mtr*_*aut 3 apache https proxy reverse-proxy gitlab
我设法在我的服务器上使用 Apache 前端设置 Gitlab。由于默认的 SSL 端口已被占用,我添加了一个
Listen 444
到 Apache 端口和 VirtualHost 之类
<VirtualHost *:444>
ServerSignature Off
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:-MEDIUM:!LOW:-SSLv2
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
ProxyPreserveHost On
ProxyPass /uploads !
ProxyPass /error !
<Proxy balancer://unicornservers>
BalancerMember http://127.0.0.1:8081
ProxyPassReverse https://my.server.de:444/
</Proxy>
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
<Location />
Order deny,allow
Allow from all
</Location>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/gitlab.error.log
CustomLog /var/log/apache2/gitlab.forwarded.log common_forwarded
CustomLog /var/log/apache2/gitlab.access.log combined env=!dontlog
CustomLog /var/log/apache2/gitlab.log combined
</VirtualHost>
目标是转发到本地独角兽(这是使用Gitlab的标准场景)。
打电话时
https:/my.server.de:444
我重定向到 /users/sign_in (如预期),但在 HTTP 标头位置中设置了“http”方案。我可以成功得到
https:/my.server.de:444/users/sign_in
手动,但在每个帖子中,重定向位置都会再次错过正确的方案。知道发生了什么事吗?ProxyPassReverse 不应该解决这个问题吗?
这里有一个示例配置,几天前更新了: https: //github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl.conf
但它对我来说并没有真正起作用,我必须添加:
RequestHeader set X-Forwarded-Proto "https"
在配置中:
<VirtualHost *:8081>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/cert.key
#SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName gitlab.xy
ServerSignature Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
<Location />
Order deny,allow
Allow from all
ProxyPass http://127.0.0.1:8080
ProxyPassReverse http://127.0.0.1:8080
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/logs/gitlab-ssl_error.log
CustomLog /var/log/apache2/logs/gitlab-ssl_forwarded.log common_forwarded
CustomLog /var/log/apache2/logs/gitlab-ssl_access.log combined env=!dontlog
CustomLog /var/log/apache2/logs/gitlab-ssl.log combined
</VirtualHost>
| 归档时间: |
|
| 查看次数: |
13137 次 |
| 最近记录: |