让网站使用https的方式访问

证书申请

关于证书申请，其实我们可以申请免费的证书即可，在阿里云或者腾讯云等地方都能申请到免费一年的证书，具体的申请步骤这里就就不细细描述了，因为比较简单。但这里指的提醒一下的是，二级域名与三级域名是要区别开来的，一个证书对应一个域名。

比如：cyblogs.com、gitlab.cyblogs.com是需要单独申请的，我这里的话因为域名解析是在dnspod解析的，所以我也就在它那里申请了。

如果是在阿里云申请，而在其他地方做的域名解析，第一次需要单独配置一次解析才行。

Nginx的安装技巧

gitlab.cyblogs.com.conf文件内容，之类把你的证书存放在你想放的位置，我这里是：/usr/local/nginx/ssl。

upstream gitlab {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

upstream gitlab-workhorse {
  server unix://var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

server {
  listen 0.0.0.0:80;
  server_name gitlab.cyblogs.com;
  server_tokens off;
  return 301 https://$server_name$request_uri;
  access_log  /usr/local/nginx/conf/logs/gitlab_access.log;
  error_log   /usr/local/nginx/conf/logs/gitlab_error.log;
}

server {
  listen 0.0.0.0:443 ssl;
  server_name gitlab.cyblogs.com;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  client_max_body_size 20m;

  ssl_certificate        /usr/local/nginx/ssl/gitlab.cyblogs.com_bundle.crt;
  ssl_certificate_key    /usr/local/nginx/ssl/gitlab.cyblogs.com.key;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  access_log  /usr/local/nginx/conf/logs/gitlab_access.log;
  error_log   /usr/local/nginx/conf/logs/gitlab_error.log;

  location /uploads/ {
    gzip off;
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;
    proxy_pass https://gitlab;
  }

  location @gitlab {
    gzip off;
        proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;
    proxy_pass http://localhost:8081;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
     }

  location ~ ^/api/v3/projects/.*/repository/archive {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ /ci/api/v1/builds/[0-9]+/artifacts {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location @gitlab-workhorse {
    client_max_body_size 0;
    gzip off;
    proxy_buffering off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
     proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }

  location ~ ^/(assets)/ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  location ~ / {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  error_page 502 /502.html;
}

SSH拉取OK，Http方式不行

首先这里显示的还是http的方式，并不是https的方式。

➜  Desktop  git clone https://gitlab.cyblogs.com/root/testdemo.git
Cloning into 'cyblogs-blog'...
fatal: unable to access 'https://gitlab.cyblogs.com/root/testdemo.git/': The requested URL returned error: 502
➜  Desktop  git clone https://gitlab.cyblogs.com/cyblogs/cyblogs-blog.git
Cloning into 'cyblogs-blog'...
fatal: unable to access 'https://gitlab.cyblogs.com/cyblogs/cyblogs-blog.git/': The requested URL returned error: 502

通过看日志分析，发现错误的日志信息：

[root@iZ94tq694y3Z logs]# less gitlab_error.log 
2019/10/18 16:30:13 [crit] 15450#0: *97 stat() "/opt/gitlab/embedded/service/gitlab-rails/public/uploads/-/system/user/avatar/2/avatar.png.html" failed (13: Permission denied), client: xxx.xx.xx.xx, server: gitlab.cyblogs.com, request: "GET /uploads/-/system/user/avatar/2/avatar.png?width=23 HTTP/1.1", host: "gitlab.cyblogs.com", referrer: "https://gitlab.cyblogs.com/testcase/config-repo"

2019/11/02 16:40:10 [crit] 1374#0: *24502 connect() to unix://var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied) while connecting to upstream, client: 210.22.21.66, server: gitlab.cyblogs.com, request: "GET /root/testdemo.git/info/refs?service=git-upload-pack HTTP/1.1", upstream: "http://unix://var/opt/gitlab/gitlab-workhorse/socket:/root/testdemo.git/info/refs?service=git-upload-pack", host: "gitlab.cyblogs.com"

这里会一直报一个权限问题。unix://var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied)，然后我就各种搜索，真心地没有几篇文章说的很好的。还不如耐心的看gitlab的官网配置，还算比较详细。

https://docs.gitlab.com/omnibus/settings/nginx.html

看了大量的文章，最终得到解决步骤。

对于nginx启动配置

首先，自己的搭建的nginx启动的时候不要用root启动，需要创建一个用户。我这里就是nginx用户了。

[root@iZ94tq694y3Z ~]# groups nginx
nginx : nginx gitlab-www # 这里的gitlab-www是gitlab-ctl reconfigure后加入进去的
[root@iZ94tq694y3Z ~]# 

需要在nginx.conf中user该用户。

[root@iZ94tq694y3Z conf]# cat nginx.conf
user  nginx nginx;
worker_processes  1;

对于gitlab.rb配置

[root@iZ94tq694y3Z gitlab]# cat gitlab.rb | grep -v ^# 只要生效的配置
# 域名访问的配置
external_url 'https://gitlab.cyblogs.com'

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.sina.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "chengcheng222e@sina.com"
gitlab_rails['smtp_password'] = "xxxxxx"
gitlab_rails['smtp_domain'] = "sina.com"
gitlab_rails['smtp_authentication'] = "plain"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false

# 配置gitlab_workhorse，nginx部分有用到这块
gitlab_workhorse['enable'] = true
gitlab_workhorse['ha'] = false
gitlab_workhorse['listen_network'] = "unix"
gitlab_workhorse['listen_umask'] = 000
gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"
gitlab_workhorse['auth_backend'] = "http://localhost:8081"

# 修改端口号为8081端口
unicorn['port'] = 8081

#特别是web_server部分，需要把nginx启动启用加入权限
web_server['external_users'] = ['nginx'] 
web_server['username'] = 'nginx'
web_server['group'] = 'nginx'
web_server['home'] = '/usr/local/nginx'

nginx['enable'] = false
nginx['redirect_http_to_https'] = true
nginx['listen_port'] = 8081

如何定位错误，之类需要看nginx的日志与gitlab的日志

# 查看nginx
tailf /usr/local/nginx/conf/logs/gitlab_error.log
# 查看gitlab
gitlab-ctl tail 

验证

# 回家切换成Windows系统了
Administrator@CHENYUAN MINGW64 ~/Desktop
$ git clone https://gitlab.cyblogs.com/root/testdemo.git
Cloning into 'testdemo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.

参考地址：

• https://www.cnblogs.com/rysinal/p/7358758.html
• https://stackoverflow.com/questions/35327882/what-permissions-does-nginx-need-for-the-gitlab-workhorse-socket
• https://docs.gitlab.com/omnibus/settings/nginx.html