How to use an external Nginx with GitLab (replacing the bundled one)

If the GitLab version is not updated, the versions of the components it bundles are not updated either. So if the bundled Nginx has a vulnerability, you either have to upgrade GitLab, or, as a second option, use an external Nginx as the serving front end.

Upgrade steps

** Do not run this directly on a production or live host.

The steps are as follows:

  1. Back up the configuration file: cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.20230822.bak
  2. Disable the bundled NGINX by setting, in /etc/gitlab/gitlab.rb:

     nginx['enable'] = false

  3. Download the correct web server configuration from the GitLab recipes repository.

The example below uses the plain-HTTP Nginx configuration; put the file in /etc/nginx/conf.d (the default):

upstream gitlab-workhorse {
  # On GitLab versions before 13.5, the location is
  # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
  # accordingly.
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket;
}

## Normal HTTP host
server {
  ## Either remove "default_server" from the listen line below (delete default_server if you run into problems)
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:8088 default_server; # change this to the port you need to listen on
  listen [::]:8088 default_server;
  server_name localhost; ## Replace this with something like gitlab.example.com # set the domain name of your deployment
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public; # this is the default location

  ## See app/controllers/application_controller.rb for headers set

  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    proxy_http_version 1.1;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://gitlab-workhorse;
  }
}
  4. Run sudo gitlab-ctl reconfigure so the change takes effect.

  5. Start nginx.

Problems encountered

  1. Insufficient permissions: the page returns 502. The fix is to change the user that nginx starts as in the nginx configuration to root, or to grant the corresponding user access (the second option keeps nginx unprivileged).
  2. The following error appears:

     connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13:Permission denied) while connecting to upstream

Choose one of the following options to fix it:

  • Upgrade to 14.3 or later, which includes the updated SELinux policy.
  • Fetch and install the policy manually:

    wget https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/a9d6b020f81d18d778fb502c21b2c8f2265cabb4/files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp
    semodule -i gitlab-13.5.0-gitlab-shell.pp
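As a diagnostic for the 502 / "Permission denied" problems above, this added Python script (not from the page or from GitLab) walks the path to the workhorse socket and reports which directory or file denies the nginx worker user, so the socket can be shared with that user instead of running nginx as root. The socket path is the one from the page; the nginx user name, the `top` parameter and the function names are assumptions.

```python
import os
import pwd
import grp
import stat

# WORKHORSE_SOCKET is the page's omnibus path (GitLab >= 13.5); NGINX_USER is a
# hypothetical default, check the `user` line of your nginx.conf.
WORKHORSE_SOCKET = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
NGINX_USER = "nginx"

def resolve_user(name):
    """Map a user name to (uid, set of gids) as the kernel sees that user."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}

def allowed(st, uid, gids, perm):
    """Classic mode-bit (DAC) check of perm ('r', 'w' or 'x') for uid/gids.
    Root bypasses DAC, which is why SELinux (the semodule step) can still deny root."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((stat.S_IMODE(st.st_mode) >> shift) & {"r": 4, "w": 2, "x": 1}[perm])

def socket_access_problems(socket_path, uid, gids, top="/"):
    """List every DAC reason connect() to socket_path fails with EACCES for uid/gids:
    a directory on the way without the search (x) bit, or a socket the user cannot
    write (connect() on a unix socket needs write). Dirs above `top` are assumed ok."""
    path, top = os.path.abspath(socket_path), os.path.abspath(top)
    parents, d = [], os.path.dirname(path)
    while True:                      # collect the socket's parent directory up to top
        parents.append(d)
        if d in (top, os.path.dirname(d)):
            break
        d = os.path.dirname(d)
    problems = []
    for d in reversed(parents):      # check top-down, the order the kernel resolves them
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return problems + [f"{d}: does not exist"]
        if not allowed(st, uid, gids, "x"):
            problems.append(f"{d}: no search (x) permission for uid {uid}")
    if not os.path.exists(path):
        problems.append(f"{path}: does not exist (is gitlab-workhorse running?)")
    elif not allowed(os.stat(path), uid, gids, "w"):
        problems.append(f"{path}: not writable by uid {uid}")
    return problems

if __name__ == "__main__":
    print(socket_access_problems(WORKHORSE_SOCKET, *resolve_user(NGINX_USER)) or "ok")
```

An empty result means the DAC checks pass, so a remaining "Permission denied" points at SELinux, which the policy module above addresses.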

References