Below, we install and configure the Nextcloud server on Debian 12.

Creating the website, configuring SSL and creating the database in HestiaCP are not repeated here. If this is the first tutorial of the HestiaCP series you have seen, search the site (search box at the top) for the keyword HestiaCP to find the complete series.

Nginx template

To use a custom nginx configuration in HestiaCP, a template is indispensable.

Below are the templates I made by modifying the officially recommended nginx configuration. Note that the upstream gitlab-workhorse block is defined only in gitlab.stpl, so the site must have SSL enabled in HestiaCP (so that both the HTTP and HTTPS templates are generated) for the proxy_pass in gitlab.tql to resolve.

gitlab.tql

## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CONTRIBUTING          ##
##################################
##
## If you change this file in a merge request, please also create
## a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
##         configuration         ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.



map $http_upgrade $connection_upgrade_gitlab {
    default upgrade;
    ''      close;
}

## NGINX 'combined' log format with filtered query strings
log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_filtered_http_referer" "$http_user_agent"';

## Remove private_token from the request URI
# In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
map $request_uri $gitlab_temp_request_uri_1 {
  default $request_uri;
  ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove authenticity_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
map $gitlab_temp_request_uri_1 $gitlab_temp_request_uri_2 {
  default $gitlab_temp_request_uri_1;
  ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove feed_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=[FILTERED]&...
map $gitlab_temp_request_uri_2 $gitlab_filtered_request_uri {
  default $gitlab_temp_request_uri_2;
  ~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## A version of the referer without the query string
map $http_referer $gitlab_filtered_http_referer {
  default $http_referer;
  ~^(?<temp>.*)\? $temp;
}

## Normal HTTP host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen %ip%:%proxy_port%;
  server_name %domain_idn% %alias_idn%; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## See app/controllers/application_controller.rb for headers set

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/nginx/gitlab_error.log;
  include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          $connection_upgrade_gitlab;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    # Location to the GitLab's public directory,
    # for Omnibus this would be: /opt/gitlab/embedded/service/gitlab-rails/public.
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }
  include %home%/%user%/conf/web/%domain%/nginx.conf_*;

}

gitlab.stpl

## GitLab
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CONTRIBUTING          ##
##################################
##
## If you change this file in a merge request, please also create
## a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
##         configuration         ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.

upstream gitlab-workhorse {
  # GitLab socket file,
  # for Omnibus this would be: unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

map $http_upgrade $connection_upgrade_gitlab_ssl {
    default upgrade;
    ''      close;
}


## NGINX 'combined' log format with filtered query strings
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';

## Remove private_token from the request URI
# In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
map $request_uri $gitlab_ssl_temp_request_uri_1 {
  default $request_uri;
  ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove authenticity_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
  default $gitlab_ssl_temp_request_uri_1;
  ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## Remove feed_token from the request URI
# In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&feed_token=[FILTERED]&...
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
  default $gitlab_ssl_temp_request_uri_2;
  ~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

## A version of the referer without the query string
map $http_referer $gitlab_ssl_filtered_http_referer {
  default $http_referer;
  ~^(?<temp>.*)\? $temp;
}


## HTTPS host
server {
  listen %ip%:%proxy_ssl_port% ssl;
  server_name %domain_idn% %alias_idn%; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate     %ssl_pem%;
  ssl_certificate_key %ssl_key%;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:20m;
  ssl_session_tickets off;

  # These settings are in line with the modern settings from https://ssl-config.mozilla.org/
  # and are supported by all still-supported browsers since 2019. If you have specific needs
  # for older settings, please consult the intermediate settings there.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  ## See app/controllers/application_controller.rb for headers set

  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 5s;

  ## [Optional] Enable HTTP Strict Transport Security
  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log gitlab_ssl_access;
  error_log   /var/log/nginx/gitlab_error.log;
  include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          $connection_upgrade_gitlab_ssl;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    # Location to the GitLab's public directory,
    # for Omnibus this would be: /opt/gitlab/embedded/service/gitlab-rails/public
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }
  include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;

}
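The three map blocks in each template redact private_token, authenticity_token and feed_token from the URI that reaches the gitlab_access log, and the referer map strips the query string. As an added example (not part of the original post or of GitLab's own templates), the following Python reimplements those map rules so you can check offline what the access log would record for given requests; the regexes are the ones from the templates, with nginx's PCRE (?<name>...) groups written in Python's (?P<name>...) form and (?i) expressed as re.IGNORECASE.

```python
import re

# Parameter names covered by the three chained maps in the template.
TOKEN_PARAMS = ("private", "authenticity", "feed")

def _token_re(name: str) -> re.Pattern:
    # Same pattern as the nginx map entry. The greedy "start" group means the
    # LAST occurrence of a parameter is the one rewritten, as in nginx's PCRE match.
    return re.compile(
        r"^(?P<start>.*)(?P<temp>[\?&]" + name + r"[\-_]token)=[^&]*(?P<rest>.*)$",
        re.IGNORECASE,
    )

TOKEN_RES = [_token_re(n) for n in TOKEN_PARAMS]
REFERER_RE = re.compile(r"^(?P<temp>.*)\?")   # map $http_referer ... ~^(?<temp>.*)\? $temp

def filter_request_uri(request_uri: str) -> str:
    """Apply the chain $request_uri -> temp_1 -> temp_2 -> $gitlab_filtered_request_uri."""
    uri = request_uri
    for pattern in TOKEN_RES:
        m = pattern.match(uri)
        if m:  # nginx map: a regex hit yields the rewritten value, otherwise "default" passes through
            uri = f"{m.group('start')}{m.group('temp')}=[FILTERED]{m.group('rest')}"
    return uri

def filter_referer(referer: str) -> str:
    """Referer map: keep everything before the last '?' when one is present."""
    m = REFERER_RE.match(referer)
    return m.group("temp") if m else referer

def access_log_line(remote_addr: str, request_uri: str, referer: str, status: int = 200) -> str:
    """Render a request roughly as the gitlab_access log_format would record it."""
    return (f'{remote_addr} - - [time] "GET {filter_request_uri(request_uri)} HTTP/1.1" '
            f'{status} 0 "{filter_referer(referer)}" "ua"')

if __name__ == "__main__":
    # Constructed sample requests, not captured from a real server.
    samples = [
        "/api/v4/projects?private_token=glpat-xxxx&per_page=20",   # redacted
        "/-/profile?authenticity_token=tok1&PRIVATE-TOKEN=tok2",   # case/hyphen variants redacted
        "/x?private_token=a&private_token=b",                      # only the last occurrence redacted
        "/dashboard?access_token=not_covered",                     # no map matches: logged verbatim
    ]
    for s in samples:
        print(access_log_line("203.0.113.5", s, "https://gitlab.example.com/a?feed_token=zzz"))
```

The last two samples show the limits of the maps as written: a repeated parameter is only redacted once, and parameter names outside the three listed are not touched, so extend the map chain if your instance logs other secret-bearing query parameters.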

Installing GitLab

1. Install and configure the necessary dependencies

sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates perl

Next, install Postfix (or Sendmail) to send notification e-mails. If you want to send e-mail with another solution, skip this step and configure an external SMTP server after installing GitLab.

sudo apt-get install -y postfix

During the Postfix installation a configuration screen may appear. Select "Internet Site" and press Enter. Use your server's external DNS name as the "mail name" and press Enter. If further screens appear, keep pressing Enter to accept the defaults.

2. Add the GitLab package repository and install the package

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

Next, install the GitLab package. Make sure DNS is set up correctly, and change https://gitlab.example.com to the URL at which you want to access your GitLab instance. The installation will automatically configure and start GitLab at that URL.

For https:// URLs, GitLab will automatically request a certificate from Let's Encrypt, which requires inbound HTTP access and a valid hostname. You can also use your own certificate, or simply use http:// (without the s).

If you want to set a custom password for the initial administrator user (root), consult the documentation. If no password is specified, a random one is generated automatically.

sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
# List available versions: apt-cache madison gitlab-ee
# Specify version: sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee=16.2.3-ee.0
# Pin the version to limit auto-updates: sudo apt-mark hold gitlab-ee
# Show what packages are held back: sudo apt-mark showhold

Here is an example installation:

apt-get install gitlab-ee

3. Find the default password and log in

Unless you supplied a custom password during installation, a random password is generated and stored in /etc/gitlab/initial_root_password for 24 hours. Log in with this password and the username root.

See the documentation for detailed instructions on installation configuration.

4. Recommended next steps

After completing the installation, refer to the recommended next steps, including authentication options and sign-up restrictions.

Using an external NGINX

1. Disable the bundled NGINX:

In /etc/gitlab/gitlab.rb, set:

nginx['enable'] = false

2. Set the username of the external web server user:

Linux package installations have no default for the external web server user. You must specify it in the configuration. For example:

  • Debian/Ubuntu: the default user www-data works for both Apache and NGINX.
  • RHEL/CentOS: the NGINX user is nginx.

Install Apache or NGINX before continuing so that the web server user exists. Otherwise the Linux package installation fails during reconfigure.

Assuming the web server user is www-data, set the following in /etc/gitlab/gitlab.rb:

web_server['external_users'] = ['www-data']

This setting is an array, so you can specify several users to be added to the gitlab-www group.

In HestiaCP, also add the HestiaCP user you created for the site to web_server['external_users'], since the site's nginx worker needs access to the gitlab-workhorse socket.

Run sudo gitlab-ctl reconfigure for the change to take effect.

3. Configure the correct nginx template:

Use the templates provided at the beginning of this article. Then select the newly added template for the site in HestiaCP, save and apply.

Other configuration

Configuring a Linux package installation | GitLab (GitLab product documentation)

Refer to the official documentation there and configure the rest as needed.

Tags:

News, Tutorials, HestiaCP

Last updated: October 17, 2024