Pros: 优化链路,实际例子中拥有一个高配的机器跑GitLab,但路由绕美不理想,用直连线路机器中转。

Cons: 中转机器的ssh将无法跑在22端口上,需要一个新的端口。

0x0 gitlab机器设置

  1. 关闭gitlab自带的nginx
vim /etc/gitlab/gitlab.rb
# 关闭 nginx
nginx['enable'] = false

# 分配用户组
web_server['external_users'] = ['www-data']

# 关闭 Let's Encrypt 自动证书
letsencrypt['enable'] = false

# 设置 external_url 为最终站点链接
external_url = 'https://git.public.domain'
  1. 配置一个自己的nginx
apt install nginx
vim /etc/nginx/sites-available/git.public.domain
upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

server {
    server_name git.public.domain;
    server_tokens off;
    root /opt/gitlab/embedded/service/gitlab-rails/public;

    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;

    set_real_ip_from <proxy-server-ip>;

    # 自定义端口
    listen GITLAB_PORT;

    location / {
        client_max_body_size 0;
        gzip off;

        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://gitlab-workhorse;
    }
}
  1. 配置工作站点的防火墙
ufw allow ssh
ufw allow ufw allow from <proxy-server-ip> to any port <GITLAB_PORT>
ufw enable

0x1 中转机设置

  1. nginx转发http流量
apt install nginx
vim /etc/nginx/sites-available/git.public.domain
server {
    server_name git.public.domain;
    listen 127.0.0.1:8082 proxy_protocol;
    listen 127.0.0.1:8083 proxy_protocol http2;

    location / {
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $proxy_protocol_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        client_max_body_size 0;
        gzip off;
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_pass http://<gitlab-server-ip>:<GITLAB_PORT>;
    }
}
  1. 前级SNI分流

(略)。懂的都懂。

  1. 更改ssh端口
vim /etc/ssh/sshd_config
Port <new-ssh-port>
ufw allow <new-ssh-port>
systemctl restart sshd
  1. ufw转发ssh端口流量
vim /etc/default/ufw
DEFAULT_FORWARD_POLICY = "ACCEPT"
vim /etc/ufw/sysctl.conf
net.ipv4.ip_forward=1
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i eth0 -d <proxy-server-ip> -p tcp --dport 22 -j DNAT --to-destination <gitlab-server-ip>:22
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT
systemctl restart ufw
# 检查设置
iptables -t nat -L -n -v
  1. 验证ssh连接
ssh -T git@git.public.domain
# Output
Welcome to GitLab, @user!
上一篇 下一篇