为了防止内网渗透,将gitlab服务的访问添加了ssl,具体步骤如下:
-
修改配置文件
[xieshuang@VM_177_101_centos gitlab]$ sudo vim /etc/gitlab/gitlab.rb #13行的 http >> https
external_url 'https://ip:port' #修改nginx配置 810行
nginx['redirect_http_to_https'] =true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key" -
生成秘钥与证书
#秘钥脚本,将以下内容保存为shell脚本,然后运行
#出现提示输入信息的地方输入信息,先输入域名然后4次证书密码,任意密码,四次保持一致。 #!/bin/sh # create self-signed server certificate: read -p "Enter your domain [139.199.125.93]: " DOMAIN echo "Create server key..." openssl genrsa -des3 -out $DOMAIN.key 1024 echo "Create server certificate signing request..." SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN" openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr echo "Remove password..." mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key echo "Sign SSL certificate..." openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo " ..."
echo " listen 443 ssl;"
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}" #执行成功后生成文件如下:
[xieshuang@VM_177_101_centos src]$ ls
139.199.125.93.crt 139.199.125.93.origin.key nginx-1.7.12 vim-7.3.tar.bz2
139.199.125.93.csr apache-tomcat-8.5.28.tar.gz ssl_genKey.sh vimcdoc-1.8.0
139.199.125.93.key gitlab-ce-10.0.0-ce.0.el7.x86_64.rpm vim73 vimcdoc-1.8.0.tar.gz #移动到相应的位置
sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl/ -R
su cp 139.199.125.93.crt /etc/gitlab/ssl/server.crt sudo cp 139.199.125.93.key /etc/gitlab/ssl/server.key -
重建配置:
sudo gitlab-ctl reconfigure
浏览器进行https访问: