2016-09-16
0

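GitLab behind HAProxy with SSL termination

I want to install GitLab behind HAProxy. I am using the official GitLab Docker container and the dockercloud/haproxy container. If I try to connect to GitLab from my browser, I get the following error in GitLab: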

==> /var/log/gitlab/sshd/current <== 
2016-09-16_00:24:09.98430 Bad protocol version identification 'GET /users/sign_in HTTP/1.1' from 172.17.0.7 port 49514

The HAProxy output (domains, IPs, etc. changed):

00000008:port_80.accept(0008)=0009 from [184.11.129.10:60554] 
00000009:port_443.accept(0007)=000a from [184.11.129.10:59956] 
00000009:port_443.clireq[000a:ffffffff]: GET / HTTP/1.1
00000009:port_443.clihdr[000a:ffffffff]: Host: gitlab.example.com 
00000009:port_443.clihdr[000a:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
00000009:port_443.clihdr[000a:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000009:port_443.clihdr[000a:ffffffff]: Accept-Language: en-US,en;q=0.5 
00000009:port_443.clihdr[000a:ffffffff]: Accept-Encoding: gzip, deflate, br 
00000009:port_443.clihdr[000a:ffffffff]: Cookie: _gitlab_session=c68e65e7d79ef8af9c4aef14e29bed7a 
00000009:port_443.clihdr[000a:ffffffff]: Connection: keep-alive 
00000009:port_443.clihdr[000a:ffffffff]: Upgrade-Insecure-Requests: 1 
00000009:SERVICE_GITLAB.srvrep[000a:000b]: HTTP/1.1 302 Found 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Server: nginx 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Date: Fri, 16 Sep 2016 00:15:12 GMT 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Type: text/html; charset=utf-8 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Length: 105 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Connection: keep-alive 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Cache-Control: no-cache 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Location: https://gitlab.example.com/users/sign_in 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Set-Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385; path=/; secure; HttpOnly 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: Status: 302 Found 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Content-Type-Options: nosniff 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Frame-Options: SAMEORIGIN 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Request-Id: b97cbe2a-0147-4ccd-9cf1-c80542d35b0f 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Runtime: 0.278044 
00000009:SERVICE_GITLAB.srvhdr[000a:000b]: X-Xss-Protection: 1; mode=block 
0000000a:port_443.clireq[000a:000b]: GET /users/sign_in HTTP/1.1 
0000000a:port_443.clihdr[000a:000b]: Host: gitlab.example.com 
0000000a:port_443.clihdr[000a:000b]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
0000000a:port_443.clihdr[000a:000b]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
0000000a:port_443.clihdr[000a:000b]: Accept-Language: en-US,en;q=0.5 
0000000a:port_443.clihdr[000a:000b]: Accept-Encoding: gzip, deflate, br 
0000000a:port_443.clihdr[000a:000b]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
0000000a:port_443.clihdr[000a:000b]: Connection: keep-alive 
0000000a:port_443.clihdr[000a:000b]: Upgrade-Insecure-Requests: 1 
0000000a:SERVICE_GITLAB.srvcls[000a:000b] 
0000000a:SERVICE_GITLAB.clicls[000a:000b] 
0000000a:SERVICE_GITLAB.closed[000a:000b] 
00000008:port_80.clicls[0009:ffffffff] 
00000008:port_80.closed[0009:ffffffff] 
0000000b:port_443.accept(0007)=000b from [184.11.129.10:59990] 
0000000c:port_443.accept(0007)=000a from [184.11.129.10:59994] 
0000000d:port_443.accept(0007)=0009 from [184.11.129.10:59992] 
0000000b:port_443.clireq[000b:ffffffff]: GET /users/sign_in HTTP/1.1 
0000000b:port_443.clihdr[000b:ffffffff]: Host: gitlab.example.com 
0000000b:port_443.clihdr[000b:ffffffff]: Connection: keep-alive 
0000000b:port_443.clihdr[000b:ffffffff]: Cache-Control: max-age=0 
0000000b:port_443.clihdr[000b:ffffffff]: Upgrade-Insecure-Requests: 1 
0000000b:port_443.clihdr[000b:ffffffff]: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36 
0000000b:port_443.clihdr[000b:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
0000000b:port_443.clihdr[000b:ffffffff]: Accept-Encoding: gzip, deflate, sdch, br 
0000000b:port_443.clihdr[000b:ffffffff]: Accept-Language: en-US,en;q=0.8 
0000000b:port_443.clihdr[000b:ffffffff]: Cookie: _gitlab_session=efd1f2dca673f443a756b93743097228 
0000000b:port_443.clihdr[000b:ffffffff]: If-None-Match: W/"bc26f64dfe227748fcff77508b9b63c5" 
0000000b:SERVICE_GITLAB.srvrep[000b:000c]: HTTP/1.1 302 Found 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Server: nginx 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Date: Fri, 16 Sep 2016 00:15:20 GMT 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Content-Type: text/html; charset=utf-8 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Content-Length: 153 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Connection: keep-alive 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Cache-Control: no-cache 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Location: https://gitlab.example.com/users/password/edit?reset_password_token=BpNnrPG4mrQ3h85hqrgz 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Set-Cookie: _gitlab_session=0f9ecb6d6096e6809e151f5d8654394b; path=/; secure; HttpOnly 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: Status: 302 Found 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Content-Type-Options: nosniff 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Frame-Options: SAMEORIGIN 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Request-Id: c67da4bd-5d84-46e5-bc1c-6b382991c27c 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Runtime: 0.672426 
0000000b:SERVICE_GITLAB.srvhdr[000b:000c]: X-Xss-Protection: 1; mode=block 
0000000e:port_443.clireq[000b:000c]: GET /users/password/edit?reset_password_token=BpNnrPG4mrQ3h85hqrgz HTTP/1.1 
0000000e:port_443.clihdr[000b:000c]: Host: gitlab.example.com 
0000000e:port_443.clihdr[000b:000c]: Connection: keep-alive 
0000000e:port_443.clihdr[000b:000c]: Cache-Control: max-age=0 
0000000e:port_443.clihdr[000b:000c]: Upgrade-Insecure-Requests: 1 
0000000e:port_443.clihdr[000b:000c]: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36 
0000000e:port_443.clihdr[000b:000c]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
0000000e:port_443.clihdr[000b:000c]: Accept-Encoding: gzip, deflate, sdch, br 
0000000e:port_443.clihdr[000b:000c]: Accept-Language: en-US,en;q=0.8 
0000000e:port_443.clihdr[000b:000c]: Cookie: _gitlab_session=0f9ecb6d6096e6809e151f5d8654394b 
0000000e:SERVICE_GITLAB.srvcls[000b:000c] 
00000017:port_443.clihdr[000a:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000017:port_443.clihdr[000a:ffffffff]: Accept-Language: en-US,en;q=0.5 
00000017:port_443.clihdr[000a:ffffffff]: Accept-Encoding: gzip, deflate, br 
00000017:port_443.clihdr[000a:ffffffff]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
00000017:port_443.clihdr[000a:ffffffff]: Connection: keep-alive 
00000017:port_443.clihdr[000a:ffffffff]: Upgrade-Insecure-Requests: 1 
00000017:SERVICE_GITLAB.srvrep[000a:000b]: HTTP/1.1 302 Found 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Server: nginx 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Date: Fri, 16 Sep 2016 00:24:09 GMT 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Type: text/html; charset=utf-8 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Content-Length: 105 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Connection: keep-alive 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Cache-Control: no-cache 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Location: https://gitlab.example.com/users/sign_in 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: Status: 302 Found 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Content-Type-Options: nosniff 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Frame-Options: SAMEORIGIN 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Request-Id: 43311710-97be-439b-87ea-a5bee9e7a6d3 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Runtime: 0.296297 
00000017:SERVICE_GITLAB.srvhdr[000a:000b]: X-Xss-Protection: 1; mode=block 
00000018:port_443.clireq[000a:000b]: GET /users/sign_in HTTP/1.1 
00000018:port_443.clihdr[000a:000b]: Host: gitlab.example.com 
00000018:port_443.clihdr[000a:000b]: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 
00000018:port_443.clihdr[000a:000b]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
00000018:port_443.clihdr[000a:000b]: Accept-Language: en-US,en;q=0.5 
00000018:port_443.clihdr[000a:000b]: Accept-Encoding: gzip, deflate, br 
00000018:port_443.clihdr[000a:000b]: Cookie: _gitlab_session=2b529bf6639da2b83406dcdf1312c385 
00000018:port_443.clihdr[000a:000b]: Connection: keep-alive 
00000018:port_443.clihdr[000a:000b]: Upgrade-Insecure-Requests: 1 
00000018:SERVICE_GITLAB.srvcls[000a:000b] 
00000018:SERVICE_GITLAB.clicls[000a:000b] 
00000018:SERVICE_GITLAB.closed[000a:000b] 
00000016:port_80.clicls[0009:ffffffff] 
00000016:port_80.closed[0009:ffffffff] 

This is how I start the GitLab container (domain and other details changed):

docker run --detach \ 
--expose 80 --expose 22 \ 
--hostname gitlab.example.com \
--name gitlab \ 
--restart always \ 
--env VIRTUAL_HOST=https://gitlab.example.com,gitlab.example.com \ 
--env FORCE_SSL=yes \ 
--volume /srv/gitlab/config:/etc/gitlab \ 
--volume /srv/gitlab/logs:/var/log/gitlab \ 
--volume /srv/gitlab/data:/var/opt/gitlab \ 
gitlab/gitlab-ce:latest 

This is the Docker Compose file for HAProxy:

version: '2'
services:
  haProxy:
    image: dockercloud/haproxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/certs:/certs/
    external_links:
      - gitlab:gitlab
    ports:
      - 80:80
      - 443:443
      - 9090:9090
    environment:
      - STATS_AUTH="dummy:dummy"
      - STATS_PORT=9090
      - CERT_FOLDER=/certs/
      - FORCE_SSL=yes
      - EXTRA_GLOBAL_SETTINGS="debug"
    network_mode: "bridge"
networks:
  default:
    external:
      name: bridge

Any hints are much appreciated!

Thank you!
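
The sshd error quoted in the question is what sshd logs when a client's first line is not an SSH banner; here the quoted text is an HTTP request line, so web traffic reached GitLab's SSH port. The following is an added example (not part of the original post) that scans sshd log lines for this pattern and counts them by source address and protocol; the function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import Counter

# sshd writes this when a client's first line is not an SSH banner ("SSH-2.0-...").
# The quoted part is what the client actually sent.
BAD_IDENT = re.compile(
    r"Bad protocol version identification '(?P<sent>.*)' "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
HTTP_REQUEST = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/\d(\.\d)?$"
)


def classify(sent):
    """Guess which protocol the client was speaking to the SSH port."""
    if HTTP_REQUEST.match(sent):
        return "http"
    # sshd escapes raw bytes as octal; 0x16 0x03 is the start of a TLS record.
    if sent.startswith("\\026\\003"):
        return "tls"
    return "other"


def misrouted_clients(lines):
    """Return {(source_ip, protocol): count} for non-SSH traffic seen by sshd."""
    hits = Counter()
    for line in lines:
        m = BAD_IDENT.search(line)
        if m:
            hits[(m.group("src"), classify(m.group("sent")))] += 1
    return dict(hits)


SAMPLE = [
    # The sshd line from the question.
    "2016-09-16_00:24:09.98430 Bad protocol version identification "
    "'GET /users/sign_in HTTP/1.1' from 172.17.0.7 port 49514",
    # Constructed lines for illustration.
    "2016-09-16_00:24:10.10000 Bad protocol version identification "
    "'GET / HTTP/1.1' from 172.17.0.7 port 49520",
    "2016-09-16_00:25:00.00000 Bad protocol version identification "
    "'\\026\\003\\001' from 172.17.0.7 port 49600",
    "2016-09-16_00:26:00.00000 Accepted publickey for git from 172.17.0.1 port 50000 ssh2",
]

if __name__ == "__main__":
    for (src, proto), n in sorted(misrouted_clients(SAMPLE).items()):
        print(f"{src} sent {proto} to the SSH port {n} time(s)")
```

A source address in Docker's default bridge range, as in the question's log line, suggests the traffic came from another container on the same host rather than from an outside client.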

Answer

0

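You're not really terminating SSL with HAProxy here - your GitLab container is publishing port 80, so it is publicly listening for HTTP traffic, but you're also using FORCE_SSL, so I don't think it will answer on HTTP.

To do SSL at the proxy layer, you can remove FORCE_SSL from GitLab so it runs on HTTP, and keep the connection between HAProxy and GitLab private, so the only way to reach GitLab is through HAProxy.

If you put GitLab as a service in the same Docker Compose file as HAProxy, then you don't need to publish port 80 from GitLab. When you use docker-compose up -d, the containers will run in the same Docker network, and the proxy container will be able to reach GitLab by container name on any port exposed in the image (you don't have to publish ports for containers in the same network to communicate).

Alternatively, if GitLab is all you're running, then you don't need HAProxy - you can itself.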

+0

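HAProxy uses the FORCE_SSL environment variable. I think it has no effect on GitLab itself. I have multiple services running, and I don't want them in a single Docker Compose file. That's why I start the services independently. – nebukad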