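System: CentOS 7.4
I. Install and configure the required dependencies
1. Install ssh
sudo yum install -y curl policycoreutils-python openssh-server
2. Enable ssh at boot
sudo systemctl enable sshd
3. Start ssh
sudo systemctl start sshd
4. Add the http service to firewalld. --permanent makes the rule persistent; without --permanent the rule is lost the next time the system starts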
sudo firewall-cmd --permanent --add-service=http
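If the firewall is not installed, install it
yum install firewalld systemd -y
Start the firewall
service firewalld start
5. Reload the firewall
sudo systemctl reload firewalld
6. Next, install postfix to send notification emails. If you want to use another solution for sending email, skip this step and configure an external SMTP server after installing GitLab
Install command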
sudo yum install postfix
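7. Enable postfix at boot
sudo systemctl enable postfix
8. Start postfix
sudo systemctl start postfix
If the following prompt appears
change the settings in /etc/postfix/main.cf to inet_protocols = ipv4 and inet_interfaces = all
vim /etc/postfix/main.cf
II. Add the GitLab package repository and install the package
1. Download the GitLab package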
wget --content-disposition https://packages.gitlab.com/gitlab/gitlab-ce/packages/el/7/gitlab-ce-12.0.3-ce.0.el7.x86_64.rpm/download.rpm
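2. Install GitLab. Install command
rpm -i gitlab-ce-12.0.3-ce.0.el7.x86_64.rpm
If the following prompt appears during installation
run the command below, then run the GitLab install command again
yum install policycoreutils-python
If the following screen appears, the installation succeeded
3. Edit the GitLab configuration file to set the server IP and a custom port, or a domain name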
vim /etc/gitlab/gitlab.rb
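4. Apply the configuration
gitlab-ctl reconfigure
5. Start GitLab. If the following screen appears, startup succeeded and you can visit the corresponding domain name or IP address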
gitlab-ctl start
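III. Apply for an SSL certificate from Alibaba Cloud
1. Apply for a free SSL certificate on Alibaba Cloud and download it locally
2. After unpacking, change the extension of the pem file to crt
3. Upload the crt file and the key to the server
IV. Configure HTTPS in nginx
Option 1: configure HTTPS with the built-in Nginx
1. Edit /etc/gitlab/gitlab.rb; four settings change in total
# Change the domain to HTTPS access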
external_url 'https://gitlab.example.com'
# Redirect HTTP to HTTPS
nginx['redirect_http_to_https'] = true
# Certificate paths
nginx['ssl_certificate'] = "/var/opt/gitlab/nginx/conf/cert/jh_ssl.crt"
nginx['ssl_certificate_key'] = "/var/opt/gitlab/nginx/conf/cert/jh_ssl.key"
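Option 2: configure HTTPS with an external nginx
1. Settings in /etc/gitlab/gitlab.rb
Set the external access address
external_url 'https://git.example.com'
Disable the built-in Nginx
nginx['enable'] = false
Set the user name of the existing Nginx, matching the user that was created when Nginx was installed on the server
web_server['external_users'] = ['nginx-user']
Set the trusted proxies for the existing Nginx
gitlab_rails['trusted_proxies'] = ['127.0.0.1']
2. Run the command that applies the configuration, then the start command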
gitlab-ctl reconfigure
gitlab-ctl start
3. Create a new file in the nginx directory, for example gitlab-nginx.conf, and copy in the following content
upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}
server {
    listen 80;
    server_name git.example.com;
    server_tokens off;
    return 301 https://$http_host$request_uri;
    access_log /var/log/nginx/gitlab_access.log;
    error_log /var/log/nginx/gitlab_error.log;
}
server {
    listen 443 ssl;
    server_name git.example.com;
    server_tokens off;
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    ssl on;
    ssl_certificate cert/git.example.com/git.example.com.pem;
    ssl_certificate_key cert/git.example.com/git.example.com.key;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    access_log /var/log/nginx/gitlab_access.log;
    error_log /var/log/nginx/gitlab_error.log;
    location / {
        client_max_body_size 0;
        gzip off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gitlab-workhorse;
    }
}
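Change the following items:
A. Replace git.example.com with the domain name you want to use
B. Set ssl_certificate and ssl_certificate_key to the paths of the SSL files uploaded to the server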
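The server block above still enables TLSv1 and TLSv1.1 and lists 3DES (DES-CBC3) cipher suites. The check below is an added example, not part of the original tutorial: a shell function (audit_tls_conf, a name chosen here) reads an Nginx config on stdin and reports protocol versions older than TLS 1.2, weak cipher entries that are actually enabled, and the obsolete "ssl on" directive. The sample input is constructed from the config above with the cipher list shortened.

```shell
#!/bin/sh
# Added example (not from the original page): flag legacy TLS settings in an
# Nginx config read from stdin. Exit status is 0 only when nothing is found.
audit_tls_conf() {
    findings=0
    body=$(sed 's/#.*//')   # drop comments so disabled directives are ignored

    # 1. Protocol versions older than TLS 1.2
    protos=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "legacy-protocol: $p"; findings=$((findings + 1)) ;;
        esac
    done

    # 2. Enabled cipher entries that are known-weak; "!X" and "-X" are exclusions
    ciphers=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}"\{0,1\}\([^";]*\).*/\1/p' |
        tr ':' ' ')
    for c in $ciphers; do
        case $c in
            '!'*|-*) ;;
            *DES-CBC3*|*3DES*|*RC4*|*MD5*|*NULL*|*EXP*)
                echo "weak-cipher: $c"; findings=$((findings + 1)) ;;
        esac
    done

    # 3. "ssl on;" is obsolete; "listen 443 ssl;" already enables TLS
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "obsolete-directive: ssl on"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: TLS lines of the server block above, cipher list shortened.
sample_conf() {
    cat <<'EOF'
listen 443 ssl;
ssl on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!DES:!MD5:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
}

sample_conf | audit_tls_conf || echo "review the settings listed above"
```

To check a real file, run audit_tls_conf < gitlab-nginx.conf and narrow ssl_protocols and ssl_ciphers until the function exits with status 0.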
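4. Set permissions on the GitLab folder that holds the gitlab-workhorse socket. Mode 777 makes this directory readable and writable by every local user, which is broader than the Nginx worker user needs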
chmod 777 /var/opt/gitlab/gitlab-workhorse
5. Reload nginx and the setup is complete
cd /usr/local/nginx/sbin
./nginx -s reload