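HTTPS-related operations

Applying for a free CA certificate

HTTPS configuration for nginx + Tomcat

Applying for an HTTPS certificate for GitLab

Redirecting nginx from HTTP to HTTPS

Applying for a free CA certificate

Steps

  • Submit the certificate application at Alibaba and wait for review
  • Download the dedicated validation file fileauth.txt
  • Create the .well-known/pki-validation subdirectory under the web root and place the file above in it
  • Wait for Alibaba's approval
  • After the application is approved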


  • Alibaba provides configuration instructions for different servers


References



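HTTPS configuration for nginx + Tomcat

Available options

Detailed steps

Configuring HTTPS in nginx

  • See Alibaba's help documentation

  • (1) Create a cert directory under the Nginx installation directory and copy all the downloaded files into it

    • GitLab's nginx is in /var/opt/gitlab/nginx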
    • cd /var/opt/gitlab/nginx/
    • mkdir cert
    • scp -P 1422 -r ./nginx_ca.zip [email protected]:/var/opt/gitlab/nginx/cert/
    • unzip nginx_ca.zip
    • rm nginx_ca.zip
  • (2) Create wk_nginx_https.conf in the /opt/wk/ directory

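server {
  # "listen ... ssl" enables TLS on this socket; it replaces the deprecated "ssl on;" directive
  listen 443 ssl;

  server_name wx.runzhichina.com;
  server_tokens off;

  root html;
  index index.html index.htm;
  # Certificate chain and private key unpacked into the cert directory in step (1)
  ssl_certificate   /var/opt/gitlab/nginx/cert/214664584670529.pem;
  ssl_certificate_key  /var/opt/gitlab/nginx/cert/214664584670529.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 where the nginx/OpenSSL build supports it
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;

  location / {
    # Pass the client address and original Host header to the backend on 127.0.0.1:20180
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   Host      $http_host;
    proxy_pass  http://127.0.0.1:20180;
  }
}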
  • (3) In the conf directory under the nginx installation directory, create a symlink to wk_nginx_https.conf and include it

    • cd /var/opt/gitlab/nginx/conf
    • ln -s /opt/wk/wk_nginx_https.conf ./
    • vim nginx.conf
# Append at the end of the file
include /var/opt/gitlab/nginx/conf/wk_nginx_https.conf;

Applying for an HTTPS certificate for GitLab

Apply for an HTTPS certificate at Alibaba Cloud


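First, determine GitLab's web root directory

Upload the Alibaba certificate to the server (see reference)

Configure gitlab-http.conf; 马宇航 can handle this.

Redirecting nginx from HTTP to HTTPS

Configuration documentation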

server {
  listen 80;
  server_name wx.runzhichina.com;
  server_tokens off;
  ## Don't show the nginx version number, a security best practice
  location / {
    return 301 https://wx.runzhichina.com$request_uri;

    # The lines below were used to serve the site over port 80
    # proxy_set_header   X-Real-IP $remote_addr;
    # proxy_set_header   Host      $http_host;
    # proxy_pass  http://127.0.0.1:20180;
  }
}
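
As an added example (not part of the original notes, and not an nginx tool), the following Python script audits server blocks like the two shown above for the settings they control: the deprecated `ssl on` directive, legacy versions in `ssl_protocols`, and a port-80 server that does not redirect to HTTPS. The sample config, the host name `example.test` and the function names are constructed for illustration.

```python
import re

# Constructed sample (hypothetical host), modelled on a legacy HTTPS setup.
SAMPLE = """
server {
  listen 443;
  server_name example.test;
  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / { proxy_pass http://127.0.0.1:20180; }
}
server {
  listen 80;
  server_name example.test;
  location / { proxy_pass http://127.0.0.1:20180; }
}
"""

def server_blocks(conf):
    """Yield each `server { ... }` body via brace matching (quoted braces unsupported)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return sorted (server_name, finding) pairs for weak TLS settings."""
    out = set()
    for body in server_blocks(conf):
        # Tokenise every directive in the block, nested locations included.
        stmts = [s.split() for s in re.split(r"[;{}]", body) if s.split()]
        def get(key):
            return [p[1:] for p in stmts if p[0] == key]
        name = (get("server_name") or [["?"]])[0][0]
        if ["on"] in get("ssl"):
            out.add((name, "deprecated `ssl on`; use `listen 443 ssl`"))
        protos = {p for args in get("ssl_protocols") for p in args}
        for weak in protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}:
            out.add((name, f"legacy protocol enabled: {weak}"))
        plain = any(a[0].split(":")[-1] == "80" for a in get("listen"))
        if plain and not re.search(r"\breturn\s+30[178]\s+https://", body):
            out.add((name, "port 80 serves content without redirecting to HTTPS"))
    return sorted(out)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real deployment, pass the contents of the included file (for example wk_nginx_https.conf) to `audit()` instead of `SAMPLE`.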

Reference documentation