问题:如何在gitlab服务器上新建网站

如果服务器资源不充裕的情况下,我们不能让一个gitlab 独自霸占服务器,那么就需要给gitlab动刀子了。

当我试图在gitlab服务自带的nginx上创建一个站点时,想当然地创建了一个.conf文件再包含进去,但是当我运行 gitlab-ctl reconfigure 后发现现实并不是那么如意:nginx的所有配置文件全都被恢复成默认了,所以这条路不通。

但是如果直接启动本机自带的nginx呢?不用试都会知道两个nginx共用同一个80端口会有冲突,根本启动不了。网上虽然有把gitlab的nginx改个名字的做法,但是非常不靠谱,而且根本行不通。

那么只能把gitlab自带的nginx废弃掉,用自建的nginx扩展性才会更好。

更改Gitlab使用的nginx

1. 禁用gitlab的nginx启动

vim /etc/gitlab/gitlab.rb

更改配置:

nginx['enable'] = false

2. 更改自建nginx.conf配置

因为gitlab里的nginx有自定义的参数配置,所以大部分都最好继续沿用
以下为我的nginx.conf配置,没有把gitlab的/opt/gitlab/embedded/conf/nginx.conf 完全拿来用,因为发现有的项会导致自建nginx卡在Starting nginx位置

  user gitlab-www gitlab-www;
# Workers run as gitlab-www, presumably the account the bundled GitLab nginx
# used, so the copied gitlab-http.conf can still reach the Workhorse unix
# socket (see the 2020-11-17 note below) — verify socket ownership/permissions.

# One worker per CPU core.
worker_processes auto;

# Only crit-level messages are written here; the copied vhost presumably keeps
# its own error_log (the 2020-11-17 entry quotes /var/log/gitlab/nginx/gitlab_error.log).
error_log /home/wwwlogs/nginx_error.log crit;

# Pid file under the self-built nginx prefix; the relative include paths used
# further down (enable-php.conf, vhost/*.conf) are presumably resolved against
# that same installation's conf directory — confirm against the nginx prefix.
pid /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

# Connection-handling settings for each worker.
events
{
# Linux event notification backend.
use epoll;
# Per-worker connection ceiling; kept equal to worker_rlimit_nofile above.
worker_connections 51200;
# Accept every pending connection at once instead of one per wake-up.
multi_accept on;
}

http
{
# Access-log formats used by the copied GitLab vhost. $filtered_request_uri and
# $filtered_http_referer are produced by the map blocks further down, which
# mask token values before they can reach the log.
log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent"';
log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent"';
# Relative cache path: presumably resolved under the self-built nginx prefix,
# not the bundled /opt/gitlab one — confirm the directory exists and is
# writable by the gitlab-www user.
proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
proxy_cache gitlab;
#include mime.types;
default_type application/octet-stream;
# MIME table borrowed from the bundled GitLab nginx.
include /opt/gitlab/embedded/conf/mime.types;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
# Upload ceiling for every server/location that does not override it.
client_max_body_size 50m;

sendfile on;
tcp_nopush on;

keepalive_timeout 60;

tcp_nodelay on;

# FastCGI tuning for the PHP sites served by the default server below.
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;

gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";

#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# Access logging is off globally; the gitlab_access format above only takes
# effect if a vhost turns logging back on with its own access_log directive.
access_log off;
# WebSocket helper: forwards "Connection: upgrade" only when the client sent an
# Upgrade header, otherwise closes the upstream connection.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# The three maps below are chained: each rewrites the previous map's output, so
# $filtered_request_uri ends up with all three token values replaced. Matching
# is case-insensitive ((?i)) and accepts both '-' and '_' in the parameter name.
# Remove private_token from the request URI
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# Remove authenticity_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $temp_request_uri_1 $temp_request_uri_2 {
default $temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# Remove rss_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $temp_request_uri_2 $filtered_request_uri {
default $temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# A version of the referer without the query string
map $http_referer $filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}

# Catch-all PHP vhost: answers every Host header that no vhost/*.conf server
# claims, so whatever sits in /home/wwwroot/default is reachable under any
# unmatched hostname pointing at this box.
server
{
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
server_name pm_yunsee.vuln.cn;
index index.html index.htm index.php;
root /home/wwwroot/default;

#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

# PHP handler, included relative to the self-built nginx conf directory.
include enable-php.conf;

# NOTE(review): no allow/deny here, so the stub_status page is readable by any
# client that reaches this default server; consider adding
# `allow 127.0.0.1; deny all;` inside this location.
location /nginx_status
{
stub_status on;
access_log off;
}

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

# The trailing '?' makes the extension optional, so this also matches URIs
# that end in a bare '.'.
location ~ .*\.(js|css)?$
{
expires 12h;
}

# Regex locations are tried in order of appearance, so this allow for
# ACME/.well-known paths must stay above the dotfile deny below. The dot in
# /.well-known is unescaped and therefore matches any single character.
location ~ /.well-known {
allow all;
}

# Refuse every path containing a dot-prefixed segment (.git, .env, .htaccess, ...).
location ~ /\.
{
deny all;
}

#access_log /home/wwwlogs/access.log;
}
# Extra log format declared at http level so the vhost files included below can
# reference it.
log_format access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for "$upstream_addr" "$upstream_response_time" $request_time $content_length';
# Per-site configs; the copied gitlab-http.conf lives here (see the note that
# follows this listing).
include vhost/*.conf;
# NOTE(review): still read from the GitLab-managed directory; confirm that
# gitlab-ctl reconfigure keeps generating this file with nginx['enable'] = false,
# otherwise nginx refuses to start on the missing include.
include /var/opt/gitlab/nginx/conf/nginx-status.conf;
}

再直接把/var/opt/gitlab/nginx/conf/gitlab-http.conf,完整复制到自建nginx的conf/vhost目录,无需修改。

至此就已经完成了移植,新增站点只需在vhost里添加配置文件。需要注意的是,复制过去的gitlab-http.conf以后不再由 gitlab-ctl reconfigure 维护,升级GitLab后要检查其中的路径是否仍然有效(见下面的更新)。

2020-11-17 更新

今天将gitlab 11 版本更新到13,出现了访问502:

Whoops, GitLab is taking too much time to respond.

日志中报错:

==> /var/log/gitlab/nginx/gitlab_error.log <==
2020/11/17 17:14:49 [crit] 1109#0: *1966 connect() to unix:/var/opt/gitlab/gitlab-workhorse/socket failed (2: No such file or directory) while connecting to upstream, client: 61.241.105.135, server: git.vuln.yunsee.cn, request: “GET /favicon.ico HTTP/1.1”, u

原因是自建nginx所代理的socket路径发生了变化:

原来绑定的upstream为:unix:/var/opt/gitlab/gitlab-workhorse/socket

现在新的路径为:unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket

自建nginx 中修改好后重启即可