gitlab启用https
为了防止内网渗透,将gitlab服务的访问添加了ssl,具体步骤如下:
-
修改配置文件
[xieshuang@VM_177_101_centos gitlab]$ sudo vim /etc/gitlab/gitlab.rb #13行的 http >> https external_url 'https://ip:port' #修改nginx配置 810行 nginx['redirect_http_to_https'] =true nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key"
-
生成秘钥与证书
#秘钥脚本,将以下内容保存为shell脚本,然后运行 #出现提示输入信息的地方输入信息,先输入域名然后4次证书密码,任意密码,四次保持一致。 #!/bin/sh # create self-signed server certificate: read -p "Enter your domain [139.199.125.93]: " DOMAIN echo "Create server key..." openssl genrsa -des3 -out $DOMAIN.key 1024 echo "Create server certificate signing request..." SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN" openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr echo "Remove password..." mv $DOMAIN.key $DOMAIN.origin.key openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key echo "Sign SSL certificate..." openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt echo "TODO:" echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt" echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key" echo "Add configuration in nginx:" echo "server {" echo " ..." echo " listen 443 ssl;" echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;" echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;" echo "}" #执行成功后生成文件如下: [xieshuang@VM_177_101_centos src]$ ls 139.199.125.93.crt 139.199.125.93.origin.key nginx-1.7.12 vim-7.3.tar.bz2 139.199.125.93.csr apache-tomcat-8.5.28.tar.gz ssl_genKey.sh vimcdoc-1.8.0 139.199.125.93.key gitlab-ce-10.0.0-ce.0.el7.x86_64.rpm vim73 vimcdoc-1.8.0.tar.gz #移动到相应的位置 sudo mkdir -p /etc/gitlab/ssl sudo chmod 700 /etc/gitlab/ssl/ -R su cp 139.199.125.93.crt /etc/gitlab/ssl/server.crt sudo cp 139.199.125.93.key /etc/gitlab/ssl/server.key
-
重建配置:
sudo gitlab-ctl reconfigure
浏览器进行https访问: