Linux,security,network,system,http,web

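Deploying GitLab over HTTPS with a self-signed certificate

Get the installation package

The deployment environment is a minimal installation of Ubuntu 18.04.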

$ wget https://packages.gitlab.com/gitlab/gitlab-ce/packages/ubuntu/xenial/gitlab-ce_11.11.5-ce.0_amd64.deb

Installation

  • Configure the system locale before installing
$ cat <<EOF | tee /etc/environment
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
EOF
  • Install through the package manager
$ dpkg -i gitlab-ce_11.11.5-ce.0_amd64.deb
  • The official project also provides a more convenient installation method
$ curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

Configure HTTPS

  • Generate the certificate
$ mkdir /etc/gitlab/ssl
$ openssl genrsa -out /etc/gitlab/ssl/gitlab.ccav.tech.key 2048
$ openssl req -new -key /etc/gitlab/ssl/gitlab.ccav.tech.key -out /etc/gitlab/ssl/gitlab.ccav.tech.csr
$ openssl x509 -req -days 3650 -in /etc/gitlab/ssl/gitlab.ccav.tech.csr -signkey /etc/gitlab/ssl/gitlab.ccav.tech.key -out /etc/gitlab/ssl/gitlab.ccav.tech.crt
$ openssl dhparam -out /etc/gitlab/ssl/dhparams.pem 2048
$ rm -f /etc/gitlab/ssl/gitlab.ccav.tech.csr
$ chmod 600 /etc/gitlab/ssl/*
  • Edit the GitLab configuration file
$ vim /etc/gitlab/gitlab.rb
...
external_url 'https://gitlab.ccav.tech'
...
nginx['redirect_http_to_https'] = true
...
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.ccav.tech.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.ccav.tech.key"
...
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"

Configure SMTP

$ vim /etc/gitlab/gitlab.rb
...
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.qq.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "122922679@qq.com"
gitlab_rails['smtp_password'] = "bgzruoxjrbeubhib"
gitlab_rails['smtp_domain'] = "qq.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true

gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'admin@s4lm0x.com'
gitlab_rails['gitlab_email_display_name'] = 'Gitlab'
...
  • Apply the updated GitLab configuration
$ gitlab-ctl reconfigure
  • Configure nginx
$ vim /var/opt/gitlab/nginx/conf/gitlab-http.conf
...
server {
  listen *:80;

  server_name gitlab.ccav.tech;
  server_tokens off;
  rewrite ^(.*)$  https://$host$1 permanent;

  location / {
    return 301 https://gitlab.ccav.tech:443$request_uri;
  }

}
...
  • Start the service
$ gitlab-ctl start

Initialize the administrator account

$ gitlab-rails console production
irb(main):001:0> u=User.where(id:1).first
irb(main):002:0> u.password='12345678'
irb(main):003:0> u.password_confirmation='12345678'
irb(main):005:0> u.save!
irb(main):006:0> exit

Test sending email

  • Enter the console, then send an email
$ gitlab-rails console

irb(main):001:0> Notify.test_email('122922679@qq.com', 'mail', 'send-mail-test').deliver_now

Chinese localization

This step is entirely unnecessary.

  • Get the localization package
$ wget https://gitlab.com/xhang/gitlab/-/archive/v11.11.5-zh/gitlab-v11.11.5-zh.tar.bz2
$ tar xf gitlab-v11.11.5-zh.tar.bz2
  • Back up
$ gitlab-ctl stop
$ cp -a /opt/gitlab/embedded/service/gitlab-rails /data/gitlab-rails-bak
  • Replace
$ cp -rf gitlab-v11.11.5-zh/* /opt/gitlab/embedded/service/gitlab-rails
  • Restart the service
$ gitlab-ctl reconfigure
$ gitlab-ctl start

Create a repository to test

  • Clone the repository
$ git -c http.sslverify=false clone https://gitlab.ccav.tech/root/test-repo.git
  • Push to the repository
$ git -c http.sslverify=false push -u origin master

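Otherwise git has to be told to ignore the certificate on every command. Verification can be disabled for a single repository, or disabled globally.

  • Ignore for a single repository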
$ git config http.sslVerify "false"
  • Ignore globally
$ git config --global http.sslVerify "false"
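
Setting `http.sslVerify` to false switches off server certificate checking for every HTTPS remote the setting covers; trusting a copy of the self-signed certificate through a URL-scoped `http.<url>.sslCAInfo` keeps verification on. The following is an added example, not part of the original post: it audits git config text for every spelling git reads as "off" and reports the scope affected. The sample configs and the client-side certificate path are constructed assumptions, and `include` directives are not followed.

```python
import re

# Values git reads as boolean false (case-insensitive); "" is a bare `key =`.
FALSE_VALUES = {"false", "no", "off", "0", ""}
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]')


def disabled_tls_scopes(config_text):
    """Return {scope: line_no} where http.sslVerify ends up switched off.
    scope is "*" for bare [http] (all remotes) or the URL of [http "<url>"]."""
    section, scope, state = None, None, {}
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()   # section names ignore case
            scope = header.group(2) or "*"
            line = line[header.end():]          # "[http] key = v" on one line
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if not line or section != "http":
            continue
        key, has_eq, value = line.partition("=")
        if key.strip().lower() != "sslverify":  # key names ignore case
            continue
        value = value.strip().strip('"').lower()
        # A key with no "=" at all is boolean true; the last assignment wins.
        state[scope] = (bool(has_eq) and value in FALSE_VALUES, line_no)
    return {s: n for s, (off, n) in state.items() if off}


# Constructed sample: state left by `git config --global http.sslVerify "false"`.
WEAK = """[user]
    name = dev
[http]
    sslVerify = false
"""
# Constructed sample: verification stays on and only this host trusts a copy of
# the server's .crt (the client-side path is an assumption).
PINNED = """[http "https://gitlab.ccav.tech/"]
    sslCAInfo = /home/dev/certs/gitlab.ccav.tech.crt
"""
# Constructed sample: other spellings of "off", plus a later override to true.
TRICKY = """[HTTP]
    SSLVERIFY = Off  ; same as false
[http "https://gitlab.ccav.tech/"]
    sslverify = 0
    sslVerify = true
[http "https://other.example/"] sslVerify =
"""
```

The pinned form can be written with `git config --global http.https://gitlab.ccav.tech/.sslCAInfo <path to the copied .crt>` after removing the `sslVerify` entry.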

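GitLab data backup

The gitlab-rake command can back up and restore data. Before backing up, the sidekiq and unicorn services need to be stopped.

  • Stop the services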
$ gitlab-ctl stop unicorn
$ gitlab-ctl stop sidekiq
  • Back up the data

    > The backup command can be run from any directory; the backup file is stored under `/var/opt/gitlab/backups`
    
$ gitlab-rake gitlab:backup:create
$ ll /var/opt/gitlab/backups
total 100K
-rw------- 1 git git 100K Jul 18 20:46 1563454019_2019_07_18_11.11.5_gitlab_backup.tar
  • Restore the data
$ gitlab-rake gitlab:backup:restore BACKUP=1563454019_2019_07_18_11.11.5