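In this tutorial, we cover how to install GitLab on HestiaCP using Docker. Unlike the traditional Linux installation, the Docker installation is simpler and avoids complex dependency issues, which suits users who want to get GitLab running quickly.

If you have already read my earlier tutorial on installing the Linux version of GitLab, you can skip the environment setup and follow the Docker steps directly to complete the deployment.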

HestiaCP GitLab Installation Tutorial

Next, we explain in detail how to install GitLab with Docker in HestiaCP.

Install the Docker environment

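HestiaCP + Portainer: Easily Manage All Your Docker Applications

Install Docker

Install using the apt repository

Before you install Docker Engine for the first time on a new host, you need to set up the Docker apt repository. Afterward, you can install and update Docker from the repository.

Set up Docker's apt repository.

# Add Docker's GPG public key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/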

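Configure Docker Compose

Creating the website, configuring SSL, and creating the database in HestiaCP are not repeated here. If this is your first time reading the HestiaCP tutorial series, click the link below to see the complete series.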

HestiaCP - HOSTEYE

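If you plan to use HestiaCP's backup and restore feature, you can place the Docker Compose file and the persistent storage under the website directory. We demonstrate that approach below.

Create a docker-compose.yml file in the /home/user/web/domain/public_html/ directory, with content like the following: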

services:
  gitlab:
    image: gitlab/gitlab-ee:latest
    container_name: gitlab
    restart: always
    hostname: 'xxx.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://xxx.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
        nginx['enable'] = false
        web_server['external_users'] = ['www-data']
        gitlab_rails['trusted_proxies'] = [ '172.17.0.1' ]
        gitlab_workhorse['listen_network'] = "tcp"
        gitlab_workhorse['listen_addr'] = "0.0.0.0:5678"
    ports:
      - '5678:5678'
      - '2424:22'
    volumes:
      - '/home/user/web/domain/public_html/config:/etc/gitlab'
      - '/home/user/web/domain/public_html/logs:/var/log/gitlab'
      - '/home/user/web/domain/public_html/data:/var/opt/gitlab'
    shm_size: '256m'
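
  1. SSH configuration
    • gitlab_rails['gitlab_shell_ssh_port'] = 2424. Changes the SSH port inside the GitLab container. By default, GitLab uses port 22 for SSH connections, but in a container environment this can conflict with the SSH service on the host. The GitLab SSH port is therefore changed to 2424 (or another port) to avoid a conflict with the host's port 22.

  2. Nginx configuration
    • nginx['enable'] = false. Disables GitLab's bundled Nginx server. GitLab ships with a built-in Nginx server, but in many production environments users prefer an external Nginx for reverse proxying and traffic control.
    • web_server['external_users'] = ['www-data']. Specifies the user that the external web server runs as.
    • gitlab_rails['trusted_proxies'] = ['172.17.0.1']. Specifies the proxy IP addresses that GitLab trusts. Because GitLab runs in a Docker container, the external Nginx may reach GitLab through the Docker bridge (such as 172.17.0.1). This setting ensures that GitLab accepts requests from that IP instead of wrongly treating them as unauthorized, so that request headers forwarded by the proxy (such as X-Forwarded-For) are handled correctly.
  3. gitlab_workhorse['listen_addr'] = "0.0.0.0:5678". Sets the IP address and port that GitLab Workhorse listens on.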
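
The compose file above publishes Workhorse as '5678:5678', which Docker binds on every host interface, while the nginx templates below only ever reach it at 127.0.0.1:5678. As an added example (not part of the original tutorial), this shell check classifies short-syntax ports entries; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# audit_ports FILE: classify each short-syntax entry under a "ports:" key as
# EXPOSED (host side binds every interface) or LOOPBACK (127.x.x.x or [::1]).
audit_ports() {
  tr -d "\"'" < "$1" | awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-[ \t]*/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m)     # drop the list dash
      gsub(/[ \t]/, "", m)              # drop stray whitespace
      sub(/\/(tcp|udp)$/, "", m)        # drop an optional protocol suffix
      ip = ""                           # no host IP means all interfaces
      if (m ~ /^\[/) ip = substr(m, 1, index(m, "]"))
      else if (split(m, part, ":") == 3) ip = part[1]
      print ((ip ~ /^127\./ || ip == "[::1]") ? "LOOPBACK" : "EXPOSED"), m
      next
    }
    { in_ports = 0 }                    # any other line ends the ports list
  '
}

# exposed_count FILE: number of mappings reachable from outside the host.
exposed_count() { audit_ports "$1" | grep -c '^EXPOSED' || true; }

# Constructed sample 1: the ports section as written in the tutorial.
as_written=$(mktemp)
cat > "$as_written" <<'EOF'
services:
  gitlab:
    ports:
      - '5678:5678'
      - '2424:22'
    shm_size: '256m'
EOF
# Constructed sample 2: Workhorse pinned to loopback, SSH left reachable.
pinned=$(mktemp)
cat > "$pinned" <<'EOF'
services:
  gitlab:
    ports:
      - '127.0.0.1:5678:5678'
      - '2424:22'
EOF
trap 'rm -f "$as_written" "$pinned"' EXIT
audit_ports "$as_written"
audit_ports "$pinned"
```

With the loopback form, plain-HTTP Workhorse is reachable only through the external Nginx, and the 2424 mapping stays public for Git over SSH.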

Configure the external Nginx reverse proxy

To customize the nginx configuration in HestiaCP, a template is essential.

gitlab-docker.tpl



## Normal HTTP host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen %ip%:%proxy_port%;
  server_name %domain_idn% %alias_idn%; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## See app/controllers/application_controller.rb for headers set

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
  include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          "upgrade";

    proxy_pass http://127.0.0.1:5678;
  }

 
  include %home%/%user%/conf/web/%domain%/nginx.conf_*;

}

gitlab-docker.stpl



## HTTPS host
server {
  listen %ip%:%proxy_ssl_port% ssl;
  server_name %domain_idn% %alias_idn%; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate     %ssl_pem%;
  ssl_certificate_key %ssl_key%;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:20m;
  ssl_session_tickets off;

  # These settings are in line with the modern settings from https://ssl-config.mozilla.org/
  # and are supported by all still-supported browsers since 2019. If you have specific needs
  # for older settings, please consult the intermediate settings there.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  ## See app/controllers/application_controller.rb for headers set

  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 5s;

  ## [Optional] Enable HTTP Strict Transport Security
  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
  include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          "upgrade";
    proxy_pass http://127.0.0.1:5678;
  }

 
  include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;

}

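Other

Find the default password and log in

Unless you provided a custom password during installation, a password is randomly generated and stored in /etc/gitlab/initial_root_password for 24 hours. Use this password with the username root to log in.

See our documentation for detailed instructions on installing and configuring.

Tags:

Tutorial, HestiaCP, Docker

Last updated: December 07, 2024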