2016-09-16 24 views
0

Connecting GitLab with HAProxy and SSL termination

I am trying to set up GitLab behind HAProxy. I use the official GitLab Docker container and the dockercloud/haproxy container.

If I try to connect from my browser, I get the following error in GitLab:

==> /var/log/gitlab/sshd/current <==
2016-09-16_00:24:09.98430 Bad protocol version identification 'GET /users/sign_in HTTP/1.1' from 172.17.0.7 port 49514

HAProxy output:

00000008:port_80.accept(0008)=0009 from [184.11.129.10:60554] 
00000009:port_443.accept(0007)=000a from [184.11.129.10:59956] 
00000009:port_443.clireq[000a:ffffffff]: GET / HTTP/1.1
00000009:port_443.clihdr[000a:ffffffff]: Host: gitlab.example.com 
00000009:port_443.clihdr[000a:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
00000009:port_443.clihdr[000a:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000009:port_443.clihdr[000a:ffffffff]: Accept-Language: en-US,en;q=0.5 
00000009:port_443.clihdr[000a:ffffffff]: Accept-Encoding: gzip, deflate, br 
00000009:port_443.clihdr[000a:ffffffff]: Cookie: _gitlab_session=c68e65e7d79ef8af9c4aef14e29bed7a 
00000009:port_443.clihdr[000a:ffffffff]: Connection: keep-alive 
00000009:port_443.clihdr[000a:ffffffff]: Upgrade-Insecure-Requests: 1 
00000009:SERVICE_GITLAB.srvrep[000a:000b]: HTTP/1.1 302 Found 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Server: nginx 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Date: Fri, 16 Sep 2016 00:15:12 GMT 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Type: text/html; charset=utf-8 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Length: 105 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Connection: keep-alive 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Cache-Control: no-cache 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Location: https://gitlab.example.com/users/sign_in 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Set-Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385; path=/; secure; HttpOnly 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Status: 302 Found 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Content-Type-Options: nosniff 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Frame-Options: SAMEORIGIN 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Request-Id: b97cbe2a-0147-4ccd-9cf1-c80542d35b0f 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Runtime: 0.278044 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Xss-Protection: 1; mode=block 
0000000a:port_443.clireq[000a:000b]: GET /users/sign_in HTTP/1.1 
0000000a:port_443.clihdr[000a:000b]: Host: gitlab.example.com 
0000000a:port_443.clihdr[000a:000b]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
0000000a:port_443.clihdr[000a:000b]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
0000000a:port_443.clihdr[000a:000b]: Accept-Language: en-US,en;q=0.5 
0000000a:port_443.clihdr[000a:000b]: Accept-Encoding: gzip, deflate, br 
0000000a:port_443.clihdr[000a:000b]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
0000000a:port_443.clihdr[000a:000b]: Connection: keep-alive 
0000000a:port_443.clihdr[000a:000b]: Upgrade-Insecure-Requests: 1 
0000000a:SERVICE_GITLAB.srvcls[000a:000b] 
0000000a:SERVICE_GITLAB.clicls[000a:000b] 
0000000a:SERVICE_GITLAB.closed[000a:000b] 
00000008:port_80.clicls[0009:ffffffff] 
00000008:port_80.closed[0009:ffffffff] 
0000000b:port_443.accept(0007)=000b from [184.11.129.10:59990] 
0000000c:port_443.accept(0007)=000a from [184.11.129.10:59994] 
0000000d:port_443.accept(0007)=0009 from [184.11.129.10:59992] 
0000000b:port_443.clireq[000b:ffffffff]: GET /users/sign_in HTTP/1.1 
0000000b:port_443.clihdr[000b:ffffffff]: Host: gitlab.example.com 
0000000b:port_443.clihdr[000b:ffffffff]: Connection: keep-alive 
0000000b:port_443.clihdr[000b:ffffffff]: Cache-Control: max-age=0 
0000000b:port_443.clihdr[000b:ffffffff]: Upgrade-Insecure-Requests: 1 
0000000b:port_443.clihdr[000b:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36 
0000000b:port_443.clihdr[000b:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
0000000b:port_443.clihdr[000b:ffffffff]: Accept-Encoding: gzip, deflate, sdch, br 
0000000b:port_443.clihdr[000b:ffffffff]: Accept-Language: en-US,en;q=0.8 
0000000b:port_443.clihdr[000b:ffffffff]: Cookie: _gitlab_session=efd1f2dca673f443a756b93743097228 
0000000b:port_443.clihdr[000b:ffffffff]: If-None-Match: W/"bc26f64dfe227748fcff77508b9b63c5" 
0000000b:SERVICE_GITLAB.srvrep[000b:000c]: HTTP/1.1 302 Found 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Server: nginx 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Date: Fri, 16 Sep 2016 00:15:20 GMT 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Content-Type: text/html; charset=utf-8 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Content-Length: 153 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Connection: keep-alive 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Cache-Control: no-cache 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Location: https://gitlab.example.com/users/password/edit?reset_password_token=BpNnrPG4mrQ3h85hqrgz 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Set-Cookie: _gitlab_session=0f9ecb6d6096e6809e151f5d8654394b; path=/; secure; HttpOnly 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Status: 302 Found 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Content-Type-Options: nosniff 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Frame-Options: SAMEORIGIN 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Request-Id: c67da4bd-5d84-46e5-bc1c-6b382991c27c 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Runtime: 0.672426 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Xss-Protection: 1; mode=block 
0000000e:port_443.clireq[000b:000c]: GET /users/password/edit?reset_password_token=BpNnrPG4mrQ3h85hqrgz HTTP/1.1 
0000000e:port_443.clihdr[000b:000c]: Host: gitlab.example.com 
0000000e:port_443.clihdr[000b:000c]: Connection: keep-alive 
0000000e:port_443.clihdr[000b:000c]: Cache-Control: max-age=0 
0000000e:port_443.clihdr[000b:000c]: Upgrade-Insecure-Requests: 1 
0000000e:port_443.clihdr[000b:000c]: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36 
0000000e:port_443.clihdr[000b:000c]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
0000000e:port_443.clihdr[000b:000c]: Accept-Encoding: gzip, deflate, sdch, br 
0000000e:port_443.clihdr[000b:000c]: Accept-Language: en-US,en;q=0.8 
0000000e:port_443.clihdr[000b:000c]: Cookie: _gitlab_session=0f9ecb6d6096e6809e151f5d8654394b 
0000000e:SERVICE_GITLAB.srvcls[000b:000c] 
00000017:port_443.clihdr[000a:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000017:port_443.clihdr[000a:ffffffff]: Accept-Language: en-US,en;q=0.5 
00000017:port_443.clihdr[000a:ffffffff]: Accept-Encoding: gzip, deflate, br 
00000017:port_443.clihdr[000a:ffffffff]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
00000017:port_443.clihdr[000a:ffffffff]: Connection: keep-alive 
00000017:port_443.clihdr[000a:ffffffff]: Upgrade-Insecure-Requests: 1 
00000017:SERVICE_GITLAB.srvrep[000a:000b]: HTTP/1.1 302 Found 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Server: nginx 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Date: Fri, 16 Sep 2016 00:24:09 GMT 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Type: text/html; charset=utf-8 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Length: 105 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Connection: keep-alive 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Cache-Control: no-cache 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Location: https://gitlab.example.com/users/sign_in 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Status: 302 Found 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Content-Type-Options: nosniff 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Frame-Options: SAMEORIGIN 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Request-Id: 43311710-97be-439b-87ea-a5bee9e7a6d3 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Runtime: 0.296297 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Xss-Protection: 1; mode=block 
00000018:port_443.clireq[000a:000b]: GET /users/sign_in HTTP/1.1 
00000018:port_443.clihdr[000a:000b]: Host: gitlab.example.com 
00000018:port_443.clihdr[000a:000b]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
00000018:port_443.clihdr[000a:000b]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000018:port_443.clihdr[000a:000b]: Accept-Language: en-US,en;q=0.5 
00000018:port_443.clihdr[000a:000b]: Accept-Encoding: gzip, deflate, br 
00000018:port_443.clihdr[000a:000b]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
00000018:port_443.clihdr[000a:000b]: Connection: keep-alive 
00000018:port_443.clihdr[000a:000b]: Upgrade-Insecure-Requests: 1 
00000018:SERVICE_GITLAB.srvcls[000a:000b] 
00000018:SERVICE_GITLAB.clicls[000a:000b] 
00000018:SERVICE_GITLAB.closed[000a:000b] 
00000016:port_80.clicls[0009:ffffffff] 
00000016:port_80.closed[0009:ffffffff] 

This is how I start the GitLab container (domain, IPs and other details changed):

docker run --detach \
--expose 80 --expose 22 \
--hostname gitlab.example.com \
--name gitlab \
--restart always \
--env VIRTUAL_HOST=https://gitlab.example.com,gitlab.example.com \
--env FORCE_SSL=yes \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

This is the Docker Compose file for HAProxy:

version: '2'
services:
    haProxy:
        image: dockercloud/haproxy
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - /srv/certs:/certs/
        external_links:
            - gitlab:gitlab
        ports:
            - 80:80
            - 443:443
            - 9090:9090
        environment:
            - STATS_AUTH="dummy:dummy"
            - STATS_PORT=9090
            - CERT_FOLDER=/certs/
            - FORCE_SSL=yes
            - EXTRA_GLOBAL_SETTINGS="debug"
        network_mode: "bridge"
networks:
    default:
        external:
            name: bridge

Thanks for any hints!

Thank you!

Answer

0

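Your GitLab container exposes port 80, so it is listening for HTTP traffic publicly, but you are also using FORCE_SSL, so I would not expect it to answer over HTTP.

To do SSL at the proxy layer, remove FORCE_SSL from GitLab so that it can run over HTTP, and make the connection from HAProxy to GitLab private, so that the only way to reach GitLab is through HAProxy.

If you put GitLab as a service in the same Docker Compose file as HAProxy, you do not need to publish port 80 from GitLab. With docker-compose up -d the containers run on the same Docker network, and the proxy container can reach GitLab by container name on the ports exposed in the image (you do not need to publish ports for containers in the same network to communicate).

Also, if GitLab is all you are running, you do not need HAProxy itself.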

+0

The FORCE_SSL environment variable is used by HAProxy. I do not think it affects GitLab itself. I run multiple services, but I do not want to put them all in one Docker Compose file. That is why I start the services independently. – nebukad
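
The sshd message in the question records an HTTP request line arriving on the container's SSH listener. The following is an added example, not part of the original thread: it correlates those sshd rejections with requests that HAProxy's debug output shows closing without a server reply. The sample lines are abridged from the logs in the question, and the function names are hypothetical.

```python
import re

# Sample lines abridged from the logs in the question (request-line spacing restored).
HAPROXY_DEBUG = """\
00000009:port_443.accept(0007)=000a from [184.11.129.10:59956]
00000009:port_443.clireq[000a:ffffffff]: GET / HTTP/1.1
00000009:SERVICE_GITLAB.srvrep[000a:000b]: HTTP/1.1 302 Found
00000018:port_443.clireq[000a:000b]: GET /users/sign_in HTTP/1.1
00000018:SERVICE_GITLAB.srvcls[000a:000b]
00000018:SERVICE_GITLAB.closed[000a:000b]
"""
SSHD_LOG = """\
2016-09-16_00:24:09.98430 Bad protocol version identification 'GET /users/sign_in HTTP/1.1' from 172.17.0.7 port 49514
"""

# <session id>:<proxy>.<event>[fd:fd]: <payload>
HAPROXY_LINE = re.compile(r"^([0-9a-f]{8}):([^.\s]+)\.(\w+)\[[^\]]*\](?:: (.*))?")
# sshd logs the first line it received when that line is not an SSH banner.
SSHD_HTTP = re.compile(
    r"Bad protocol version identification '([A-Z]+ \S+ HTTP/\d\.\d)' from (\S+) port \d+")


def unanswered_requests(haproxy_debug):
    """Request lines whose server side closed (srvcls) before any srvrep."""
    pending, dropped = {}, []
    for line in haproxy_debug.splitlines():
        m = HAPROXY_LINE.match(line.strip())
        if not m:
            continue  # accept lines and anything else without [fd:fd]
        sid, _proxy, event, payload = m.groups()
        if event == "clireq":
            pending[sid] = (payload or "").strip()
        elif event == "srvrep":
            pending.pop(sid, None)  # backend answered this request
        elif event == "srvcls" and sid in pending:
            dropped.append(pending.pop(sid))
    return dropped


def http_sent_to_sshd(sshd_log):
    """(request line, source IP) for each HTTP request sshd rejected."""
    return SSHD_HTTP.findall(sshd_log)


def misrouted(haproxy_debug, sshd_log):
    """sshd rejections that match a request HAProxy got no reply for."""
    dropped = set(unanswered_requests(haproxy_debug))
    return [(req, ip) for req, ip in http_sent_to_sshd(sshd_log) if req in dropped]
```

A match means the proxy is delivering HTTP to the port sshd listens on (22 in the `docker run` command above), so the list of backend ports the proxy routes to is the thing to check.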