GitLab: configuring the nginx service [Step 2]

Using the host's own nginx to serve GitLab

Usually a host does not run only GitLab, so we want the server's existing nginx to front GitLab instead of the bundled one.

Method 1 works when GitLab was installed before nginx; if nginx was installed first and GitLab afterwards, Method 1 does not seem to work (my own observation only), so see Method 2.

Method 1

1. Open the configuration file

vi /etc/gitlab/gitlab.rb

2. Edit the configuration

# external host name
external_url 'http://gitlab.xxxxx.com'
# time zone
gitlab_rails['time_zone'] = 'PRC'
# disable the bundled nginx
nginx['enable'] = false
# change the port; 80 may already be taken by tomcat, so use another one
# (unicorn binds to 127.0.0.1 by default, so only the local nginx can reach it)
unicorn['port'] = 18080

3. Reload the configuration and restart

gitlab-ctl reconfigure
gitlab-ctl restart

4. Configure the nginx service (not covered here)

Method 2

1. Open the configuration file

vi /etc/gitlab/gitlab.rb

2. Edit the configuration

# external host name
external_url 'http://gitlab.xxxxx.com'
# time zone
gitlab_rails['time_zone'] = 'PRC'
# disable the bundled nginx
nginx['enable'] = false

3. Add the nginx configuration

upstream gitlab {
  # 7.x versions: the socket lives here
  # server unix:/var/opt/gitlab/gitlab-rails/tmp/sockets/gitlab.socket;
  # 8.0: here (the nginx syntax is "unix:" plus the absolute path, not "unix://")
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket;
}

server {
  listen *:80;

  server_name gitlab.xxxxx.com;   # change to your domain

  server_tokens off;     # don't show the version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  # Increase this if you want to upload large attachments
  # Or if you want to accept large git objects over http
  client_max_body_size 250m;

  # individual nginx logs for this gitlab vhost
  access_log  /var/log/gitlab/nginx/gitlab_access.log;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  location / {
    # serve static files from the defined root folder;
    # @gitlab is a named location for the upstream fallback, see below
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  # if a file is requested that is not found in the root folder,
  # proxy the request to the upstream (gitlab unicorn)
  location @gitlab {
    # If you use https make sure you disable gzip compression
    # to be safe against the BREACH attack

    proxy_read_timeout 300; # Some requests take more than 30 seconds.
    proxy_connect_timeout 300; # Some requests take more than 30 seconds.
    proxy_redirect     off;

    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Host              $http_host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    # X-Frame-Options is a response header; proxy_set_header only changes the
    # request sent upstream, so the original line
    # "proxy_set_header X-Frame-Options SAMEORIGIN;" had no effect and is dropped.
    # Rails already sends X-Frame-Options: SAMEORIGIN in its responses.

    proxy_pass http://gitlab;
  }

  # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  # WARNING: If you are using relative urls do remove the block below
  # See config/application.rb under "Relative url support" for the list of
  # other files that need to be changed for relative url support
  location ~ ^/(assets)/  {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    # gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }

  error_page 502 /502.html;
}

4. Reload the configuration and restart

gitlab-ctl reconfigure
gitlab-ctl restart

5. Permissions

Requests now return 502. The cause is that the nginx user cannot reach the socket file, which belongs to the git user; how you fix the permissions depends on your setup. The brute-force way:

# give o+x (only makes the directories traversable; connecting to a unix socket also needs write permission on the socket itself)
sudo chmod -R o+x /var/opt/gitlab/gitlab-rails
# or give 777
sudo chmod -R 777 /var/opt/gitlab/gitlab-rails

Be aware of what this hands out: chmod -R 777 makes the entire tree, including config files such as etc/database.yml with the database credentials, readable and writable by every local account on the host, not just nginx. The documented alternative is to add the nginx user to the gitlab-www group by setting web_server['external_users'] = ['www-data'] in gitlab.rb and running gitlab-ctl reconfigure; only that user gains access, and the grant is re-applied on every reconfigure.

6. After a reconfigure the 502 may come back, because reconfigure resets the file modes under that tree; repeat step 5.
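To make the difference between the two fixes concrete, here is an added example (not from the original post) that builds a throwaway directory tree with the same layout as /var/opt/gitlab/gitlab-rails, counts what chmod -R 777 exposes, and then applies the narrow grant that only opens the path to the socket. The tree, its database.yml contents and the socket stand-in are constructed sample data; the group passed to grant_socket_path is assumed to be gitlab-www with the nginx user added to it (what the web_server['external_users'] setting arranges on a real host), and the demo uses the caller's own group so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post. Shows what "chmod -R 777"
# on the gitlab-rails tree exposes, and a narrower grant for the nginx user.
# Assumptions: layout mirrors /var/opt/gitlab/gitlab-rails; on a real host the
# group is gitlab-www and the nginx worker user (www-data) is a member of it.

# Build a throwaway tree with the same layout (constructed sample data,
# not a real GitLab install). Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/sockets"
    printf 'production:\n  password: example-db-password\n' > "$d/etc/database.yml"
    : > "$d/sockets/gitlab.socket"    # plain file standing in for the unix socket
    chmod -R u=rwX,g=rX,o= "$d"       # omnibus-style: nothing for "other"
    printf '%s\n' "$d"
}

# Number of regular files below $1 that any local account can write to (o+w).
count_world_writable() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# Number of regular files below $1 that any local account can read (o+r).
count_world_readable() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# The narrow grant: group $2 may traverse the directories on the path to the
# socket and read/write the socket itself. etc/database.yml is untouched.
grant_socket_path() {
    root="$1"; grp="$2"
    chgrp "$grp" "$root" "$root/sockets" "$root/sockets/gitlab.socket" || return 1
    chmod g+x "$root" "$root/sockets" || return 1
    chmod g+rw "$root/sockets/gitlab.socket"
}

# Walk-through on the sample tree: fresh, after 777, after the narrow grant.
demo() {
    t=$(make_sample_tree)
    echo "fresh tree:   writable=$(count_world_writable "$t") readable=$(count_world_readable "$t")"
    chmod -R 777 "$t"                  # the brute-force fix from the post
    echo "after 777:    writable=$(count_world_writable "$t") readable=$(count_world_readable "$t")"
    chmod -R u=rwX,g=rX,o= "$t"        # reset before applying the narrow grant
    grant_socket_path "$t" "$(id -g)"  # caller's own group here; gitlab-www on a real host
    echo "narrow grant: writable=$(count_world_writable "$t") readable=$(count_world_readable "$t")"
    rm -rf "$t"
}

demo
```

The two counts are what a reviewer would check on a real host after step 5: find /var/opt/gitlab/gitlab-rails -type f -perm -004 should list nothing under etc/ once the socket grant is in place.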

7. Configure HTTPS: edit gitlab.rb

external_url "https://hostname.com"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.hostname.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.hostname.com.key"

Only external_url has an effect here: GitLab uses it to generate https:// links, and the host nginx must pass X-Forwarded-Proto https for that to be correct. The three nginx[...] lines belong to the bundled nginx and are not applied while nginx['enable'] = false, so the redirect and the certificate paths have to be configured in the host nginx instead. Keep the key file readable by root only; the nginx master process loads it before dropping privileges.

8. Configure HTTPS: edit nginx

The snippet originally used "ssl on;" with "ssl_protocols SSLv3 TLSv1;" and a cipher list that included RC4. SSLv3 (POODLE) and RC4 are broken, TLS 1.0 is deprecated, and "ssl on" has been deprecated since nginx 1.15 in favour of "listen 443 ssl". The block below keeps the certificate paths and corrects those settings:

listen 443 ssl;
  ssl_certificate /etc/gitlab/ssl/gitlab.hostname.com.crt;
  ssl_certificate_key /etc/gitlab/ssl/gitlab.hostname.com.key;
  # TLS 1.2+ with forward-secret AEAD ciphers only
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
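Since Method 1 leaves the nginx side out ("not covered here") and step 8 only shows the TLS directives, here is one complete vhost for the host's nginx, added as an example and not taken from the original post or from GitLab's own templates. It covers both: the upstream is the TCP port from unicorn['port'] (Method 1, no socket permissions to fix), with the Method 2 unix socket shown as the alternative, and the TLS server block plus the HTTP-to-HTTPS redirect that the bundled nginx would otherwise have handled. The host name gitlab.example.com, the certificate paths under /etc/gitlab/ssl/ and port 18080 are assumptions; adjust them to your own values.

```nginx
# Added example (not from the original post): a complete HTTPS vhost for
# the host's own nginx. Assumed names: gitlab.example.com, the
# /etc/gitlab/ssl/ paths, unicorn on 127.0.0.1:18080 (unicorn['port']).

upstream gitlab {
    # Method 1: unicorn bound to a local TCP port; nothing to chmod.
    server 127.0.0.1:18080 fail_timeout=0;
    # Method 2 alternative: the unix socket instead of the port.
    # server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

# Plain HTTP only redirects; nothing is proxied over it.
server {
    listen 80;
    server_name gitlab.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;
    server_tokens off;

    ssl_certificate     /etc/gitlab/ssl/gitlab.example.com.crt;
    ssl_certificate_key /etc/gitlab/ssl/gitlab.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # Enable HSTS only once the redirect above is confirmed to work;
    # browsers cache it for max-age seconds.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /opt/gitlab/embedded/service/gitlab-rails/public;
    client_max_body_size 250m;
    # BREACH: no compression of dynamic responses over TLS.
    gzip off;

    location / {
        try_files $uri $uri/index.html $uri.html @gitlab;
    }

    location @gitlab {
        proxy_read_timeout    300;
        proxy_connect_timeout 300;
        proxy_redirect        off;
        # Tell Rails the client connection was HTTPS so generated links and
        # secure cookies are correct (external_url must also be https://).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl   on;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://gitlab;
    }

    location ~ ^/(assets)/ {
        expires max;
        add_header Cache-Control public;
        # add_header in a location replaces the server-level set, so HSTS
        # has to be repeated here or asset responses would lack it.
        add_header Strict-Transport-Security "max-age=63072000" always;
    }

    error_page 502 /502.html;
}
```

Run nginx -t after installing it, and, with the TCP upstream, make sure unicorn really listens on 127.0.0.1 only (ss -ltnp | grep 18080) so the unencrypted backend is not reachable from other hosts.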

Pitfalls you may hit if it does not start

1. Sass::SyntaxError: File to import not found or unreadable...

# install node first (not covered here), then point npm back at a domestic mirror
cd /opt/gitlab/embedded/service/gitlab-rails
npm install
# restart the services
gitlab-ctl restart

Note: point npm at a domestic mirror, otherwise the install is very slow. Errors during the run can be ignored for now; they come from the Node.js version. Two caveats: a third-party mirror is something you are trusting to hand you unmodified packages, so only use one you trust, and anything installed by hand under /opt/gitlab is not managed by the omnibus package, so expect to repeat this after the next upgrade if the error returns.

2. If the site loads, open Chrome's developer tools and check whether any assets fail to load

# nginx configuration
location /assets {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    index index.html;
}

With this, nginx serves the static assets straight from disk, while every other request still goes through Rails, which keeps its own authentication and access checks. Note that the location ~ ^/(assets)/ block in the configuration above already covers this path; keep only one of the two.
