為了防止內網滲透,將gitlab服務的訪問添加了ssl,具體步驟如下: 1. 修改配置文件 [xieshuang@VM_177_101_centos gitlab]$ sudo vim /etc/gitlab/gitlab.rb 13行的 http https external_url 'https ...
為了防止內網滲透,將gitlab服務的訪問添加了ssl,具體步驟如下:
修改配置文件
[xieshuang@VM_177_101_centos gitlab]$ sudo vim /etc/gitlab/gitlab.rb #13行的 http >> https external_url 'https://ip:port' #修改nginx配置 810行 nginx['redirect_http_to_https'] =true nginx['ssl_certificate'] = "/etc/gitlab/ssl/server.crt" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/server.key"生成秘鑰與證書
#秘鑰腳本,將以下內容保存為shell腳本,然後運行 #出現提示輸入信息的地方輸入信息,先輸入功能變數名稱然後4次證書密碼,任意密碼,四次保持一致。 #!/bin/sh # create self-signed server certificate: read -p "Enter your domain [139.199.125.93]: " DOMAIN echo "Create server key..." openssl genrsa -des3 -out $DOMAIN.key 1024 echo "Create server certificate signing request..." SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN" openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr echo "Remove password..." mv $DOMAIN.key $DOMAIN.origin.key openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key echo "Sign SSL certificate..." openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt echo "TODO:" echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt" echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key" echo "Add configuration in nginx:" echo "server {" echo " ..." echo " listen 443 ssl;" echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;" echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;" echo "}" #執行成功後生成文件如下: [xieshuang@VM_177_101_centos src]$ ls 139.199.125.93.crt 139.199.125.93.origin.key nginx-1.7.12 vim-7.3.tar.bz2 139.199.125.93.csr apache-tomcat-8.5.28.tar.gz ssl_genKey.sh vimcdoc-1.8.0 139.199.125.93.key gitlab-ce-10.0.0-ce.0.el7.x86_64.rpm vim73 vimcdoc-1.8.0.tar.gz #移動到相應的位置 sudo mkdir -p /etc/gitlab/ssl sudo chmod 700 /etc/gitlab/ssl/ -R su cp 139.199.125.93.crt /etc/gitlab/ssl/server.crt sudo cp 139.199.125.93.key /etc/gitlab/ssl/server.key重建配置:
sudo gitlab-ctl reconfigure瀏覽器進行https訪問:
