
我正在运行与 gitlab 捆绑的 nginx,它有一个 ssl 证书,但该 ssl 证书仅适用于公共域名,所以现在 nginx 不接受未加密的流量,因此我无法从本地网络(也就是我的家庭网络)访问它。有没有办法可以改变这一点,以便 nginx 接受来自本地网络的未加密流量?

编辑:类似于这个问题

这是我的 nginx 配置:

## Main config of the nginx bundled with GitLab: workers run as the gitlab-www user,
## errors go to stderr, and the http{} block below pulls in the GitLab vhosts.
user gitlab-www gitlab-www;
worker_processes 4;
error_log stderr;
## Relative path: nginx resolves it against its prefix directory, not this file
## — NOTE(review): confirm which prefix the bundled binary was built with.
pid nginx.pid;

## Stay in the foreground; presumably a supervisor (omnibus uses runit) manages the
## process — confirm before running this config by hand.
daemon off;

events {
   ## Per-worker connection cap; with worker_processes 4 above this allows
   ## at most 4 * 10240 = 40960 simultaneous connections.
   worker_connections 10240;
}

http {
  ## Three access-log formats with identical fields; a vhost picks one by name
  ## in its access_log directive (the GitLab vhosts below use gitlab_access).
  log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
  log_format gitlab_ci_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
  log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;

 keepalive_timeout 65;

 ## gzip is enabled globally here; the proxied GitLab locations in
 ## gitlab-http.conf switch it off again for TLS responses (BREACH mitigation),
 ## so compression effectively only applies to static assets.
 gzip on;
 gzip_http_version 1.0;
 gzip_comp_level 2;
 gzip_proxied any;
 gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;

  include /opt/gitlab/embedded/conf/mime.types;

  ## The GitLab virtual hosts (port-80 redirect and port-443 TLS server) live here.
  include /var/opt/gitlab/nginx/conf/gitlab-http.conf;




}

这是 gitlab-http 配置:

## GitLab Rails (unicorn) backend, reached over a unix domain socket; access to
## it is governed by the socket file's permissions rather than by network rules.
upstream gitlab {
   server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

## gitlab-workhorse backend (git-over-HTTP, LFS, archives, artifacts), also over
## a unix domain socket.
upstream gitlab-workhorse {
   server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}

## Redirects all HTTP traffic to the HTTPS host
server {
  ## Plaintext listener on IPv4 and IPv6. Nothing is served or proxied here:
  ## every request is answered with a permanent redirect to the public HTTPS name.
  listen 0.0.0.0:80;
  listen [::]:80;
  server_name git.team2roblox.tk;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## NOTE(review): the redirect target is the public hostname regardless of how the
  ## client addressed the server, so a LAN client connecting by IP is also sent to
  ## git.team2roblox.tk. If this is the only server on port 80 it is also the
  ## default server, so the Host header never bypasses it — presumably why
  ## unencrypted LAN access fails; confirm against the question above.
  return 301 https://git.team2roblox.tk:443$request_uri;
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;
}

## TLS virtual host: serves static files from the Rails public/ directory and
## proxies everything else to the gitlab (unicorn) or gitlab-workhorse upstreams.
server {
  ## NOTE(review): `spdy` was replaced by `http2` in nginx 1.9.5; newer bundled
  ## nginx versions reject this parameter — check the version actually installed.
  listen 0.0.0.0:443 ssl spdy;


  listen [::]:443 ssl spdy;


  server_name git.team2roblox.tk;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 250m;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ## `ssl on;` is redundant with the `ssl` parameter on the listen lines above
  ## (and deprecated in newer nginx in favour of that parameter).
  ssl on;
  ## NOTE(review): the key directive points at a file named fullchain.pem, which by
  ## convention holds the certificate chain, while ssl_certificate points at cert.pem.
  ## If these two are swapped nginx will fail to load the key — verify the file
  ## contents; ssl_certificate should normally be the full chain and
  ## ssl_certificate_key the private key.
  ssl_certificate /etc/gitlab/ssl/cert.pem;
  ssl_certificate_key /etc/gitlab/ssl/fullchain.pem;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  # NOTE(review): this list still includes 3DES (DES-CBC3-SHA) and non-forward-secret
  # RSA key-exchange suites, and TLSv1/TLSv1.1 are enabled below; by current guidance
  # these are weak and are only justified by the compatibility need stated above.
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
 ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ## Session cache: the nginx docs note the builtin cache can fragment memory and
 ## recommend the shared cache alone — the builtin part here is presumably inherited
 ## from the GitLab template.
 ssl_session_cache  builtin:1000  shared:SSL:10m;
 ssl_session_timeout  5m;


 ## Individual nginx logs for this GitLab vhost
 access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
 error_log   /var/log/gitlab/nginx/gitlab_error.log;

 location / {
 ## Serve static files from defined root folder.
 ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri /index.html $uri.html @gitlab;
 }

 location /uploads/ {
 ## If you use HTTPS make sure you disable gzip compression
 ## to be safe against BREACH attack.
 gzip off;

 ## https://github.com/gitlabhq/gitlabhq/issues/694
 ## Some requests take more than 30 seconds.
 proxy_read_timeout      300;
 proxy_connect_timeout   300;
 proxy_redirect          off;

 ## X-Forwarded-Ssl / X-Forwarded-Proto are hard-coded because this server block
 ## only ever receives TLS connections. NOTE(review): a plaintext server block
 ## added for LAN access must not copy these two literals.
 proxy_set_header    Host                $http_host;
 proxy_set_header    X-Real-IP           $remote_addr;
 proxy_set_header    X-Forwarded-Ssl     on;
 proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
 proxy_set_header    X-Forwarded-Proto   https;
 ## proxy_set_header sets a header on the request sent upstream, not on the
 ## response to the browser — presumably the Rails app reads it; confirm.
 proxy_set_header    X-Frame-Options     SAMEORIGIN;

 proxy_pass http://gitlab;
}

## If a file, which is not found in the root folder is requested,
## then the proxy passes the request to the upstream (gitlab unicorn).
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;

## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout      300;
proxy_connect_timeout   300;
proxy_redirect          off;

## Same forwarded-header set as /uploads/ above (TLS-only literals).
proxy_set_header    Host                $http_host;
proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-Ssl     on;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   https;
proxy_set_header    X-Frame-Options     SAMEORIGIN;

proxy_pass http://gitlab;
}

## The regex locations below route git-over-HTTP, LFS, archive and artifact
## traffic to gitlab-workhorse. `client_max_body_size 0` disables the request
## body size limit for them (large pushes / LFS uploads).
location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}

location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}

location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
    client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}

location ~ ^/api/v3/projects/.*/repository/archive {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}

# Build artifacts should be submitted to this location
location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
error_page 418 = @gitlab-workhorse;
return 418;
}

# Build artifacts should be submitted to this location
location ~ /ci/api/v1/builds/[0-9]+/artifacts {
client_max_body_size 0;
# 'Error' 418 is a hack to re-use the @gitlab-workhorse block
 error_page 418 = @gitlab-workhorse;
return 418;
}

## Target of the 418 trick above; proxies to the workhorse socket with the same
## forwarded-header set as the Rails locations (minus X-Frame-Options).
location @gitlab-workhorse {
client_max_body_size 0;
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;

## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout      300;
proxy_connect_timeout   300;
proxy_redirect          off;

proxy_set_header    Host                $http_host;
proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-Ssl     on;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   https;

proxy_pass http://gitlab-workhorse;
}

 ## Enable gzip compression as per rails guide:
 ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
 ## WARNING: If you are using relative urls remove the block below
 ## See config/application.rb under "Relative url support" for the list of
 ## other files that need to be changed for relative url support
 ## (Static, non-secret assets: the only TLS responses here that stay compressed.)
 location ~ ^/(assets)/ {
 root /opt/gitlab/embedded/service/gitlab-rails/public;
 gzip_static on; # to serve pre-gzipped version
 expires max;
 add_header Cache-Control public;
 }


 ## Shown when the unicorn/workhorse upstream is unreachable.
 error_page 502 /502.html;


 }



看看 iptables 或者你所使用的任何防火墙。如果您使用的是不同的操作系统,具体做法可能会有所不同。

在 NGINX 服务器上(假设您使用的是 Linux 衍生版本),使用 iptables 只允许来自本地网络的连接,并阻止其他所有连接。下面的第一个条目是本地网络的 CIDR 范围,可能因您的网络而异。第二个是环回地址。最后一个条目适用于其他所有连接。

# Allow plaintext HTTP (port 80) only from the LAN range and loopback; drop every other source.
# NOTE(review): -A appends to the end of INPUT, so any ACCEPT or DROP already in the
# chain wins over these — inspect with `iptables -L INPUT -n --line-numbers` first.
iptables -A INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 127.0.0.0/8 -j ACCEPT
# NOTE(review): these are IPv4 rules only; the nginx config above also has
# `listen [::]:80`, so the IPv6 listener stays open unless matching ip6tables rules
# are added (or that listen line is removed). The rules are also not persistent
# across a reboot unless saved with the distribution's tooling.
# NOTE(review): filtering does not change what nginx answers — the port-80 server
# block above still replies with a 301 to the https:// hostname, so LAN clients
# that pass this filter are still redirected to TLS.
iptables -A INPUT -p tcp --dport 80 -j DROP
于 2015-12-13T23:28:54.450 回答