nginx access.log 中出现请求 "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"

时间:2021-01-13 07:32:58

标签: nginx gitlab

gitlab 的版本是:11.9.8 (48528bc) gitlab 的 nginx 版本是:nginx/1.14.2 nginx 的 conf(gitlab) :

# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

# Worker processes run as the gitlab-www user and group.
user gitlab-www gitlab-www;
worker_processes 4;
# Global error log goes to stderr; the GitLab vhost sets its own error_log file.
error_log stderr;
pid nginx.pid;

# Stay in the foreground instead of daemonizing.
daemon off;

events {
  # Upper bound on simultaneous connections per worker process.
  worker_connections 10240;
}

http {
  # NOTE(review): gitlab_access writes "$request" and "$http_referer" verbatim, so a
  # private_token / authenticity_token / rss_token passed in a query string is stored
  # in the log in clear. Only gitlab_mattermost_access uses the filtered variables
  # produced by the maps further down.
  log_format gitlab_access 'gitlab_access_log: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
  log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent"';

  server_names_hash_bucket_size 64;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout 65;

  gzip on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_proxied any;
  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;

  include /opt/gitlab/embedded/conf/mime.types;

  # Shared cache zone "gitlab"; individual locations switch it off or on.
  proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
  proxy_cache gitlab;

  # Connection header sent upstream: "upgrade" when the client sent an Upgrade
  # header, "close" when it did not.
  map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
  }

  # Remove private_token from the request URI
  # In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
  map $request_uri $temp_request_uri_1 {
    default $request_uri;
    ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # Remove authenticity_token from the request URI
  # In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
  map $temp_request_uri_1 $temp_request_uri_2 {
    default $temp_request_uri_1;
    ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # Remove rss_token from the request URI
  # In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
  map $temp_request_uri_2 $filtered_request_uri {
    default $temp_request_uri_2;
    ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
  }

  # A version of the referer without the query string
  map $http_referer $filtered_http_referer {
    default $http_referer;
    ~^(?<temp>.*)\? $temp;
  }

  # Enable vts status module.
  vhost_traffic_status_zone;

  # GitLab Workhorse, reached over loopback only.
  upstream gitlab-workhorse {
    server 127.0.0.1:8888;
  }

  # NOTE(review): this include is the only GitLab vhost pulled in here. Whether a
  # request naming some other host is separated from GitLab traffic therefore
  # depends entirely on the server blocks in the included files.
  include /var/opt/gitlab/nginx/conf/gitlab-http.conf;





  include /var/opt/gitlab/nginx/conf/nginx-status.conf;

  
}

gitlab 的 nginx http 配置(gitlab-http.conf)如下:

# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################


server {
  ## NOTE(review): no `default_server` catch-all is visible on this page. If this is
  ## the only server on port 80 (nginx-status.conf is not shown), nginx uses it for
  ## every request on that port, whatever host the client names. That fits the
  ## "GET http://43.228.64.38" entries, which carry this vhost's gitlab_access format.
  listen *:80;


  server_name git.local.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  ## A value of 0 turns the request-body size check off.
  client_max_body_size 0;


  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  ## NOTE(review): this vhost is plain HTTP (listen 80, X-Forwarded-Proto http below).
  ## Browsers ignore Strict-Transport-Security unless it arrives over HTTPS, so the
  ## header gives no protection on this listener.
  add_header Strict-Transport-Security "max-age=31536000";

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  ## The default name is used only when the client sent no Host header at all.
  if ($http_host = "") {
    set $http_host_with_default "git.local.com";
  }

  ## Any Host value the client did send is kept as-is and forwarded upstream by
  ## the `proxy_set_header Host` line below; it is not compared with server_name.
  if ($http_host != "") {
    set $http_host_with_default $http_host;
  }

  gzip on;
  gzip_static on;
  gzip_comp_level 2;
  gzip_http_version 1.1;
  gzip_vary on;
  gzip_disable "msie6";
  gzip_min_length 10240;
  gzip_proxied no-cache no-store private expired auth;
  gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml application/rss+xml;

  ## https://github.com/gitlabhq/gitlabhq/issues/694
  ## Some requests take more than 30 seconds.
  proxy_read_timeout      3600;
  proxy_connect_timeout   300;
  proxy_redirect          off;
  proxy_http_version 1.1;

  proxy_set_header Host $http_host_with_default;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto http;

  ## Git push and LFS traffic: passed to workhorse without request buffering.
  ## NOTE(review): locations are matched against the path without the query string,
  ## so the "info/refs?service=git-receive-pack" alternative cannot match a query
  ## ("?" here only makes the preceding "s" optional), and the dots are unescaped.
  location ~ (.git/git-receive-pack$|.git/info/refs?service=git-receive-pack$|.git/gitlab-lfs/objects|.git/info/lfs/objects/batch$) {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
    proxy_request_buffering off;
  }

  ## Everything else is proxied to workhorse uncached.
  location / {
    proxy_cache off;
    proxy_pass  http://gitlab-workhorse;
  }

  ## Assets are served through the "gitlab" cache zone.
  location /assets {
    proxy_cache gitlab;
    proxy_pass  http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  ## Static error pages; `internal` keeps them from being requested directly.
  location ~ ^/(404|500|502)(-custom)?\.html$ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }

  ## NOTE(review): dead rule. For "GET http://43.228.64.38 HTTP/1.1" nginx takes the
  ## host from the absolute URI and matches locations against the remaining path,
  ## so a prefix of "https://" is never compared with anything that starts that way.
  ## It is also the only custom_gitlab_server_config block that reached this file.
  ## Filtering by target host needs a check on $host or a separate catch-all default
  ## server; per the header of this file that is configured in /etc/gitlab/gitlab.rb.
  location ^~ https://  {
 deny all;
}

}

我的 gitlab.rb 配置文件的内容是:

....

####################
# GitLab Workhorse #
####################
# see https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md

# gitlab_workhorse['enable'] = true
# gitlab_workhorse['ha'] = false
# Workhorse listens on a TCP socket bound to loopback; this is the address the
# `gitlab-workhorse` upstream in nginx.conf points at (127.0.0.1:8888).
gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_umask'] = 000
gitlab_workhorse['listen_addr'] = "127.0.0.1:8888"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"
# gitlab_workhorse['auth_socket'] = "''" # the empty string is the default in gitlab-workhorse option parser
# gitlab_workhorse['pprof_listen_addr'] = "''" # put an empty string on the command line
# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"
# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"
# gitlab_workhorse['env'] = {
#   'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"
# }

###############
# GitLab user #
###############
## see https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/README.md#changing-the-name-of-the-git-user-group
## Modify default git user.
################
# GitLab Nginx #
################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/doc/settings/nginx.md

# Use the nginx bundled with the package as the front end for GitLab.
nginx['enable'] = true 
# nginx['client_max_body_size'] = '250m'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# nginx['ssl_prefer_server_ciphers'] = "on"
# nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
# nginx['ssl_session_cache'] = "builtin:1000  shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['listen_addresses'] = ['*']
# nginx['listen_port'] = 80 # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
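# NOTE(review): nine assignments to this one key stood here. Each replaced the one
# before it, so only the last ("location ^~ https://") was rendered into
# gitlab-http.conf. That rule cannot match either: for a request line such as
# "GET http://43.228.64.38 HTTP/1.1" nginx splits the host off the absolute URI and
# compares `location` prefixes with the remaining path only.
#
# The per-path rules (/b/zffOcb/, /h5/#/, /server/buy.html, /login, /kk/HelloBro/,
# /admin/) are not carried over. Had they all been active, "/admin/" would also
# have denied GitLab's own pages under /admin/.
#
# Filter on the requested host instead. $host is taken from the request line when
# it is an absolute URI, otherwise from the Host header. Anything not addressed to
# this server's name is dropped; 444 makes nginx close the connection without a reply.
# Caveat: clients that reach GitLab by IP address or by another name are dropped
# too. Confirm nothing legitimate does that before running `gitlab-ctl reconfigure`.
nginx['custom_gitlab_server_config'] = "if ($host != 'git.local.com') {\n return 444;\n}\n"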
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 300
# nginx['proxy_connect_timeout'] = 300
# nginx['proxy_set_headers'] = {
#  "Host" => "$http_host",
#  "X-Real-IP" => "$remote_addr",
#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
#  "X-Forwarded-Proto" => "https",
#  "X-Forwarded-Ssl" => "on"
# }
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['http2_enabled'] = true
# nginx['real_ip_trusted_addresses'] = [ '192.168.21.0/24' ]
# nginx['real_ip_header'] = nil
# nginx['real_ip_recursive'] = nil

## Advanced settings
nginx['dir'] = "/var/opt/gitlab/nginx"
nginx['log_directory'] = "/var/log/gitlab/nginx"
nginx['worker_processes'] = 4
nginx['worker_connections'] = 10240
# NOTE(review): "$request" and "$http_referer" are logged verbatim, so tokens passed
# in a query string (private_token, rss_token, ...) end up in the access log in
# clear. Keep that in mind for the log directory's permissions and retention.
nginx['log_format'] = 'gitlab_access_log: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
nginx['sendfile'] = 'on'
nginx['tcp_nopush'] = 'on'
nginx['tcp_nodelay'] = 'on'
nginx['gzip'] = "on"
nginx['gzip_http_version'] = "1.0"
nginx['gzip_comp_level'] = "2"
nginx['gzip_proxied'] = "any"
nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
nginx['keepalive_timeout'] = 65
# NOTE(review): the nginx.conf shown on this page has max_size=1g on proxy_cache_path,
# not 5000m. Confirm this value is actually applied after a reconfigure.
nginx['cache_max_size'] = '5000m'


....
#############
# Logrotate #
#############
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/README.md#logrotate
## You can disable built in logrotate feature.

# logrotate['enable'] = true

#############################
# Users and groups accounts #
#############################
## Disable management of users and groups accounts.
## Set only if creating accounts manually
## See: http://doc.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management
# manage_accounts['enable'] = false

#######################
# Storage directories #
#######################
## Disable managing storage directories
## Set only if the select directories are created manually
## See: http://doc.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management
# manage_storage_directories['enable'] = false

#######
# Git #
#######
## Advanced setting for configuring git system settings for omnibus-gitlab internal git
## For multiple options under one header use array of comma separated values, eg.
## { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] }

# omnibus_gitconfig['system'] = { "receive" => ["fsckObjects = true"] }

#############
# GitLab CI #
#############
## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/gitlab-ci/README.md

# gitlab_ci['gitlab_ci_all_broken_builds'] = true
# gitlab_ci['gitlab_ci_add_pusher'] = true
# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'

# DEPRECATED
# ci_external_url 'http://ci.example.com'
#

....

但是,最近,在我的gitlab的nginx access.log中,发现了很多请求日志:

...
gitlab_access_log 217.79.189.251 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.224 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.215 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 302 99 "-" "undefined"
gitlab_access_log 217.79.189.249 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.224 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.224 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 302 99 "-" "undefined"
gitlab_access_log 89.163.146.16 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 302 99 "-" "undefined"
gitlab_access_log 217.79.189.214 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.251 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.215 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 302 99 "-" "undefined"
gitlab_access_log 217.79.189.251 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 302 99 "-" "undefined"
gitlab_access_log 217.79.189.215 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 217.79.189.214 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 100 "-" "undefined"
gitlab_access_log 217.79.189.252 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2352 "-" "undefined"
gitlab_access_log 217.79.189.214 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 647 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 408 0 "-" "-"
gitlab_access_log 217.79.189.252 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 1493 "-" "undefined"
gitlab_access_log 89.163.242.95 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 217.79.189.251 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2940 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 502 2359 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
gitlab_access_log 89.163.146.41 - - [13/Jan/2021:00:33:36 +0800] "GET http://43.228.64.38 HTTP/1.1" 499 0 "-" "undefined"
...

我添加了配置选项:

# NOTE(review): both lines assign the same key, so the second replaces the first.
# Neither prefix can match: nginx compares `location` with the request path, not
# with the scheme and host of an absolute-form request line.
nginx['custom_gitlab_server_config'] = "location ^~ http://  {\n deny all;\n}\n"
nginx['custom_gitlab_server_config'] = "location ^~ https://  {\n deny all;\n}\n"

用来拒绝指向第三方网站的请求。

那么,我该如何找出这些经过 gitlab-nginx 的请求?当 gitlab 出现 502 错误时,又该如何保护我的 gitlab 服务?
