Installing GitLab with Docker Compose behind an external Nginx, with HTTPS enabled

Published by Arthit on 2024-03-26

Background

My nginx runs in Docker on a different server from GitLab, and I operate as root.

Installing GitLab

Create the directory for the bind mounts

mkdir gitlab
cd gitlab

Create the docker-compose file

touch docker-compose.yml

Open the file with vi and paste in the following contents

version: '3.6'
services:
  gitlab-ce:
    hostname: gitlab.example.com
    # Both ports are published on every host interface. Only the nginx host should be
    # able to reach them, so restrict them with the host firewall; otherwise GitLab is
    # reachable over plain HTTP on 9080, bypassing the TLS termination in nginx.
    ports:
      - '9080:9080'
      - '9081:22'
    container_name: gitlab
    restart: always
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Change to your own domain
        external_url 'https://gitlab.example.com'
        # Do not use the nginx bundled with GitLab
        nginx['enable'] = false
        # Usernames of the non-bundled web server (only matters when it talks to workhorse
        # over the unix socket; harmless with the TCP listener configured below)
        web_server['external_users'] = ['root', 'nginx', 'www-data']
        # Add the non-bundled web server to the trusted proxy list: the IP address of my
        # nginx server. Without it (for an nginx address outside the private ranges Rails
        # trusts by default) every request is logged and rate-limited as coming from the proxy.
        gitlab_rails['trusted_proxies'] = ['<nginx server IP address>']
        # SSH is published as 9081, so clone URLs shown in the UI must use that port
        # (added here; the original configuration did not set it)
        gitlab_rails['gitlab_shell_ssh_port'] = 9081
        # Listen on a custom port; it must match the port published above
        gitlab_workhorse['listen_network'] = "tcp"
        gitlab_workhorse['listen_addr'] = "0.0.0.0:9080"
        # Rate-limit failed Git HTTP basic-auth attempts (brute-force protection, not a
        # memory setting): a source IP is banned for an hour after 10 failures within 60 s
        gitlab_rails['rack_attack_git_basic_auth'] = {
          'enabled' => true,
          'ip_whitelist' => ["127.0.0.1"],
          'maxretry' => 10,
          'findtime' => 60,
          'bantime' => 3600
        }
        # Rack request timeout in seconds
        gitlab_rails['env'] = {
          'GITLAB_RAILS_RACK_TIMEOUT' => 300
        }
        # Reduce GitLab's memory usage
        puma['worker_processes'] = 2
        puma['min_threads'] = 1
        puma['max_threads'] = 8
        puma['per_worker_max_memory_mb'] = 1200
        sidekiq['concurrency'] = 9
        postgresql['shared_buffers'] = "512MB"
        postgresql['max_worker_processes'] = 8
        # Mail configuration; I use Aliyun enterprise mail. Port 465 is implicit TLS,
        # so STARTTLS is off, smtp_tls is on and the server certificate is verified.
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.qiye.aliyun.com"
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = "gitlab@example.com"
        gitlab_rails['smtp_password'] = "<mailbox password>"
        gitlab_rails['smtp_domain'] = "gitlab.example.com"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = false
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['gitlab_email_from'] = "gitlab@example.com"
        gitlab_rails['gitlab_email_reply_to'] = "gitlab@example.com"
        user["git_user_email"] = "gitlab@example.com"
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
    # Not required by the GitLab image; it gives the container full access to host
    # devices and capabilities. Drop it unless something in your setup needs it.
    privileged: true
    # No tag means :latest. Pin a release tag so that `docker compose pull` cannot
    # skip ahead of GitLab's supported upgrade path.
    image: gitlab/gitlab-ce

Start the container

docker-compose up -d

Look up the initial root password

Wait about five minutes for the container to finish starting, then run the following command to read the initial password

docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password

The default username is root; change the password right after the first login. The password file is deleted by the first reconfigure that runs more than 24 hours after installation (a container restart triggers one), so read it before then.

Configuring nginx

Installing nginx

For how to install nginx with Docker, see the article I wrote on that.

The nginx configuration file for GitLab

Create a new nginx configuration file in nginx's conf.d directory; the file name is up to you, I call mine gitlab.conf.

Note: the stream block at the end of the configuration below must be cut out of this file and pasted into your main nginx.conf outside the http block (conf.d files are included inside http, while stream is a top-level context); otherwise nginx fails to start. The nginx container must also publish port 9081 for the SSH passthrough.

## Derive the Connection header from the Upgrade header so that only WebSocket
## requests (web terminal, live updates) carry "Connection: upgrade" and ordinary
## requests keep their normal connection handling. Stays in the conf.d file (http context).
map $http_upgrade $connection_upgrade_gitlab {
  default upgrade;
  ''      close;
}

server {
  listen *:80;
  server_name  gitlab.example.com;
  server_tokens off; ### Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;
}

server {
  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,
  # it should be declared here as well
  listen *:443 ssl;
  server_name  gitlab.example.com;
  server_tokens off; ### Don't show the nginx version number, a security best practice

  client_max_body_size 0;
  chunked_transfer_encoding on;

  ### Strong SSL Security
  ### https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/nginx/cert/cert-j76op8xez670x42z/fullchain.cer;
  ssl_certificate_key /etc/nginx/cert/cert-j76op8xez670x42z/cert.key;

  ssl_session_timeout 1d;
  #ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # These settings are in line with the modern settings from https://ssl-config.mozilla.org/
  # and are supported by all still-supported browsers since 2019. If you have specific needs
  # for older settings, please consult the intermediate settings there.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  ### [Optional] Enable HTTP Strict Transport Security
  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;

  location / {
    # "ip" is the address of the GitLab host; 9080 is the workhorse port published in the compose file
    proxy_pass          http://ip:9080;
    # Overrides the server-level 0 (unlimited) above: pushes and uploads are capped at 1 GiB
    client_max_body_size 1024m;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
    # WebSocket support: the Upgrade handshake needs HTTP/1.1 towards the backend
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_gitlab;
  }
}

## TCP passthrough for Git over SSH. Move this block into the main nginx.conf, outside
## the http block. Plain TCP proxying carries no client address, so GitLab's sshd logs
## see the nginx IP rather than the real client's.
stream {
    upstream gitlab_ssh {
        hash   $remote_addr consistent;
        server ip:9081;
    }
    server {
        listen 9081;
        proxy_connect_timeout   30s;
        proxy_timeout   300s;
        proxy_pass gitlab_ssh;
    }
}
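The following script is an added example, not part of the original post: it checks the properties the nginx configuration above is meant to enforce (HTTP-to-HTTPS redirect, HSTS, hidden server version, TLS 1.2 refused because only TLSv1.3 is enabled). The parsing functions take the raw header block that `curl -sI` prints, so they can be exercised offline with constructed responses; `check_live` runs the same checks against a real host and needs network access. GITLAB_HOST is the assumed name from the post, and the HSTS check assumes the commented `add_header` line has been enabled.

```shell
#!/bin/sh
# Added example (not the post's own code): sanity checks for the external-nginx
# front door. Run with --live to query the real host; otherwise only the
# functions are defined so they can be used from other scripts.
set -eu

GITLAB_HOST="${GITLAB_HOST:-gitlab.example.com}"   # assumed from the post

# Status code from the first line of a raw response header block ("HTTP/1.1 301 ...").
http_status() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'
}

# Value of a named header, case-insensitive, with CRLF and leading blanks stripped;
# prints nothing when the header is absent.
header_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { name = tolower(name) ":" }
        { line = $0; sub(/\r$/, "", line) }
        index(tolower(line), name) == 1 {
            v = substr(line, length(name) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# Plain HTTP must answer 301 with an https Location on the same host.
check_http_redirect() {
    [ "$(http_status "$1")" = "301" ] || return 1
    case "$(header_value "$1" Location)" in
        "https://$GITLAB_HOST/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# HTTPS answers must carry HSTS and must not leak the nginx version (server_tokens off).
check_https_headers() {
    case "$(header_value "$1" Strict-Transport-Security)" in
        max-age=*) ;;
        *) return 1 ;;
    esac
    case "$(header_value "$1" Server)" in
        nginx/*) return 1 ;;
    esac
    return 0
}

# Live run against the real host (network required); not executed automatically.
check_live() {
    if check_http_redirect "$(curl -sI "http://$GITLAB_HOST/")"; then
        echo "ok: http redirects to https"
    else
        echo "FAIL: no https redirect on port 80"; return 1
    fi
    if check_https_headers "$(curl -sI "https://$GITLAB_HOST/users/sign_in")"; then
        echo "ok: HSTS present, server version hidden"
    else
        echo "FAIL: HSTS missing or server version exposed"; return 1
    fi
    # Only TLSv1.3 is enabled, so a TLS 1.2 handshake has to be refused.
    if openssl s_client -connect "$GITLAB_HOST:443" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLS 1.2 handshake accepted"; return 1
    fi
    echo "ok: TLS 1.2 refused"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `GITLAB_HOST=gitlab.example.com sh check_frontdoor.sh --live` from a machine outside the nginx host. If the redirect check fails but the TLS checks pass, the usual cause is a second default server in conf.d catching port 80 ahead of this one.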

Done

Open https://gitlab.example.com to reach your GitLab. The author's GitLab 👉 https://gitlab.iarthit.com

Upgrading GitLab

Take a backup first (see the backup section below) and check GitLab's documented upgrade path before pulling: the compose file uses the untagged image, so `docker compose pull` fetches the newest release, which may be more than one supported step away from the running version.

docker compose down
docker compose pull
docker compose up -d
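A guarded form of the three commands above, as an added example that is not part of the original post: it reads the running version from the container, refuses downgrades and unreviewed major-version jumps (GitLab only supports upgrades along its documented upgrade path), takes a backup first, and pins the target tag in docker-compose.yml before pulling so that `pull` cannot skip ahead. The VERSION file path inside the image, the `X.Y.Z-ce.0` tag format and COMPOSE_DIR are assumptions to verify against your installation.

```shell
#!/bin/sh
# Added example (not the post's own code): guarded upgrade for the compose setup.
# Usage: sh upgrade.sh 16.11.1 [--allow-major]
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-/root/gitlab}"   # assumed location of docker-compose.yml
CONTAINER="${CONTAINER:-gitlab}"

# "16.10.2-ce.0" -> "16 10 2": drop any suffix, split on dots, missing fields become 0.
version_fields() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | awk -F. '{ printf "%d %d %d\n", $1, $2, $3 }'
}

# 0 when A >= B (numeric, field by field), 1 otherwise.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -gt "$4" ] \
       || { [ "$1" -eq "$4" ] && [ "$2" -gt "$5" ]; } \
       || { [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ] && [ "$3" -ge "$6" ]; }; then
        return 0
    fi
    return 1
}

# Classify the jump from CUR to TARGET: same, patch, minor, major or downgrade.
upgrade_kind() {
    if ! version_ge "$2" "$1"; then echo downgrade; return 0; fi
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -ne "$4" ]; then echo major
    elif [ "$2" -ne "$5" ]; then echo minor
    elif [ "$3" -ne "$6" ]; then echo patch
    else echo same
    fi
}

# Version of the running instance, e.g. "16.10.2" (assumed file path inside the image).
current_version() {
    docker exec "$CONTAINER" cat /opt/gitlab/embedded/service/gitlab-rails/VERSION
}

upgrade_to() {    # upgrade_to TARGET [--allow-major]
    cur=$(current_version)
    kind=$(upgrade_kind "$cur" "$1")
    case "$kind" in
        same)      echo "already running $cur"; return 0 ;;
        downgrade) echo "refusing downgrade $cur -> $1" >&2; return 1 ;;
        major)
            if [ "${2:-}" != "--allow-major" ]; then
                echo "major jump $cur -> $1: confirm the upgrade path, then rerun with --allow-major" >&2
                return 1
            fi ;;
    esac
    # Backup first so a failed migration can be rolled back (same commands as the cron script).
    docker exec "$CONTAINER" gitlab-backup create CRON=1
    docker exec "$CONTAINER" gitlab-ctl backup-etc
    cd "$COMPOSE_DIR"
    # Pin the tag so that `pull` fetches exactly this release and not whatever :latest is.
    sed -i "s|^\( *image: gitlab/gitlab-ce\).*|\1:$1-ce.0|" docker-compose.yml
    docker compose pull
    docker compose up -d
}

if [ $# -ge 1 ]; then
    upgrade_to "$@"
fi
```

The major-version guard is deliberately coarse: GitLab also requires stops at specific minor releases within a major series, so the script only forces you to look at the upgrade path rather than encoding it.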

Backing up GitLab - 2025-07-13

# Enter the container
docker exec -it gitlab /bin/bash
# Backup command; the archive is written to /var/opt/gitlab/backups inside the container (./data/backups on the host with the mounts above)
gitlab-backup create
# Back up the configuration files and secrets. Not part of gitlab-backup, but required for a usable restore: archives /etc/gitlab into /etc/gitlab/config_backup inside the container (./config/config_backup on the host)
gitlab-ctl backup-etc

The application backup deliberately leaves out gitlab.rb and gitlab-secrets.json. The secrets file holds the keys that encrypt CI variables, two-factor secrets and integration tokens, so a data backup restored without it loses all of them. Keep both archives, copy them off the host, and preserve the 0600 mode GitLab gives them.

Set the backup retention period (optional)

# Edit the GitLab configuration file /etc/gitlab/gitlab.rb (./config/gitlab.rb on the host); the same line can go into GITLAB_OMNIBUS_CONFIG in the compose file instead
gitlab_rails['backup_keep_time'] = 604800  # 7 days, in seconds; old archives are removed on the next gitlab-backup create
# Apply the configuration
gitlab-ctl reconfigure

Set up a cron job for scheduled backups. Create a shell script (for example backup.sh) that runs the backup; contents:

#!/bin/bash
set -e
CONTAINER_NAME="gitlab"

# Back up the application data. CRON=1 is an argument to gitlab-backup, not to this
# script: it silences the progress output so cron does not mail it on every run.
# No -t: cron has no terminal to attach.
docker exec $CONTAINER_NAME gitlab-backup create CRON=1

# Back up the configuration files and secrets, and delete configuration backups older
# than backup_keep_time. One call does both; backup-etc always creates a new archive,
# so running it a second time just for the cleanup would produce a duplicate.
docker exec $CONTAINER_NAME gitlab-ctl backup-etc --delete-old-backups

Make the script executable

chmod +x ./backup.sh

Edit the crontab

sudo crontab -e

Add the following line to run the backup every day at 2 am

0 2 * * * /bin/bash /root/gitlab/backup.sh

Verify that the entry was saved

crontab -l
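What the cron job above does not do is get the archives off the host or check that they are restorable. The script below is an added example, not part of the original post: it picks the newest application and configuration archives, verifies that each contains the file a restore depends on, tightens their permissions and copies them to an off-host destination. Paths follow the compose bind mounts from the post (./data for /var/opt/gitlab, ./config for /etc/gitlab); GITLAB_DIR, COPY_CMD and the destination are assumptions, and the file-name patterns match what `gitlab-backup create` and `gitlab-ctl backup-etc` write.

```shell
#!/bin/sh
# Added example (not the post's own code): verify the latest GitLab backups and copy
# them off the host. Usage: sh offsite.sh backup@host:/srv/gitlab-backups
set -eu

GITLAB_DIR="${GITLAB_DIR:-/root/gitlab}"     # assumed compose directory from the post
COPY_CMD="${COPY_CMD:-rsync -a}"             # -a keeps the 0600 mode set below

# Newest file (by mtime) in DIR matching the glob PATTERN; prints nothing if none.
newest_file() {    # newest_file DIR PATTERN
    ls -t "$1"/$2 2>/dev/null | head -n 1
}

# An application backup is only restorable if it carries backup_information.yml,
# which records the GitLab version the archive was taken from.
verify_app_backup() {    # verify_app_backup ARCHIVE
    tar -tf "$1" 2>/dev/null | grep -qx 'backup_information.yml'
}

# The config backup must include gitlab-secrets.json: the data backup is encrypted
# with keys from that file, so without it CI variables, 2FA and tokens are lost.
verify_config_backup() {    # verify_config_backup ARCHIVE
    tar -tf "$1" 2>/dev/null | grep -q 'gitlab-secrets\.json$'
}

# Pick the newest pair, verify both, tighten permissions and copy them to DEST.
copy_backups_offsite() {    # copy_backups_offsite DEST
    app=$(newest_file "$GITLAB_DIR/data/backups" '*_gitlab_backup.tar')
    cfg=$(newest_file "$GITLAB_DIR/config/config_backup" 'gitlab_config_*.tar')
    if [ -z "$app" ] || ! verify_app_backup "$app"; then
        echo "no restorable application backup in $GITLAB_DIR/data/backups" >&2
        return 1
    fi
    if [ -z "$cfg" ] || ! verify_config_backup "$cfg"; then
        echo "no config backup containing gitlab-secrets.json in $GITLAB_DIR/config/config_backup" >&2
        return 1
    fi
    chmod 600 "$app" "$cfg"     # both archives contain secrets
    $COPY_CMD "$app" "$cfg" "$1/"
    echo "copied $(basename "$app") and $(basename "$cfg") to $1"
}

if [ $# -eq 1 ]; then
    copy_backups_offsite "$1"
fi
```

Append a call to this script to backup.sh after the two `docker exec` lines, so that a run that produced an unusable archive fails loudly in cron's mail instead of silently rotating good copies out under backup_keep_time.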

Addendum

unicorn['worker_timeout'] has been deprecated since 13.10 and was removed in 14.0. Starting with GitLab 14.0, Unicorn is no longer supported and users must switch to Puma, following https://docs.gitlab.com/ee/administration/operations/puma.html.

The URL in that message explains it clearly.

Since GitLab 13.0, Puma is the default web server and Unicorn is disabled. In GitLab 14.0, Unicorn was removed from the Linux package and is no longer supported.

So if your configuration still contains unicorn parameters, delete them and use the puma parameters instead, as in the compose file above.