从Gitlab重定向时,Apache代理方案中的HTTPS方案丢失
我设法在我的服务器上安装了带有Apache前端的Gitlab。由于默认SSL端口已被占用,我添加了一个
# Extra listener for the GitLab vhost; the question states that the default SSL port is already in use.
Listen 444
到Apache端口和类似VirtualHost的
# GitLab front-end vhost from the question: TLS is terminated here on port 444 and
# requests are proxied over plain HTTP to the balancer member on 127.0.0.1:8081.
<VirtualHost *:444>
ServerSignature Off
SSLEngine on
# NOTE(review): legacy cipher string. It starts from ALL and names RC4 explicitly, and no
# SSLProtocol directive is visible in this vhost. What it finally enables depends on the
# OpenSSL build -- check the expanded list with `openssl ciphers -v '<string>'` before reuse.
SSLCipherSuite ALL:!ADH:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:-MEDIUM:!LOW:-SSLv2
SSLCertificateFile /etc/apache2/ssl/server.crt
# Private key of the certificate above; keep it readable by root only.
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# Proxy ([P]) every request whose path is not an existing regular file under DocumentRoot.
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
# Forward the client's Host header to the backend unchanged.
ProxyPreserveHost On
# `!` excludes these paths from ProxyPass mappings.
# NOTE(review): the proxying above is done by RewriteRule [P], not by a ProxyPass mapping --
# confirm that these two exclusions still have an effect.
ProxyPass /uploads !
ProxyPass /error !
<Proxy balancer://unicornservers>
BalancerMember http://127.0.0.1:8081
# NOTE(review): the backend is reached over http and, per the question, its redirects carry an
# http:// Location. A ProxyPassReverse keyed on the https:// URL presumably never matches
# those headers -- confirm. Nothing in this vhost tells the backend that the client
# connection was TLS (no X-Forwarded-Proto request header is set).
ProxyPassReverse https://my.server.de:444/
</Proxy>
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
<Location />
# Apache 2.2-style access control: every client is allowed.
Order deny,allow
Allow from all
</Location>
# NOTE(review): X-Forwarded-For is logged exactly as received in the request. If this vhost is the
# first hop facing clients, the value is client-controlled and must not be used for attribution.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/gitlab.error.log
CustomLog /var/log/apache2/gitlab.forwarded.log common_forwarded
# `dontlog` is not set anywhere in this vhost, so this condition excludes nothing here.
CustomLog /var/log/apache2/gitlab.access.log combined env=!dontlog
CustomLog /var/log/apache2/gitlab.log combined
</VirtualHost>
我得到了一个重定向到/users/sign_in(如预期的那样),但是HTTP响应头Location中使用的是“http”方案。我能成功地打开
https://my.server.de:444/users/sign_in
(手动输入地址),但在每次POST之后,重定向的Location又会丢失正确的方案。知道发生了什么吗?ProxyPassReverse不应该解决这个问题吗?这里有一个配置示例,它是在几天前更新的: 但这对我来说也不起作用,我还必须添加这一行:
# Tell the backend that the client connection was HTTPS. `set` replaces any X-Forwarded-Proto
# value sent by the client, so the backend only sees the value asserted here (needs mod_headers).
RequestHeader set X-Forwarded-Proto "https"
在配置中:
# TLS-terminating reverse proxy for GitLab: clients connect on port 8081 and requests are
# forwarded over plain HTTP to the backend on 127.0.0.1:8080.
<VirtualHost *:8081>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
# NOTE(review): in an OpenSSL cipher string, SSLv3 and TLSv1 select cipher suites, not protocol
# versions. No SSLProtocol directive is visible in this vhost, so the enabled protocol versions
# come from the server defaults. Check the expanded list with `openssl ciphers -v '<string>'`
# and set SSLProtocol explicitly before reusing this.
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateFile /etc/apache2/ssl/cert.pem
# Private key of the certificate above; keep it readable by root only.
SSLCertificateKeyFile /etc/apache2/ssl/cert.key
#SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName gitlab.xy
ServerSignature Off
# Forward the client's Host header to the backend unchanged.
ProxyPreserveHost On
# Tell the backend the client connection was HTTPS, so the redirects it builds use https.
# `set` replaces any X-Forwarded-Proto value supplied by the client.
RequestHeader set X-Forwarded-Proto "https"
<Location />
# Apache 2.2-style access control: every client is allowed.
Order deny,allow
Allow from all
# NOTE(review): this ProxyPass covers "/", so requests that the RewriteCond below skips (existing
# files) appear to be proxied as well -- confirm whether static files are really served from
# DocumentRoot.
ProxyPass http://127.0.0.1:8080
# Rewrites Location headers in backend responses that point at the backend URL.
ProxyPassReverse http://127.0.0.1:8080
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
# Proxy ([P]) every request whose path is not an existing regular file under DocumentRoot.
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# NOTE(review): X-Forwarded-For is logged exactly as received in the request. If this vhost is the
# first hop facing clients, the value is client-controlled and must not be used for attribution.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/logs/gitlab-ssl_error.log
CustomLog /var/log/apache2/logs/gitlab-ssl_forwarded.log common_forwarded
# `dontlog` is not set anywhere in this vhost, so this condition excludes nothing here.
CustomLog /var/log/apache2/logs/gitlab-ssl_access.log combined env=!dontlog
CustomLog /var/log/apache2/logs/gitlab-ssl.log combined
</VirtualHost>
斯伦金安
#仅强加密密码
#参见密码(1)http://www.openssl.org/docs/apps/ciphers.html
SSLCipherSuite SSLv3:TLSv1:+高:!SSLv2:!MD5:!中等:!低:!经验:!ADH:!埃努尔:!阿努尔
SSLCertificateFile/etc/apache2/ssl/cert.pem
SSLCertificateKeyFile/etc/apache2/ssl/cert.key
#SSLCACertificateFile/etc/httpd/ssl.crt/your-ca.crt
ServerName gitlab.xy
服务器签名关闭
代理主机
RequestHeader集合X-Forwarded-Proto“https”
命令拒绝,允许
通融
ProxyPasshttp://127.0.0.1:8080
ProxyPassReversehttp://127.0.0.1:8080
#相当于apache的nginx try文件
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
重新启动发动机
重写cond%{DOCUMENT\u ROOT}/%{REQUEST\u FILENAME}-F
重写规则。*http://127.0.0.1:8080%{REQUEST_URI}[P,QSA]
#需要下载附件
DocumentRoot/home/git/gitlab/public
#设置apache错误文档,如果后端出现故障(即503错误),则会弹出维护/部署页面。
错误文档404/404.html
错误文档422/422.html
ErrorDocument 500/500.html
ErrorDocument 503/deploy.html
日志格式“%{X-Forwarded-For}i%l%u%t\%r\”%>s%b”公共\u转发
ErrorLog/var/log/apache2/logs/gitlab-ssl_error.log
CustomLog/var/log/apache2/logs/gitlab-ssl_转发。log common_转发
CustomLog/var/log/apache2/logs/gitlab-ssl_access.log组合env=!唐特洛
CustomLog/var/log/apache2/logs/gitlab-ssl.log组合
这对我很有帮助,请注意ProxyPassReverse行。我的全部问题和解决方案在
Servername gitlab.my_domain.com
服务器管理我的_admin@my_domain.com
SSLCertificateFile/etc/apache2/ssl.crt/gitlab\u my\u domain.crt
SSLCertificateKeyFile/etc/apache2/ssl.crt/gitlab\u my\u domain\u private.key
SSLCACertificateFile/etc/apache2/ssl.crt/gitlab.ca-bundle
#####此处跳过了StackOverflow的所有其他Apache SSL设置####
代理主机
#针对apache 2.4及更高版本的新授权命令
# http://httpd.apache.org/docs/2.4/upgrading.html#access
要求所有授权
#对于相对URL根“主机:您的\u gitlab\u端口/相对\u根”
#ProxyPassReversehttp://127.0.0.1:8085/gitlab
#ProxyPassReversehttps://gitlab.my_domain.com/gitlab
#对于非相对URL根
ProxyPassReversehttp://127.0.0.1:8085
ProxyPassReversehttps://gitlab.my_domain.com/
#相当于apache的nginx try文件
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# https://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
重新启动发动机
重写cond%{DOCUMENT\u ROOT}/%{REQUEST\u FILENAME}-F
重写规则。*http://127.0.0.1:8080%{REQUEST_URI}[P,QSA]
RequestHeader集合X_转发_协议“https”
#需要下载附件
DocumentRoot/home/git/gitlab/public
#设置apache错误文档,如果后端出现故障(即503错误),则会弹出维护/部署页面。
错误文档404/404.html
错误文档422/422.html
ErrorDocument 500/500.html
ErrorDocument 503/deploy.html
日志格式“%{X-Forwarded-For}i%l%u%t\%r\”%>s%b”公共\u转发
ErrorLog/var/log/apache2/gitlab-ssl_error.log
CustomLog/var/log/apache2/gitlab-ssl_转发。log common_转发
CustomLog/var/log/apache2/gitlab-ssl_access.log组合env=!唐特洛
CustomLog/var/log/apache2/gitlab-ssl.log组合
谢谢。我将在周末试一试。我在理解这个代理配置时遇到的一个问题是,我没有真正理解ProxyPassReverse的含义。
ProxyPass 将请求从apache转发到GitLab。
ProxyPassReverse 指示apache接受(并返回)从GitLab获得的响应;更准确地说,它会改写后端响应中的 Location、Content-Location 和 URI 头,使重定向指向代理本身而不是后端地址。
# Reverse-proxy vhost for GitLab: TLS ends at Apache on port 8081; the backend on
# 127.0.0.1:8080 is reached over plain HTTP.
<VirtualHost *:8081>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
# NOTE(review): SSLv3 and TLSv1 in an OpenSSL cipher string pick cipher suites, not protocol
# versions, and this vhost shows no SSLProtocol directive. Expand the string with
# `openssl ciphers -v '<string>'` and pin SSLProtocol explicitly before copying this.
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateFile /etc/apache2/ssl/cert.pem
# Private key file; restrict read access to root.
SSLCertificateKeyFile /etc/apache2/ssl/cert.key
#SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName gitlab.xy
ServerSignature Off
# The backend receives the Host header the client sent.
ProxyPreserveHost On
# Marks the original request as HTTPS for the backend; `set` overwrites a client-sent
# X-Forwarded-Proto instead of appending to it.
RequestHeader set X-Forwarded-Proto "https"
<Location />
# Access control in Apache 2.2 syntax; no client is denied.
Order deny,allow
Allow from all
# NOTE(review): because this mapping covers "/", requests for existing files (which the
# RewriteCond below leaves alone) look like they are proxied too -- confirm.
ProxyPass http://127.0.0.1:8080
# Adjusts Location headers in backend responses that begin with the backend URL.
ProxyPassReverse http://127.0.0.1:8080
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
# Requests that do not name an existing regular file under DocumentRoot are proxied ([P]).
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# NOTE(review): the X-Forwarded-For value written here is whatever the request carried; on a
# client-facing hop it can be forged, so treat this log as untrusted for source attribution.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/logs/gitlab-ssl_error.log
CustomLog /var/log/apache2/logs/gitlab-ssl_forwarded.log common_forwarded
# No directive in this vhost sets `dontlog`, so nothing is filtered from this log here.
CustomLog /var/log/apache2/logs/gitlab-ssl_access.log combined env=!dontlog
CustomLog /var/log/apache2/logs/gitlab-ssl.log combined
</VirtualHost>
# GitLab reverse-proxy vhost on port 443, defined only when mod_ssl is loaded.
# The author omitted the remaining SSL directives (see the "skipped" marker below).
<IfModule mod_ssl.c>
<VirtualHost *:443>
Servername gitlab.my_domain.com
ServerAdmin my_admin@my_domain.com
SSLCertificateFile /etc/apache2/ssl.crt/gitlab_my_domain.crt
# NOTE(review): the private key sits in the same directory as the certificates; make sure the
# key file itself is readable by root only.
SSLCertificateKeyFile /etc/apache2/ssl.crt/gitlab_my_domain_private.key
SSLCACertificateFile /etc/apache2/ssl.crt/gitlab.ca-bundle
##### All the other Apache SSL setup skipped here for StackOverflow ####
# Forward the client's Host header to the backend unchanged.
ProxyPreserveHost On
# This <Location> holds only access control and ProxyPassReverse; the proxying itself is done
# by the RewriteRule [P] further down.
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
# For relative URL root "host:your_gitlab_port/relative_root"
#ProxyPassReverse http://127.0.0.1:8085/gitlab
#ProxyPassReverse https://gitlab.my_domain.com/gitlab
# For non-relative URL root
# NOTE(review): ProxyPassReverse names port 8085 while the RewriteRule below proxies to 8080 --
# confirm which port the backend listens on. A prefix that does not match the URLs the backend
# emits will not rewrite its redirects.
ProxyPassReverse http://127.0.0.1:8085
ProxyPassReverse https://gitlab.my_domain.com/
</Location>
# apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# https://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
# Proxy ([P]) every request whose path is not an existing regular file under DocumentRoot.
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# NOTE(review): the header name is written with underscores, unlike the X-Forwarded-Proto form
# used elsewhere on this page. `set` only replaces a header of exactly this name, so a
# client-sent X-Forwarded-Proto is still passed through -- confirm which name the backend reads.
RequestHeader set X_FORWARDED_PROTO 'https'
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# NOTE(review): X-Forwarded-For is logged exactly as received in the request. If this vhost is the
# first hop facing clients, the value is client-controlled and must not be used for attribution.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/gitlab-ssl_error.log
CustomLog /var/log/apache2/gitlab-ssl_forwarded.log common_forwarded
# `dontlog` is not set anywhere in this vhost, so this condition excludes nothing here.
CustomLog /var/log/apache2/gitlab-ssl_access.log combined env=!dontlog
CustomLog /var/log/apache2/gitlab-ssl.log combined
</VirtualHost>
</IfModule>