Disini saya menggunakan Omnibus untuk menginstall GitLab CE (Community Edition). File konfigurasi nginx disimpan di /var/opt/gitlab/nginx
Buat folder baru tempat menyimpan file SSL
mkdir /var/opt/gitlab/nginx/ssl
Self Signed SSL
Pindah ke folder ssl lalu generate SSL dengan perintah
openssl req -sha256 -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3560
Commercial SSL/SSL Berbayar
Bila menggunakan SSL berbayar, certificate dan key tinggal di copy paste ke file cert.pem dan key.pem.
Cara untuk menggunakan SSL berbayar maupun Self signed sama saja ;). Edit server block nginx /var/opt/gitlab/nginx/conf/gitlab-http.conf
tambahkan di baris paling bawah
server { ssl on; listen *:443; server_name git.fgg; ssl_certificate /var/opt/gitlab/nginx/ssl/cert.pem; ssl_certificate_key /var/opt/gitlab/nginx/ssl/key.pem; server_tokens off; ## Don't show the nginx version number, a security best practice root /opt/gitlab/embedded/service/gitlab-rails/public; ## Increase this if you want to upload large attachments ## Or if you want to accept large git objects over http client_max_body_size 250m; ## Individual nginx logs for this GitLab vhost access_log /var/log/gitlab/nginx/gitlab_access.log; error_log /var/log/gitlab/nginx/gitlab_error.log; location / { ## Serve static files from defined root folder. ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @gitlab; } location /uploads/ { ## If you use HTTPS make sure you disable gzip compression ## to be safe against BREACH attack. gzip off; ## https://github.com/gitlabhq/gitlabhq/issues/694 ## Some requests take more than 30 seconds. proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } ## If a file, which is not found in the root folder is requested, ## then the proxy passes the request to the upsteam (gitlab unicorn). location @gitlab { ## If you use HTTPS make sure you disable gzip compression ## to be safe against BREACH attack. ## https://github.com/gitlabhq/gitlabhq/issues/694 ## Some requests take more than 30 seconds. proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://gitlab; } ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## WARNING: If you are using relative urls remove the block below ## See config/application.rb under "Relative url support" for the list of ## other files that need to be changed for relative url support location ~ ^/(assets)/ { root /opt/gitlab/embedded/service/gitlab-rails/public; gzip_static on; # to serve pre-gzipped version expires max; add_header Cache-Control public; } error_page 502 /502.html; }
yang perlu di edit adalah bagian server_name dan letak file SSL anda.
Terakhir restart semua service gitlab
gitlab-ctl restart
Leave a Reply