Setting up HTTPS and a custom GitLab install (for a small-memory server)


The server is up; now switch it from HTTP to HTTPS.

curl https://get.acme.sh | sh

Afterwards there is an .acme.sh folder in your home directory; cd .acme.sh and run:

acme.sh --issue -d yuhelove.com -d www.yuhelove.com --webroot /www/xxx/xxx

The last argument, /www/xxx/xxx, is the project directory (the web root). The certificate issued this way only covers the www name; if you want more names, request more.

nginx configuration

listen 443 ssl;
server_name www.yuhelove.com *.yuhelove.com;
root /www/xxx/xxx;
index index.html index.htm index.php default.html default.htm default.php;
ssl_certificate /etc/local/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/local/nginx/ssl/yuhelove.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# reduce clickjacking
add_header X-Frame-Options DENY;
# stop MIME type sniffing
add_header X-Content-Type-Options nosniff;
# legacy browser XSS filter
add_header X-Xss-Protection 1;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;

Note: if you want IE to work over HTTPS, build nginx with --with-openssl-opt='enable-weak-ssl-ciphers'.

GitLab

Because the server has little memory, GitLab's parameters have to be changed. The server is 1 core / 2 GB, with a 2 GB swap enabled.

Follow the installation guide (linked in the original post) up to the step vim /etc/gitlab/gitlab.rb.

Then edit the .rb file:

external_url 'http://gitlab.yuhelove.com'
gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => false,
  'ip_whitelist' => ["127.0.0.1", "xx.xx.xx.xx"], # add this host's own IP here, otherwise requests get 403
  'maxretry' => 10,
  'findtime' => 60,
  'bantime' => 3600
}
unicorn['worker_processes'] = 2                       # minimum is 2
unicorn['worker_memory_limit_min'] = "50 * 1 << 20"   # adjust to your needs
unicorn['worker_memory_limit_max'] = "100 * 1 << 20"  # adjust to your needs
sidekiq['concurrency'] = 10                           # adjust to your needs
postgresql['shared_buffers'] = "32MB"                 # adjust to your needs; minimum 32MB
postgresql['max_worker_processes'] = 2                # adjust to your needs
web_server['external_users'] = ['www']                # the user/group that nginx runs as
nginx['enable'] = false                               # do not start the nginx bundled with GitLab
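
The rack_attack_git_basic_auth block above is easier to reason about with a model of what its parameters do. The following Ruby is an added example, not code from this post and not GitLab's or the rack-attack gem's implementation; it reproduces only the documented rule (an IP that is not whitelisted and fails Git basic auth maxretry times within findtime seconds is refused for bantime seconds), and the IP addresses and timestamps in it are constructed.

```ruby
# Added example: a simplified model of the rack_attack_git_basic_auth settings.
# Not GitLab's or rack-attack's code; it only reproduces the documented rule.
class GitAuthThrottle
  def initialize(ip_whitelist:, maxretry:, findtime:, bantime:)
    @whitelist = ip_whitelist
    @maxretry  = maxretry
    @findtime  = findtime
    @bantime   = bantime
    @failures  = Hash.new { |h, ip| h[ip] = [] } # ip => timestamps of failed attempts
    @banned_until = {}                           # ip => time at which the ban expires
  end

  # Records one Git basic-auth attempt from `ip` at time `now` (seconds) and
  # returns :whitelisted, :banned, :ok or :failed. In this model the attempt
  # that reaches maxretry is itself reported as :banned.
  def request(ip, success:, now:)
    return :whitelisted if @whitelist.include?(ip)
    return :banned if banned?(ip, now: now)

    if success
      @failures.delete(ip)
      return :ok
    end

    # Keep only the failures inside the sliding findtime window, then add this one.
    window = @failures[ip].select { |t| t > now - @findtime }
    window << now
    if window.size >= @maxretry
      @banned_until[ip] = now + @bantime
      @failures.delete(ip)
      :banned
    else
      @failures[ip] = window
      :failed
    end
  end

  def banned?(ip, now:)
    @banned_until.key?(ip) && now < @banned_until[ip]
  end
end

# Constructed walk-through using the values from the gitlab.rb above
# (203.0.113.7 is a documentation address, not a real client).
if $PROGRAM_NAME == __FILE__
  throttle = GitAuthThrottle.new(ip_whitelist: ['127.0.0.1'], maxretry: 10, findtime: 60, bantime: 3600)
  10.times { |i| puts "attempt #{i + 1}: #{throttle.request('203.0.113.7', success: false, now: i)}" }
  puts "after the ban, correct password: #{throttle.request('203.0.113.7', success: true, now: 20)}"
  puts "an hour later: #{throttle.request('203.0.113.7', success: true, now: 9 + 3600)}"
  puts "whitelisted host: #{throttle.request('127.0.0.1', success: false, now: 0)}"
end
```

The whitelist is checked before anything else, which is why the post's comment says to add the host's own IP: with enabled set to true, a local client (the bundled nginx, a CI runner on the same box) that fails a few pushes would otherwise lock itself out for an hour.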


With that, GitLab is usable.

Then configure nginx:

upstream gitlab-workhorse {
    server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}
server {
    listen 80;
    server_name gitlab.yuhelove.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    server_name gitlab.yuhelove.com;
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    index index.html index.htm index.php default.html default.htm default.php;
    ssl_certificate /etc/local/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/local/nginx/ssl/yuhelove.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # reduce clickjacking
    add_header X-Frame-Options DENY;
    # stop MIME type sniffing
    add_header X-Content-Type-Options nosniff;
    # legacy browser XSS filter
    add_header X-Xss-Protection 1;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;

    include rewrite/none.conf;
    location / {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gitlab-workhorse;
    }

    include enable-php-pathinfo.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }
    error_log /data/logs/nginx_error.log error;
}
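
Both nginx snippets in this post (the HTTPS server block for the site and the reverse-proxy block for GitLab) use the same TLS and header directives, so one check covers both. The Ruby below is an added example, not code from this post or from nginx: it flattens an nginx config into directives with their enclosing blocks and reports the points a reviewer would raise on these snippets: TLSv1 and TLSv1.1 in ssl_protocols (deprecated by RFC 8996), a missing security header or a short HSTS max-age, a location that sets its own add_header (nginx then does not inherit the server-level headers into it), and a proxied location that does not forward X-Forwarded-Proto. SAMPLE_CONF is constructed to mirror the GitLab server blocks above; the host names and paths are the post's.

```ruby
# Added example, not code from the original post: an audit of the nginx
# TLS, header and reverse-proxy directives shown above.
Directive = Struct.new(:context, :name, :args)

DEPRECATED_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze
REQUIRED_HEADERS = %w[X-Frame-Options X-Content-Type-Options Strict-Transport-Security].freeze
MIN_HSTS_AGE = 31_536_000 # one year, the minimum hstspreload.org accepts when "preload" is set

# Tokens: quoted strings, the structural characters { } ;, or bare words.
TOKEN = /"[^"]*"|'[^']*'|[{};]|[^\s{};"']+/

# Drops comments (assumes no '#' inside quoted values), then tokenizes.
def tokenize(conf)
  conf.gsub(/#[^\n]*/, '')
      .scan(TOKEN)
      .map { |t| t.start_with?('"', "'") ? t[1..-2] : t }
end

# Flattens the config into directives tagged with their enclosing blocks.
# Each server block gets a unique label so its locations can be tied to it.
def parse(conf)
  stack, current, out, servers = [], [], [], 0
  tokenize(conf).each do |tok|
    case tok
    when ';'
      out << Directive.new(stack.dup, current[0], current[1..]) unless current.empty?
      current = []
    when '{'
      name = current.join(' ')
      stack.push(name == 'server' ? "server##{servers += 1}" : name)
      current = []
    when '}'
      stack.pop
    else
      current << tok
    end
  end
  out
end

# Returns human-readable findings; an empty list means nothing was flagged.
def audit(conf)
  findings = []
  ds = parse(conf)
  ds.select { |d| d.name == 'ssl_protocols' }.each do |d|
    (d.args & DEPRECATED_PROTOCOLS).each do |p|
      findings << "#{d.context.last}: ssl_protocols enables #{p} (deprecated by RFC 8996)"
    end
  end
  ds.map { |d| d.context.find { |c| c.start_with?('server#') } }.compact.uniq.each do |srv|
    in_srv = ds.select { |d| d.context.include?(srv) }
    next unless in_srv.any? { |d| d.name == 'listen' && d.args.include?('ssl') }

    headers = in_srv.select { |d| d.context.last == srv && d.name == 'add_header' }
                    .to_h { |d| [d.args[0], d.args[1]] }
    (REQUIRED_HEADERS - headers.keys).each { |h| findings << "#{srv}: missing add_header #{h}" }
    if (hsts = headers['Strict-Transport-Security'])
      age = hsts[/max-age=(\d+)/, 1].to_i
      findings << "#{srv}: HSTS max-age #{age} is below #{MIN_HSTS_AGE}" if age < MIN_HSTS_AGE
    end
    # nginx passes server-level add_header into a location only if that location sets none itself.
    in_srv.select { |d| d.name == 'add_header' && d.context.last != srv }
          .map { |d| d.context.last }.uniq.each do |loc|
      findings << "#{srv}: #{loc} sets its own add_header, so server-level headers are not inherited there"
    end
    # A proxied location should forward the original scheme; otherwise the app behind it sees plain http.
    in_srv.group_by { |d| d.context.last }.each do |ctx, dl|
      next unless dl.any? { |d| d.name == 'proxy_pass' }
      next if dl.any? { |d| d.name == 'proxy_set_header' && d.args[0] == 'X-Forwarded-Proto' }
      findings << "#{srv}: #{ctx} proxies without X-Forwarded-Proto"
    end
  end
  findings
end

# Constructed sample mirroring the GitLab server blocks in the post.
SAMPLE_CONF = <<~'NGINX'
  upstream gitlab-workhorse {
      server unix:/var/opt/gitlab/gitlab-workhorse/socket;
  }
  server {
      listen 80;
      server_name gitlab.yuhelove.com;
      rewrite ^(.*) https://$server_name$1 permanent;
  }
  server {
      listen 443 ssl;
      server_name gitlab.yuhelove.com;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
      location / {
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_pass http://gitlab-workhorse;
      }
  }
NGINX

puts audit(SAMPLE_CONF) if $PROGRAM_NAME == __FILE__
```

Run against the sample, the only findings are the two deprecated protocol versions; dropping them to TLSv1.2 (and TLSv1.3 where the nginx build supports it) leaves the list empty. The add_header inheritance check matters for this post's layout: the security headers sit at server level, and any location that later gains an add_header of its own (a Cache-Control on the static-asset locations, for example) silently loses them.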


The server now has HTTPS and GitLab.