给GitLab设置中转机
Pros: 优化链路。实际例子中有一台高配机器跑 GitLab，但它的路由绕美、体验不理想，于是用一台直连线路的机器做中转。
Cons: 中转机自己的 sshd 无法再跑在 22 端口上（22 端口要转发给 GitLab 的 ssh），需要改用一个新端口。
0x0 gitlab机器设置
- 关闭gitlab自带的nginx
# Omnibus config; edits only take effect after `gitlab-ctl reconfigure`.
vim /etc/gitlab/gitlab.rb
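# Disable the bundled nginx; the self-managed nginx below talks to Workhorse instead.
nginx['enable'] = false
# Let the external web server's user (the apt nginx presumably runs as www-data)
# reach the Workhorse socket.
web_server['external_users'] = ['www-data']
# TLS is terminated in front of the relay, so no Let's Encrypt on this box.
letsencrypt['enable'] = false
# external_url is a method call in gitlab.rb, not an assignment: written as
# `external_url = ...` Ruby only creates a local variable and the setting is
# silently ignored, leaving the default URL in place.
external_url 'https://git.public.domain'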
- 配置一个自己的nginx
apt install nginx
# Site file; enable it with a symlink in sites-enabled and run `nginx -t` before reloading.
vim /etc/nginx/sites-available/git.public.domain
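# Upstream is GitLab Workhorse's unix socket (the bundled nginx is disabled in gitlab.rb).
upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

server {
  server_name git.public.domain;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;

  # Only the relay may rewrite the client address. It sends the real client
  # IP in X-Real-IP, which is real_ip_header's default; stated explicitly so
  # the trust relationship is visible.
  set_real_ip_from <proxy-server-ip>;
  real_ip_header X-Real-IP;

  # Plain HTTP on a custom port; the firewall must restrict it to <proxy-server-ip>.
  listen GITLAB_PORT;

  location / {
    client_max_body_size 0;
    gzip off;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    # $remote_addr is already the real client here thanks to set_real_ip_from.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # This listener is plain HTTP, so $scheme would say "http" and contradict
    # X-Forwarded-Ssl and the https external_url; TLS is terminated upstream.
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://gitlab-workhorse;
  }
}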
- 配置 GitLab 机器的防火墙（只允许中转机访问 GITLAB_PORT）
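# Admin SSH to this box. Forwarded git-over-SSH also lands here, but after the
# relay's MASQUERADE it arrives from <proxy-server-ip>, not the real client.
ufw allow ssh
# GitLab's plain-HTTP port is reachable only from the relay, TCP only.
ufw allow proto tcp from <proxy-server-ip> to any port <GITLAB_PORT>
ufw enable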
0x1 中转机设置
- nginx转发http流量
apt install nginx
# Relay site file; enable it in sites-enabled and run `nginx -t` before reloading.
vim /etc/nginx/sites-available/git.public.domain
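server {
  server_name git.public.domain;

  # Plain HTTP behind the SNI front end, which hands over the original client
  # address via the PROXY protocol (8083 additionally speaks cleartext HTTP/2).
  listen 127.0.0.1:8082 proxy_protocol;
  listen 127.0.0.1:8083 proxy_protocol http2;

  # Make $remote_addr (and therefore X-Forwarded-For) the PROXY-protocol client
  # address instead of 127.0.0.1; only the local front end may assert it.
  set_real_ip_from 127.0.0.1;
  real_ip_header proxy_protocol;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $proxy_protocol_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # $scheme is "http" on this listener; TLS was terminated in front of us.
    proxy_set_header X-Forwarded-Proto https;
    client_max_body_size 0;
    gzip off;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_http_version 1.1;
    # NOTE(review): this hop to the GitLab box is cleartext HTTP across the
    # network between the two machines, so session cookies and tokens are
    # exposed to that path unless it is carried inside a tunnel or the GitLab
    # side terminates TLS itself. Restrict <GITLAB_PORT> to this host's IP there.
    proxy_pass http://<gitlab-server-ip>:<GITLAB_PORT>;
  }
}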
- 前级SNI分流
(略)。懂的都懂。前级需要按 SNI 把 git.public.domain 的流量以 PROXY protocol 送到本机的 127.0.0.1:8082（HTTP/1.1）或 8083（HTTP/2）。
- 更改ssh端口
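# Port 22 on this host is about to be DNATed to GitLab, so sshd must move first.
vim /etc/ssh/sshd_config
Port <new-ssh-port>
# Open only TCP on the new port, and do it before restarting sshd; keep this
# session open until a second login on the new port succeeds.
ufw allow <new-ssh-port>/tcp
# Refuse to restart on a bad config (a typo here locks you out).
sshd -t && systemctl restart sshd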
- 用 ufw（iptables nat 表）把 22 端口的 ssh 流量 DNAT 到 GitLab 机器
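vim /etc/default/ufw
# No spaces around "=": the file is read as KEY="VALUE" like its stock entries,
# and the spaced form may be ignored silently. ACCEPT applies to all forwarded
# traffic; a narrower alternative is a `ufw route allow` rule covering only the
# GitLab SSH forward while the default stays DROP.
DEFAULT_FORWARD_POLICY="ACCEPT"
vim /etc/ufw/sysctl.conf
# The kernel must route between interfaces for the DNAT below to work.
net.ipv4.ip_forward=1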
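# These lines go into /etc/ufw/before.rules, above the existing *filter section.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Send inbound TCP/22 on the public address to GitLab's sshd.
-A PREROUTING -i eth0 -d <proxy-server-ip> -p tcp --dport 22 -j DNAT --to-destination <gitlab-server-ip>:22
# Masquerade only the forwarded SSH flow rather than everything leaving eth0.
# Side effect: GitLab sees every SSH client as <proxy-server-ip>, so its logs
# and any per-source rate limiting there lose the real client address.
-A POSTROUTING -o eth0 -d <gitlab-server-ip> -p tcp --dport 22 -j MASQUERADE
COMMIT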
# Reload ufw so before.rules and the forward policy take effect.
systemctl restart ufw
# Confirm the DNAT/MASQUERADE entries are loaded (with packet/byte counters).
iptables -t nat -vnL
- 验证ssh连接
# No -p needed: port 22 on the relay is DNATed straight to GitLab. The host key
# presented is therefore GitLab's, not the relay's; if the relay was previously
# reached on 22 under this name, ssh will warn about a changed key — expected
# here, but confirm the fingerprint out-of-band rather than accepting blindly.
ssh -T git@git.public.domain
# Expected output
Welcome to GitLab, @user!
License:
CC BY 4.0