Installing GitLab with Docker behind an external Nginx, with HTTPS enabled

Published by Arthit on 2024-03-26

Background

My nginx is installed with docker on a different server from gitlab, and I operate as the root user.

Install gitlab

Create the directory for the mounted volumes

mkdir gitlab
cd gitlab

Create the docker-compose file

touch docker-compose.yml

Use the vi command to paste the following content into the docker-compose file

version: '3.6'
services:
  gitlab-ce:
    hostname: gitlab.example.com
    ports:
      - '9080:9080'
      - '9081:22'
    container_name: gitlab
    restart: always
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # change to your own domain
        external_url 'https://gitlab.example.com'
        # do not use gitlab's bundled nginx
        nginx['enable'] = false
        # usernames of the non-bundled web server user
        web_server['external_users'] = ['root', 'nginx', 'www-data']
        # add the non-bundled web server to the trusted proxies list: my own nginx server's IP address
        gitlab_rails['trusted_proxies'] = ['NGINX_SERVER_IP']
        # listen on a custom port; it must match the port exposed above
        gitlab_workhorse['listen_network'] = "tcp"
        gitlab_workhorse['listen_addr'] = "0.0.0.0:9080"
        # Rack Attack rate limiting for git basic-auth login attempts
        gitlab_rails['rack_attack_git_basic_auth'] = {
          'enabled' => true,
          'ip_whitelist' => ["127.0.0.1"],
          'maxretry' => 10,
          'findtime' => 60,
          'bantime' => 3600
        }
        gitlab_rails['env'] = {
          'GITLAB_RAILS_RACK_TIMEOUT' => 300
        }
        # reduce gitlab memory usage
        puma['worker_processes'] = 2
        puma['min_threads'] = 1
        puma['max_threads'] = 8
        puma['per_worker_max_memory_mb'] = 1200
        sidekiq['concurrency'] = 9
        postgresql['shared_buffers'] = "512MB"
        postgresql['max_worker_processes'] = 8
        # mail configuration; I use Aliyun enterprise mail
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.qiye.aliyun.com"
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = "gitlab@example.com"
        gitlab_rails['smtp_password'] = "MAILBOX_PASSWORD"
        gitlab_rails['smtp_domain'] = "gitlab.example.com"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = false
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['gitlab_email_from'] = "gitlab@example.com"
        gitlab_rails['gitlab_email_reply_to'] = "gitlab@example.com"
        user["git_user_email"] = "gitlab@example.com"
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
    privileged: true
    image: gitlab/gitlab-ce

Start the container

docker-compose up -d

Look up the default password

Wait about five minutes for the container to start, then run the following command to see the default password

docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password

The default username is root; remember to change the password promptly after logging in. The password file is deleted on the first container restart after 24 hours.

Configure nginx

Install nginx

For how to install nginx with docker, see this article I wrote

nginx configuration file for gitlab

Create a new nginx configuration file in nginx's conf.d directory; the filename is up to you, I named it gitlab.conf

server {
  listen *:80;
  server_name  gitlab.example.com;
  server_tokens off; ### Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;
}

server {
  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,
  # it should be declared here as well
  listen *:443 ssl;
  server_name  gitlab.example.com;
  server_tokens off; ### Don't show the nginx version number, a security best practice

  client_max_body_size 0;
  chunked_transfer_encoding on;

  ### Strong SSL Security
  ### https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/nginx/cert/cert-j76op8xez670x42z/fullchain.cer;
  ssl_certificate_key /etc/nginx/cert/cert-j76op8xez670x42z/cert.key;

  ssl_session_timeout 1d;
  #ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # These settings are in line with the modern settings from https://ssl-config.mozilla.org/
  # and are supported by all still-supported browsers since 2019. If you have specific needs
  # for older settings, please consult the intermediate settings there.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  ### [Optional] Enable HTTP Strict Transport Security
  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

  access_log  /var/log/nginx/gitlab_registry_access.log;
  error_log   /var/log/nginx/gitlab_registry_error.log;

  location / {
    proxy_pass          http://GITLAB_SERVER_IP:9080;   # the GitLab host's IP (placeholder)
    client_max_body_size 1024m;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
    # add the following lines for WebSocket connections
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
# NOTE: files in conf.d are included inside nginx's http {} block, where a stream {}
# block is not allowed. Put the block below at the top level of nginx.conf (outside
# http {}) or in a file included from there, otherwise nginx fails its config test.
stream {
    upstream gitlab_ssh {
        hash   $remote_addr consistent;
        server GITLAB_SERVER_IP:9081;   # the GitLab host's IP (placeholder)
    }
    server {
        listen 9081;
        proxy_connect_timeout   30s;
        proxy_timeout   300s;
        proxy_pass gitlab_ssh;
    }
}
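The trusted_proxies entry in the compose file and the X-Forwarded-For header set in the nginx location above work together; the following added example (my own code, not GitLab's, Rails' or the post's) models the ActionDispatch::RemoteIp rule that GitLab applies to pick the client address, with constructed addresses 203.0.113.10 for the nginx host and 198.51.100.7 for a client, and shows what changes when the nginx host is left out of trusted_proxies.

```python
"""Model of how GitLab picks the client address behind the external nginx above.
Added example; not GitLab's or Rails' code. Rule modelled (ActionDispatch::RemoteIp,
Rails 7): scan [REMOTE_ADDR, XFF rightmost ... XFF leftmost] and return the first
address that is not a trusted proxy; GitLab's trusted list is loopback plus the
gitlab_rails['trusted_proxies'] entries."""
import ipaddress
from typing import Iterable, Optional

# Constructed addresses: the nginx host that the post puts in trusted_proxies.
NGINX_IP = "203.0.113.10"
TRUSTED_PROXIES = ["127.0.0.1", "::1", NGINX_IP]


def is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip lies in any trusted address or CIDR block; junk is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], peer: str) -> str:
    """nginx's $proxy_add_x_forwarded_for: incoming header (if any) + connecting peer."""
    return f"{incoming_xff}, {peer}" if incoming_xff else peer


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """First untrusted address in [REMOTE_ADDR, XFF right-to-left]; if every hop is
    trusted, fall back to the leftmost forwarded address, then REMOTE_ADDR."""
    forwarded = [p.strip() for p in (xff or "").split(",") if p.strip()]
    for ip in [remote_addr] + forwarded[::-1]:
        if not is_trusted(ip, trusted):
            return ip
    return forwarded[0] if forwarded else remote_addr


def gitlab_sees(real_client: str, spoofed_xff: Optional[str],
                trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Browser -> nginx (appends the peer to XFF) -> GitLab (applies the rule)."""
    xff_to_gitlab = proxy_add_x_forwarded_for(spoofed_xff, real_client)
    return client_ip(NGINX_IP, xff_to_gitlab, trusted)


if __name__ == "__main__":
    print(gitlab_sees("198.51.100.7", None))                 # 198.51.100.7
    print(gitlab_sees("198.51.100.7", "192.0.2.1"))          # still 198.51.100.7
    print(gitlab_sees("198.51.100.7", None, ["127.0.0.1"]))  # 203.0.113.10: nginx itself
```

If the nginx host is missing from trusted_proxies, every request is attributed to the proxy's own address, so the Rack Attack limits configured above end up counting against nginx itself.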

Done

Visit https://gitlab.example.com to reach your Gitlab. The author's Gitlab 👉 https://gitlab.iarthit.com

Upgrade Gitlab

docker compose down
docker compose pull
docker compose up -d

Supplement

unicorn['worker_timeout'] has been deprecated since 13.10 and was removed in 14.0. Starting with GitLab 14.0, Unicorn is no longer supported and users must switch to Puma, following https://docs.gitlab.com/ee/administration/operations/puma.html.

If you see this message, open that URL; it explains things clearly.

Starting with GitLab 13.0, Puma is the default web server and Unicorn is disabled. In GitLab 14.0, Unicorn was removed from the Linux package and is no longer supported.

So if your configuration uses unicorn parameters, remove them and use the puma parameters instead.