3

I managed to set up Gitlab with an Apache frontend on my server. Since the default SSL port is already in use, I added a

Listen 444

to the Apache ports, and a VirtualHost like

<VirtualHost *:444>

  ServerSignature Off

  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:-MEDIUM:!LOW:-SSLv2
  SSLCertificateFile /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl/server.key

  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]

  ProxyPreserveHost On
  ProxyPass /uploads !
  ProxyPass /error !

  <Proxy balancer://unicornservers>
    BalancerMember http://127.0.0.1:8081 
    ProxyPassReverse https://my.server.de:444/
  </Proxy>

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  <Location />
    Order deny,allow
    Allow from all
  </Location>

  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog  /var/log/apache2/gitlab.error.log
  CustomLog /var/log/apache2/gitlab.forwarded.log common_forwarded
  CustomLog /var/log/apache2/gitlab.access.log combined env=!dontlog
  CustomLog /var/log/apache2/gitlab.log combined

</VirtualHost>

The goal is to forward to the local unicorn (which is the standard scenario for using Gitlab).

When calling

https:/my.server.de:444

I get redirected to /users/sign_in (as expected), but with the "http" scheme set in the HTTP Location header. I can successfully get

https:/my.server.de:444/users/sign_in

manually, but on every POST the redirect location misses the correct scheme again. Any idea what is going on? Shouldn't ProxyPassReverse handle this?

4

2 Answers

7

There is a sample configuration here that was updated a few days ago: https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl.conf

But that didn't really work for me; I had to add:

RequestHeader set X-Forwarded-Proto "https" 

to the configuration:

<VirtualHost *:8081>
  SSLEngine on
  #strong encryption ciphers only
  #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
  SSLCertificateFile /etc/apache2/ssl/cert.pem
  SSLCertificateKeyFile /etc/apache2/ssl/cert.key

  #SSLCACertificateFile  /etc/httpd/ssl.crt/your-ca.crt

  ServerName gitlab.xy
  ServerSignature Off

  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

  <Location />
    Order deny,allow
    Allow from all

    ProxyPass http://127.0.0.1:8080
    ProxyPassReverse http://127.0.0.1:8080

  </Location>

  #apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 503 /deploy.html

  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog  /var/log/apache2/logs/gitlab-ssl_error.log
  CustomLog /var/log/apache2/logs/gitlab-ssl_forwarded.log common_forwarded
  CustomLog /var/log/apache2/logs/gitlab-ssl_access.log combined env=!dontlog
  CustomLog /var/log/apache2/logs/gitlab-ssl.log combined

</VirtualHost>
answered 2013-10-24T21:17:19.847
1

This helped me; note the ProxyPassReverse lines. My full question and solution are at https://stackoverflow.com/a/22390543/3112527

<IfModule mod_ssl.c>
<VirtualHost *:443>
  Servername gitlab.my_domain.com
  ServerAdmin my_admin@my_domain.com

  SSLCertificateFile /etc/apache2/ssl.crt/gitlab_my_domain.crt
  SSLCertificateKeyFile /etc/apache2/ssl.crt/gitlab_my_domain_private.key
  SSLCACertificateFile /etc/apache2/ssl.crt/gitlab.ca-bundle

  ##### All the other Apache SSL setup skipped here for StackOverflow ####

  ProxyPreserveHost On

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # For relative URL root "host:your_gitlab_port/relative_root"
    #ProxyPassReverse http://127.0.0.1:8085/gitlab
    #ProxyPassReverse https://gitlab.my_domain.com/gitlab

    # For non-relative URL root
    ProxyPassReverse http://127.0.0.1:8085
    ProxyPassReverse https://gitlab.my_domain.com/
  </Location>

  # apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # https://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
  RequestHeader set X_FORWARDED_PROTO 'https'

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 503 /deploy.html

  LogFormat  "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog      /var/log/apache2/gitlab-ssl_error.log
  CustomLog /var/log/apache2/gitlab-ssl_forwarded.log common_forwarded
  CustomLog /var/log/apache2/gitlab-ssl_access.log combined env=!dontlog
  CustomLog /var/log/apache2/gitlab-ssl.log combined
</VirtualHost>
</IfModule>

(from https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache2.4.conf)

answered 2014-03-13T21:02:41.513
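
The behaviour discussed in the question and both answers, as an added example that is not part of the original posts: a simplified Python model (not mod_proxy or Rack code; all function names are hypothetical) of how the backend picks the redirect scheme and when ProxyPassReverse rewrites the Location header. Host names and ports are the ones from the question.

```python
from urllib.parse import urlsplit

PUBLIC = "https://my.server.de:444"   # TLS frontend URL from the question
BACKEND = "http://127.0.0.1:8081"     # BalancerMember from the question


def backend_redirect(path, headers):
    """Model: the backend builds an absolute redirect from what it was told.
    It speaks plain HTTP itself, so without X-Forwarded-Proto it assumes http."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}{path}"


def proxy_pass_reverse(location, prefixes):
    """Model: Location is rewritten only if it starts with a configured URL;
    anything else is passed to the client unchanged."""
    for prefix in prefixes:
        if location.startswith(prefix):
            return PUBLIC + "/" + location[len(prefix):].lstrip("/")
    return location


def client_sees(path, preserve_host, forwarded_proto, reverse_prefixes):
    """Location header the browser receives for one backend redirect."""
    # ProxyPreserveHost On forwards the public Host header to the backend.
    host = urlsplit(PUBLIC if preserve_host else BACKEND).netloc
    headers = {"Host": host}
    if forwarded_proto:  # RequestHeader set X-Forwarded-Proto "https"
        headers["X-Forwarded-Proto"] = forwarded_proto
    return proxy_pass_reverse(backend_redirect(path, headers), reverse_prefixes)


def is_downgrade(location):
    """True if a redirect would send the client away from HTTPS."""
    return urlsplit(location).scheme != "https"


if __name__ == "__main__":
    cases = {
        "question (preserve host, no header)": (True, None, [PUBLIC + "/"]),
        "answer 1 (preserve host + header)": (True, "https", [BACKEND]),
        "no preserve host, reverse on backend": (False, None, [BACKEND]),
    }
    for name, args in cases.items():
        loc = client_sees("/users/sign_in", *args)
        print(f"{name}: {loc} downgrade={is_downgrade(loc)}")
```

With ProxyPreserveHost On the backend emits the public host name, so no ProxyPassReverse prefix based on the backend address or on the https URL matches, and the scheme has to be corrected via the forwarded header instead.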