Jaranguda

Belajar Mengajar

Menggunakan SSL di GitLab CE

Last Updated on By Leave a Comment

Disini saya menggunakan Omnibus untuk menginstall GitLab CE (Community Edition). File konfigurasi nginx disimpan di /var/opt/gitlab/nginx
Buat folder baru tempat menyimpan file SSL

mkdir /var/opt/gitlab/nginx/ssl

Self Signed SSL

Pindah ke folder ssl lalu generate SSL dengan perintah

openssl req -sha256 -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3560

Commercial SSL/SSL Berbayar

Bila menggunakan SSL berbayar, certificate dan key tinggal di copy paste ke file cert.pem dan key.pem.

Cara untuk menggunakan SSL berbayar maupun Self signed sama saja ;). Edit server block nginx /var/opt/gitlab/nginx/conf/gitlab-http.conf
tambahkan di baris paling bawah

server {
  ssl on;
  listen *:443;
  server_name git.fgg;
  ssl_certificate /var/opt/gitlab/nginx/ssl/cert.pem;
  ssl_certificate_key /var/opt/gitlab/nginx/ssl/key.pem;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;
 
  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 250m;
 
 
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/gitlab/nginx/gitlab_access.log;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;
 
  location / {
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri $uri/index.html $uri.html @gitlab;
  }
 
  location /uploads/ {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;
 
    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
 
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
    proxy_pass http://gitlab;
  }
 
  ## If a file, which is not found in the root folder is requested,
  ## then the proxy passes the request to the upsteam (gitlab unicorn).
  location @gitlab {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
      ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
 
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
    proxy_pass http://gitlab;
  }
 
  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }
  error_page 502 /502.html;
 
}

yang perlu di edit adalah bagian server_name dan letak file SSL anda.

Terakhir restart semua service gitlab

gitlab-ctl restart

Tulisan menarik lainnya

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *