Question

我有一个Docker服务器，我从sameersbn/docker-gitlab安装 GitLab

我有一个监听443：433和80:80的nginx容器，我将使用这个来加载HTTP和HTTPs（带有签名证书）请求的负载

nginx.conf

worker_processes auto;

events { worker_connections 1024; }

http {

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;


    upstream gitlab {
        server gitlab:10080;
    }

    server {
        listen 80;
        listen 443 ssl;
        server_name www.domain.tld;

        ssl on;
        ssl_certificate         /usr/local/share/ca-certificates/domain.crt;
        ssl_certificate_key     /usr/local/share/ca-certificates/domain.key;
        ssl_trusted_certificate /usr/local/share/ca-certificates/GandiStandardSSLCA2.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        root /usr/share/nginx/html;

        location /git/ {
            proxy_pass http://gitlab;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

没有SSL，访问gitlab的工作网址是http://www.domain.tld:10080/git

使用SSL，我希望网址为https://www.domain.tld/git

使用此nginx负载均衡器配置

当我继续http://www.domain.tld/git

时

400 Bad Request

The plain HTTP request was sent to HTTPS port

当我继续https://www.domain.tld/git

时

ERR_CONNECTION_REFUSED

这是我的第一个签名证书，这应该如何运作？

Answer 1

要解决此问题，需要执行两个步骤：

使Nginx将HTTP重定向到HTTPS
让Gitlab监听端口 80通过HTTP

为什么让Gitlab监听端口80？这种称为SSL卸载的技术可防止在上游和Web服务器之间发生冗余HTTPS加密/解密。它很少是必需的，只有在具有复杂安全要求的不同主机的情况下才有意义。

<强> Nginx的

server {
   listen         80;
   server_name    www.domain.tld;
   return         301 https://$server_name$request_uri;
}

server {
   listen         443 ssl;
   server_name    www.domain.tld;

   [....]

}

<强> Gitlab

vi ./gitlab/config.yml
gitlab_url: "http://server1.example.com" # http rather than https

Nginx配置SSL负载均衡器

1 个答案: