Git clone failure over https with gitlab behind certificate-protected apache

Time: 2014-03-18 10:52:58

Tags: git apache ssl certificate gitlab

I have a server running gitlab. All access to this server must go through apache https, and the client must present a valid certificate signed by the CA that also issued the server certificate.

After a lot of research, I have been able to access the gitlab interface from a browser. But I cannot clone a repository. I seem to be able to present the correct certificate at the apache level, but then I get "401 Unauthorized". I guess the git authentication with the ssh public/private key pair is failing.

After entering the certificate password several times, in the console or in the askpass GUI, I get the following output:

$ GIT_SSL_CERT=~/.ssh/cert.pem git clone https://host/gitlab/xxx/yyy.git
Cloning into 'yyy'...
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
*   Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=FR; O=xyz; OU=Technique; CN=host.domain
*        start date: 2014-03-11 12:53:46 GMT
*        expire date: 2019-03-11 12:53:46 GMT
*        issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ 
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* The requested URL returned error: 401 Unauthorized
* Closing connection #0
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
*   Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL re-using session ID
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=FR; O=xyz; OU=Technique; CN=host.domain
*        start date: 2014-03-11 12:53:46 GMT
*        expire date: 2019-03-11 12:53:46 GMT
*        issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ 
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 401 Unauthorized
< Date: Tue, 18 Mar 2014 10:38:35 GMT
< Status: 401 Unauthorized
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
< WWW-Authenticate: Basic realm=""
< Cache-Control: no-cache
< X-Request-Id: 74f54f7b-b9b3-41c2-a55f-8e4c0f90b1e6
< X-Runtime: 0.003925
< Connection: close
< 
* Closing connection #0
* Issue another request to this URL: 'https://host.domain/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack'
* Couldn't find host host.domain in the .netrc file; using defaults
* About to connect() to host.domain port 443 (#0)
*   Trying 123.456.789.012...
* Connected to host.domain (123.456.789.012) port 443 (#0)
* Connected to host.domain (123.456.789.012) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL re-using session ID
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=FR; O=xyz; OU=Technique; CN=host.domain
*        start date: 2014-03-11 12:53:46 GMT
*        expire date: 2019-03-11 12:53:46 GMT
*        issuer: C=FR; O=XYZ; OU=0002 775685019; OU=AC; CN=XYZ 
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'PASSWORDINCLEAR'
> GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic xxxxx
User-Agent: git/1.8.1.5
Host: host.domain
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

< HTTP/1.1 401 Unauthorized
< Date: Tue, 18 Mar 2014 10:38:44 GMT
< Status: 401 Unauthorized
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm=""
< Cache-Control: no-cache
< X-Request-Id: 9fc67b79-180d-4b8a-8c42-95fd472a31a7
< X-Runtime: 0.005070
< Connection: close
* The requested URL returned error: 401
* Closing connection #0
fatal: Authentication failed

The apache ssl.conf file is:

# SSLRequireString is an environment variable defined like that: "%{SSL_CLIENT_S_DN_CN} =~ m/XXX/"

<VirtualHost _default_:443>
  SSLProxyEngine on

  ProxyPreserveHost On
  ProxyRequests Off
  ProxyPass /gitlab/ http://127.0.0.1:8080/
  ProxyPassReverse /gitlab/ http://127.0.0.1:8080/
  ProxyPass         /assets/ http://127.0.0.1:8080/gitlab/assets/
  ProxyPassReverse  /assets/ http://127.0.0.1:8080/gitlab/assets/

  ProxyPass /redmine/ http://127.0.0.1:80/redmine/
  ProxyPassReverse /redmine/ http://127.0.0.1:80/redmine/

  ProxyPass /buildbot/ http://127.0.0.1:8010/
  ProxyPassReverse /buildbot/ http://127.0.0.1:8010/

  ProxyPass /unit-tests/ http://127.0.0.1/unit-tests/
  ProxyPassReverse /unit-tests/ http://127.0.0.1/unit-tests/ 



  <Location /redmine/>
    ProxyPassReverse http://127.0.0.1:80/redmine/
    Order deny,allow
    Allow from all
    SSLRequire (    ${SSLRequireString} )
  </Location>

  <Location /gitlab/>
    ProxyPassReverse http://127.0.0.1:8080/
    Order deny,allow
    Allow from all
    SSLRequire (    ${SSLRequireString} )
  </Location>

  <Location /assets/>
    ProxyPassReverse http://127.0.0.1:8080/gitlab/assets/
    Order deny,allow
    Allow from all
    SSLRequire (    ${SSLRequireString} )
  </Location>

  <Location /buildbot/>
    ProxyPassReverse http://127.0.0.1:8010/
    Order deny,allow
    Allow from all
    SSLRequire (    ${SSLRequireString} )
  </Location>

  <Location /unit-tests/>
    ProxyPassReverse http://127.0.0.1/unit-tests/
    Order deny,allow
    Allow from all
    SSLRequire (    ${SSLRequireString} )
  </Location>

  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .*gitlab.* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
#  RewriteRule .*redmine.* http://127.0.0.1:80%{REQUEST_URI} [P,QSA]
  RequestHeader set X_FORWARDED_PROTO 'https'

ServerName host.domain:443

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/server-bundle.pem
SSLVerifyClient require
SSLVerifyDepth  10
<Location />
SSLRequire (    ${SSLRequireString} )
</Location>

~/.ssh/config is:

Host *
        Compression yes
        ForwardX11 yes
        Ciphers arcfour,blowfish-cbc

Host host.domain
        Hostname host.domain
        User git
        IdentityFile ~/.ssh/id_rsa4

There are several steps at which something can fail, and right now I am stuck. I don't know where to look.

Update: by issuing

GIT_SSL_CERT=~/.ssh/cert.pem git clone https://host.domain/gitlab/xxx/xxx.git

then typing the pem passphrase once, the gitlab username and password in the two ssh-askpass dialogs that open, and then the pem passphrase three more times, the clone is successful.

During this process I get the following in the logs:

/var/log/httpd/ssl_access_log-20140318
ww.xx.yy.zz - - [24/Mar/2014:16:08:15 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 -
ww.xx.yy.zz - - [24/Mar/2014:16:08:18 +0100] "GET /gitlab/xxx/yyy.git/info/refs?service=git-upload-pack HTTP/1.1" 200 282
ww.xx.yy.zz - - [24/Mar/2014:16:08:21 +0100] "POST /gitlab/xxx/yyy.git/git-upload-pack HTTP/1.1" 200 18482648

/home/git/gitlab/log/production.log
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:07:59 +0100
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:15 +0100
Started GET "/gitlab/xxx/yyy.git/info/refs?service=git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:18 +0100
Started POST "/gitlab/xxx/yyy.git/git-upload-pack" for 127.0.0.1 at 2014-03-24 16:08:21 +0100

So the clone kind of works, but it is not very convenient. Should I close this question and open a new one?

P.S.: server and client are under GNU/Linux (Scientific Linux 6.5 and Mageia 3 respectively). Gitlab versions: GitLab 6.5.1, GitLab Shell 1.8.0, GitLab API v3, Ruby 1.9.3p194, Rails 4.0.2.

2 answers:

Answer 0 (score: 0)

Have you tried a local clone from the server itself, using 127.0.0.1:8080, without going through apache?

Also, check the logs to find out whether the 401 comes from gitlab or from apache.

Anyway, if you go over HTTP you don't use ssh keys, so the ssh config is irrelevant. It seems to be using login/password, as you can see on the line Server auth using Basic with user 'PASSWORDINCLEAR', but that should be the user there, not the password, so there is probably a problem with your client configuration.

Answer 1 (score: 0)

I finally got it to work, and wrote the following instructions for my colleagues:

You can clone after setting the following configuration beforehand:

# This is the certificate in PEM format to authenticate. 
git config --global http.sslCert <path to your X.509 (pem) certificate>
# This is the same certificate as above, this time to make git accept a self-signed certificate
git config --global http.sslCAInfo <path to your X.509 (pem) certificate>
# This allows to input the certificate password only once
git config --global http.sslCertPasswordProtected 1

You may also want to avoid setting such global options, since they would have unwanted side effects on other repositories. In that case you have to pass the options locally on the clone command line, with the following parameters:

git clone -c http.sslCAInfo=<path to your X.509 (pem) certificate> \
              -c http.sslCert=<path to your X.509 (pem) certificate> \
              -c http.sslCertPasswordProtected=1 \
     https://host.domain/path/to/repository.git

To issue git commands without too much interactive input, include the gitlab username in the URL:

git clone 'https://user@host.domain/path/to/repository.git'

With this setup you should be asked twice for an "SSH passphrase": the first time enter your certificate password, the second time your gitlab password.
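As an added example, not part of the original question or answers: a small POSIX shell helper that inspects the PEM file before pointing both http.sslCert and http.sslCAInfo at it, as the recipe above does, and then assembles the per-repository clone command. http.sslCAInfo is the bundle git uses to verify the server, so reusing the client certificate file for it only works when that file also contains the CA certificate(s); the helper checks for that, and for an encrypted private key, before adding the corresponding -c options. The function names, and the PEM contents used to exercise it, are constructed for illustration; the block prints the command rather than running it.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumes a single PEM file that
# holds the client certificate, optionally the CA chain, and the private key.

# Count PEM blocks with the given label in a file. $1 = file, $2 = label.
# grep -c exits 1 when the count is 0; "|| true" keeps the "0" usable under set -e.
pem_count() {
    grep -c -- "-----BEGIN $2-----" "$1" || true
}

# Report the state of the private key in the file:
#   encrypted  PKCS#8 "ENCRYPTED PRIVATE KEY", or a legacy key with Proc-Type 4,ENCRYPTED
#   plain      a key is present but not passphrase-protected
#   none       no private key block at all
pem_key_state() {
    if grep -q -- "-----BEGIN ENCRYPTED PRIVATE KEY-----" "$1"; then
        echo encrypted
    elif grep -qE -- "-----BEGIN (RSA |EC )?PRIVATE KEY-----" "$1"; then
        if grep -q "^Proc-Type: 4,ENCRYPTED" "$1"; then
            echo encrypted
        else
            echo plain
        fi
    else
        echo none
    fi
}

# Build the clone command from the recipe above. $1 = PEM file, $2 = gitlab
# user, $3 = https URL. http.sslCAInfo is only reused when the file carries more
# than one certificate (leaf plus CA); http.sslCertPasswordProtected=1 is only
# set when the key really is encrypted, so git does not prompt for nothing.
build_clone_cmd() {
    pem=$1 user=$2 url=$3
    certs=$(pem_count "$pem" CERTIFICATE)
    key=$(pem_key_state "$pem")
    cmd="git clone -c http.sslCert=$pem"
    if [ "$certs" -gt 1 ]; then
        cmd="$cmd -c http.sslCAInfo=$pem"
    else
        echo "warning: $pem holds a single certificate; point http.sslCAInfo at the CA bundle instead" >&2
    fi
    case $key in
        encrypted) cmd="$cmd -c http.sslCertPasswordProtected=1" ;;
        none)      echo "warning: no private key in $pem; add it to the file or set http.sslKey" >&2 ;;
    esac
    # Insert the user right after the scheme: https://user@host/path
    echo "$cmd ${url%%://*}://$user@${url#*://}"
}

# Usage: ./clone-with-cert.sh ~/.ssh/cert.pem alice https://host.domain/gitlab/xxx/yyy.git
if [ "$#" -ge 3 ]; then
    build_clone_cmd "$1" "$2" "$3"
fi
```

Run it with the PEM path, gitlab user and repository URL to get a ready-to-paste clone command; the warnings on stderr tell you when the single-file shortcut from the answer will not verify the server, or when git would never be able to present the certificate at all.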