CentOS7 gitlab支持https的改造

简单说明：

依据《CentOS7 gitlab安装搭建简单维护》部署安装Gitlab，执行以下操作进行https改造

改造过程：

1° 修改hosts文件，增加解析：

HOSTNAME=gitlab
hostnamectl set-hostname "$HOSTNAME"
echo "$HOSTNAME">/etc/hostname
echo "$(grep -E '127|::1' /etc/hosts)">/etc/hosts
echo "$(ip a|grep "inet "|grep -v 127|awk -F'[ /]' '{print $6}') $HOSTNAME gitlab.vincent.com">>/etc/hosts
# 最终以gitlab.vincent.com为访问域名

2° 配置生成密钥：

# 创建密钥证书目录
mkdir -p /etc/gitlab/ssl
cd /etc/gitlab/ssl

# 创建csr密钥
openssl genrsa -out "/etc/gitlab/ssl/gitlab.vincent.com.key" 2048

# 创建csr证书
openssl req -new \
-key "/etc/gitlab/ssl/gitlab.vincent.com.key" \
-out "/etc/gitlab/ssl/gitlab.vincent.com.csr"
# Country Name (2 letter code) [XX]:cn
# State or Province Name (full name) []:shanghai
# Locality Name (eg, city) [Default City]:shanghai
# Organization Name (eg, company) [Default Company Ltd]:vincent
# Organizational Unit Name (eg, section) []:vincent
# Common Name (eg, your name or your server's hostname) []:gitlab.vincent.com
# Email Address []:[email protected]
# A challenge password []:vincent
# An optional company name []:vincent

# 利用创建的csr证书和csr密钥创建crt签署证书
openssl x509 -req -days 365 \
-in "/etc/gitlab/ssl/gitlab.vincent.com.csr" \
-signkey "/etc/gitlab/ssl/gitlab.vincent.com.key" \
-out "/etc/gitlab/ssl/gitlab.vincent.com.crt"

# 创建pem证书
openssl dhparam -out /etc/gitlab/ssl/dhparams.pem 2048

# 修改证书文件权限
chmod 600 *

3° 编辑gitlab配置文件，集成证书：

sed -i "s|^external_url.*$|# &\n\
external_url 'https://gitlab.vincent.com'|g" /etc/gitlab/gitlab.rb

sed -i "s|^# nginx\['enable'\] = true$|\
nginx['redirect_http_to_https'] = true\n\
nginx['ssl_certificate'] = \"/etc/gitlab/ssl/gitlab.vincent.com.crt\"\n\
nginx['ssl_certificate_key'] = \"/etc/gitlab/ssl/gitlab.vincent.com.key\"\
\n&|g" /etc/gitlab/gitlab.rb

sed -i "s|^# nginx\['ssl_dhparam'\] = nil|\
# nginx\['ssl_dhparam'\] = /etc/gitlab/ssl/dhparams.pem|g" /etc/gitlab/gitlab.rb

# 重新初始化gitlab
gitlab-ctl reconfigure

4° 修改gitlab的nginx代理配置，将所有请求都重定向到https

sed -i 's|listen \*:80;$|&\nrewrite ^(.*)$ https://$host$1 permanent;|g' /var/opt/gitlab/nginx/conf/gitlab-http.conf
# 正规写法应该是在80端口下的 server_name gitlab.vincent.com; 这行之下添加 rewrite ^(.*)$ https://$host$1 permanent;

# 重启生效
gitlab-ctl restart

5° 测试：

修改windows的hosts文件，添加gitlab.vincent.com的静态解析
网页访问 gitlab.vincent.com 会自动跳转到https

[TOC]