在我们的服务器上使用带有 SSL 和 Apache 2.4.6 的 Gitlab。(CentOS 7 上的 httpd)。
到目前为止,我已经添加了证书(.pem
)并打开了 SSL。
head -30 /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: gitlab.my-domain.org
port: 443
https: true
# The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
# Default is 95% of the worker timeout
max_request_duration_seconds: 57
Apache 配置:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName gitlab.my-domain.org
ServerSignature Off
ProxyPreserveHost On
ProxyTimeout 60
AllowEncodedSlashes NoDecode
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/some-original-domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/some-original-domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/some-original-domain/chain.pem
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse https://gitlab.my-domain.org/
</Location>
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* https://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
# ErrorDocument 404 /404.html
# ErrorDocument 422 /422.html
# ErrorDocument 500 /500.html
# ErrorDocument 503 /deploy.html
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/gitlab.my-domain_error.log
CustomLog /var/log/httpd/gitlab.my-domain_forwarded.log common_forwarded
CustomLog /var/log/httpd/gitlab.my-domain_access.log combined env=!dontlog
CustomLog /var/log/httpd/gitlab.my-domain.log combined
</VirtualHost>
</IfModule>
肯定是某些配置错误,我只看到:
[proxy_http:error] [pid 18466] (103)Software caused connection abort: [client {IP}:32906] AH01102: error reading status line from remote server 127.0.0.1:8080
[proxy:error] [pid 18466] [client {IP}:32906] AH00898: Error reading from remote server returned by /
我不明白<location>
此配置的一部分在
还适用于wget http://localhost:8080/api/v3/internal/check在服务器上
{....} connection refused
ERROR 410: Gone.
最后gitlab-rake gitlab:check
:
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.7.0 ? ... OK (13.7.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
GitLab Instance / Monitoring ... yes
sdp-dev / sdp-services ... yes
sdp-dev / co2compass-app ... yes
sdp-dev / sdp-api ... yes
sdp-dev / sdp-ops ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 3
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
http
我认为这不是超时问题,因为从我的浏览器发出的整个请求大约需要 150 毫秒。我之前能够通过 Gitlab 实例访问。
任何想法?
编辑:netstat
为了澄清,Gitlab 是否应该在127.0.0.1:8080,我认为那里有这项服务。
netstat -tupln
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9229 0.0.0.0:* LISTEN 28566/gitlab-workho
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 6202/puma: cluster
tcp 0 0 127.0.0.1:9168 0.0.0.0:* LISTEN 28564/puma 4.3.5.gi
tcp 0 0 127.0.0.1:8082 0.0.0.0:* LISTEN 28846/sidekiq 5.2.9
tcp 0 0 127.0.0.1:9236 0.0.0.0:* LISTEN 28523/gitaly
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4950/httpd
tcp6 0 0 ::1:9168 :::* LISTEN 28564/puma 4.3.5.gi
答案1
我之前从未设置过 Gitlab 实例,但看起来您已将 Gitlab 配置为监听 127.0.0.1:443,而不是 apache 配置文件中配置的 127.0.0.1:8080。
您正在使用 apache 设置反向代理,网络流量如下:
GitLab (http://127.0.0.1:8080)-> Apache 反向代理->https://gitlab.my-domain.com/
因此,在你的 Gitlab 配置文件中,更改
port: 443
到
port: 8080
答案2
Apache 配置存在问题:
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
代替https://...
我做的另一个改变是添加
SSLCompression Off
但我完全不确定它的影响。