Blink Chen
文章
12
分类
3
评论
0

给GitLab设置中转机

| 技术活儿
字数总计 3995 | 阅读时长 9分钟 | 阅读量 32

Pros: 优化链路,实际例子中拥有一个高配的机器跑GitLab,但路由绕美不理想,用直连线路机器中转。

Cons: 中转机器的ssh将无法跑在22端口上,需要一个新的端口。

0x0 gitlab机器设置

  1. 关闭gitlab自带的nginx
vim /etc/gitlab/gitlab.rb

# 关闭 nginx
nginx['enable'] = false

# 分配用户组
web_server['external_users'] = ['www-data']

# 关闭 Let's Encrypt 自动证书
letsencrypt['enable'] = false

# 设置 external_url 为最终站点链接
external_url = 'https://git.public.domain'
  1. 配置一个自己的nginx
apt install nginx
vim /etc/nginx/sites-available/git.public.domain

upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

server {
    server_name git.public.domain;
    server_tokens off;
    root /opt/gitlab/embedded/service/gitlab-rails/public;

    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;

    set_real_ip_from <proxy-server-ip>;

    # 自定义端口
    listen GITLAB_PORT;

    location / {
        client_max_body_size 0;
        gzip off;

        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://gitlab-workhorse;
    }
}
  1. 配置工作站点的防火墙
ufw allow ssh
ufw allow ufw allow from <proxy-server-ip> to any port <GITLAB_PORT>
ufw enable

0x1 中转机设置

  1. nginx转发http流量
apt install nginx
vim /etc/nginx/sites-available/git.public.domain

server {
    server_name git.public.domain;
    listen 127.0.0.1:8082 proxy_protocol;
    listen 127.0.0.1:8083 proxy_protocol http2;

    location / {
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $proxy_protocol_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        client_max_body_size 0;
        gzip off;
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_pass http://<gitlab-server-ip>:<GITLAB_PORT>;
    }
}
  1. 前级SNI分流

(略)。懂的都懂。

  1. 更改ssh端口
vim /etc/ssh/sshd_config

Port <new-ssh-port>

ufw allow <new-ssh-port>
systemctl restart sshd
  1. ufw转发ssh端口流量
vim /etc/default/ufw

DEFAULT_FORWARD_POLICY = "ACCEPT"

vim /etc/ufw/sysctl.conf

net.ipv4.ip_forward=1

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i eth0 -d <proxy-server-ip> -p tcp --dport 22 -j DNAT --to-destination <gitlab-server-ip>:22
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

systemctl restart ufw
# 检查设置
iptables -t nat -L -n -v
  1. 验证ssh连接
ssh -T git@git.public.domain
# Output
Welcome to GitLab, @user!
文章作者: Blink Chen
本文链接:
版权声明: 本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 kingcyk's Blog
技术活儿 GitLab Linux
喜欢就支持一下吧