====== 33 Let's Encrypt リバースプロキシ(手動版)+ GitLab ======
[[06_virtualization:05_container:25_let_s_encrypt_proxy]] は便利なのだが、一点だけポート80を全開放しないといけない。
もし443だけを公開して80は公開したくない場合(80は403などを返したい場合)は、手動で行う。
===== リバースプロキシ用意 =====
ディレクトリは/appに置くと想定
==== 1.Nginxの設定ファイル用意 ====
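# Working directory for the proxy's compose project (the compose file below
# bind-mounts ./conf.d and ./vhost.d). -p makes this safe to re-run.
mkdir -p /app/conf.d /app/vhost.d
cd /app
# The 443 server block does `include /etc/nginx/vhost.d/default;` -- nginx
# refuses to start when that file is missing, so create an empty one now.
touch ./vhost.d/default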
※以下は、gitlab.fl8.jpをSSL化する場合を例に説明する。
# Plain-HTTP listener. Everything except the ACME challenge path is refused
# with 403, so only the TLS site is visible from outside.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Exception: during issuance/renewal Let's Encrypt fetches
    # /.well-known/acme-challenge/<token> over port 80. certbot --webroot
    # writes the token files under /var/www/html (mounted into this
    # container). Redirecting this path to 443 would also work.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else: refuse. Alternatives, if the plain-HTTP site should
    # instead be served for testing, or redirected to the TLS site:
    #   location / { root /var/www/html; index index.html index.htm; }
    #   location / { return 301 https://$host$request_uri; }
    location / {
        return 403;
    }
}
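# gitlab.fl8.jp -> container gitlab-web-1, reached over the proxy-tier
# network on plain HTTP. TLS is terminated here.
upstream gitlab.fl8.jp {
    server gitlab-web-1:80;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;   # match the IPv6 listener of the port-80 server
    http2 on;
    server_name gitlab.fl8.jp;
    access_log /var/log/nginx/access.log;

    # Git pushes and uploads can be large; raise if GitLab rejects big pushes.
    client_max_body_size 100m;

    # Certificates issued by certbot into /etc/letsencrypt (bind-mounted).
    ssl_certificate     /etc/letsencrypt/live/gitlab.fl8.jp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gitlab.fl8.jp/privkey.pem;
    # Explicit: no TLS 1.0/1.1 (this is also the default of current nginx).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    #ssl_dhparam /etc/nginx/certs/gitlab.fl8.jp.dhparam.pem;

    # OCSP stapling. ssl_trusted_certificate must hold the ISSUER chain used
    # to verify the stapled response, i.e. chain.pem; cert.pem is only the
    # leaf and makes ssl_stapling_verify fail. NOTE(review): Let's Encrypt
    # has announced the end of its OCSP service -- once certificates carry no
    # OCSP URL these three directives do nothing and can be removed.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/gitlab.fl8.jp/chain.pem;

    # This server only listens with TLS, so $https is always "on" and HSTS
    # can be sent unconditionally; "always" also adds it to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Per-vhost extra config. nginx refuses to start if the file is missing:
    # create it (empty is fine) with `touch /app/vhost.d/default` on the host.
    include /etc/nginx/vhost.d/default;

    location / {
        proxy_pass http://gitlab.fl8.jp;
        # GitLab is configured with external_url https://... but listens on
        # plain HTTP, so it must be told the original host and scheme;
        # otherwise it builds http:// redirects and clone URLs.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        # Leftover from the nginx-proxy template; nothing in this file reads
        # it, kept so an include referencing it still parses.
        set $upstream_keepalive false;
    }
}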
## Start of configuration add by letsencrypt container
## (reference only) This is the snippet the letsencrypt companion container
## injects into a server {} block. `location` is not valid here at the top
## level of a conf.d file -- nginx rejects the file if it is left outside a
## server {} block. In the manual setup it is not needed: the port-80 server
## above already serves /.well-known/acme-challenge/ from /var/www/html (the
## certbot webroot), whereas this snippet expects /usr/share/nginx/html.
location ^~ /.well-known/acme-challenge/ {
    # no auth on the challenge path, whatever the enclosing server sets
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container
==== 2.docker-compose.yml用意 ====
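---
# Reverse proxy + certbot. Run from /app on the host.
version: "3"
services:
  nginx:
    image: nginx
    restart: always
    # nginx loads the certificate files at startup: after a `certbot renew`
    # run `docker-compose exec nginx nginx -s reload` to pick up the new ones.
    volumes:
      # nginx only needs read access to all of these; mount them read-only so
      # the config and the private key cannot be modified from the container
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./vhost.d:/etc/nginx/vhost.d:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
      # certbot --webroot writes challenge files here; nginx serves them
      - /var/www/html:/var/www/html:ro
    ports:
      # quoted so "host:container" is always read as a string
      - "80:80"
      - "443:443"
    networks:
      - proxy-tier
    # default logging settings: rotate at 100 MB, keep 3 files
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "3"
  certbot:
    image: certbot/certbot
    # certbot needs write access here (certificates, challenge files)
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - /var/www/html:/var/www/html
    # harmless placeholder so `docker-compose up` does not start an
    # interactive certbot; real runs use `docker-compose run --rm certbot ...`
    command: ["--version"]
    # not required for --webroot (kept as in the original; it matters only
    # for certbot --standalone, which must bind port 80 itself)
    network_mode: host
networks:
  proxy-tier:
    name: proxy-tier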
==== 3.一回起動 ====
これでnginxのdocker imageをダウンロードして起動してくれる。
# Pulls the nginx and certbot images and starts the proxy (nginx on 80/443);
# the certbot service just prints its version and exits. The leading "#" on
# the next line is the root prompt, not a comment.
# docker-compose up -d
==== 4.証明書作成 ====
# One-time issuance in webroot mode: certbot drops the challenge token under
# /var/www/html, which the port-80 server serves at /.well-known/acme-challenge/.
# nginx must already be running for the validation request to succeed.
docker-compose run --rm certbot certonly --webroot -w /var/www/html -d gitlab.fl8.jp
=== 証明書更新 ===
# Renews every certificate that is due for renewal (no-op otherwise). nginx
# loads the certificate files at startup, so reload it afterwards:
#   docker-compose exec nginx nginx -s reload
docker-compose run --rm certbot renew
=== 証明書一覧確認 ===
# Lists the certificates certbot manages, with their domains and expiry dates.
docker-compose run --rm certbot certificates
==== 5.Cronでの証明書更新 ====
[[50_dialy:2024:08:31]]
===== GitLab SSLリバースプロキシ =====
このリバースプロキシ配下にGitLabを置いてみる
# GitLab gets its own compose project under /app/gitlab; it joins the
# proxy's network (proxy-tier, declared external in its compose file).
mkdir /app/gitlab
cd /app/gitlab
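version: '3.9'
services:
  web:
    restart: always
    #image: gitlab/gitlab-ee:latest
    image: gitlab/gitlab-ee:17.0.1-ee.0
    environment:
      # read by the automatic nginx-proxy setup (linked page); the manual
      # proxy above routes via its own upstream definition and ignores it
      VIRTUAL_HOST: gitlab.fl8.jp
      # was misspelled GITLAB_OMNINBUS_CONFIG, which GitLab silently ignores,
      # so none of the settings below were being applied
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.fl8.jp'
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        # TLS is terminated by the reverse proxy: listen on plain HTTP 80 and
        # tell the bundled nginx not to expect certificates for the https URL
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
    networks:
      - proxy-tier
    ports:
      # host port 22 -> GitLab's sshd. NOTE(review): this collides with the
      # host's own sshd unless that one has been moved to another port.
      - "22:22"
      # publishes GitLab over plain HTTP on every host interface, bypassing
      # the 403/TLS-only front door; the proxy does not need it (it reaches
      # port 80 over proxy-tier). Bind to "127.0.0.1:8080:80" or remove.
      - "8080:80"
    volumes:
      - ./data/gitlab/config:/etc/gitlab
      - ./data/gitlab/logs:/var/log/gitlab
      - ./data/gitlab/data:/var/opt/gitlab
    # default logging settings: rotate at 100 MB, keep 7 files
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "7"
networks:
  proxy-tier:
    external: true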
==== リバースプロキシで利用する場合 ====
GitLab自体はHTTPで動作しているので、クローンURLが「Clone with HTTP」になっている。
そこでカスタムURLを設定してあげる。
{{:06_virtualization:05_container:pasted:20241010-055800.png}}
==== GitLab設定変更 ====
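# gitlab.rb for the container (/etc/gitlab is bind-mounted from
# ./data/gitlab/config). Apply with `gitlab-ctl reconfigure`. Host names and
# addresses here are placeholders (hogehoge.com).

# Public URL. Behind the TLS-terminating reverse proxy this must be the
# https URL while the bundled nginx keeps listening on plain HTTP; with an
# http URL GitLab advertises http:// clone URLs (the "Clone with HTTP"
# symptom) and builds http:// redirects. NOTE(review): the same keys set via
# GITLAB_OMNIBUS_CONFIG appear to be evaluated after this file and take
# precedence -- confirm against the running container.
external_url 'https://git.hogehoge.com'
nginx['listen_port'] = 80
nginx['listen_https'] = false

# Outgoing mail: SMTP submission on 587 with STARTTLS, authenticated.
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "hogehoge.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "hogehoge@hoge.com"
# secret: keep the real value out of version control (inject at deploy time)
gitlab_rails['smtp_password'] = "xxxxxxxxxxxxxxxxxxxxxx"
gitlab_rails['smtp_domain'] = "hogehoge.com"
gitlab_rails['smtp_authentication'] = "login"
# STARTTLS upgrade on 587; smtp_tls (implicit TLS, port 465) stays off
gitlab_rails['smtp_enable_starttls_auto'] = true
#gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_pool'] = false
# verify the mail server's certificate against the system CA bundle
gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"

# Sender identity for notification mail.
gitlab_rails['gitlab_email_from'] = 'hogehoge@hoge.com'
gitlab_rails['gitlab_email_display_name'] = 'Hogehoge Gitlab admin'
gitlab_rails['gitlab_email_reply_to'] = 'hogehoge@hoge.com'
gitlab_rails['gitlab_email_subject_suffix'] = ''
gitlab_rails['gitlab_email_smime_enabled'] = false

# Puma (Rails app server) sizing.
puma['enable'] = true
puma['ha'] = false
puma['worker_timeout'] = 60
puma['worker_processes'] = 4
puma['min_threads'] = 4
puma['max_threads'] = 6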
==== 設定反映 ====
# Re-runs the omnibus configuration so edits to gitlab.rb take effect
# (services are restarted as needed).
docker-compose exec web gitlab-ctl reconfigure
==== メールテスト ====
# Opens a Rails console inside the container (takes a while to start).
docker-compose exec web gitlab-rails console
# Typed inside the console: sends a test mail through the configured SMTP
# settings (recipient, subject, body).
Notify.test_email('hogehoge@hogehoge.com', 'From GitLab', 'GitLab Test Mail').deliver_now
{{tag>日記 nginx proxy docker GitLab git}}