GitLab not accessible with enabled firewall (OS: Ubuntu 16.04)
Description
I installed GitLab a few days ago and it seemed to work fine, but when I tried to connect today it showed a 502 error (loading takes too long).
!! As I said above, it works fine with the firewall disabled :)
Code:
gitlab-ctl tail
Output:
2017-09-04_09:18:29.94177 2017/09/04 11:18:29 error: GET "/": badgateway: failed after 30s: dial tcp [::1]:8081: getsockopt: connection refused
2017-09-04_09:18:29.94187 git.myurl.com @ - - [2017-09-04 11:17:59.940389308 +0200 CEST] "GET / HTTP/1.1" 502 2925 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" 30.001060
2017-09-04_09:18:30.27682 2017/09/04 11:18:30 Send static file "/opt/gitlab/embedded/service/gitlab-rails/public/favicon.ico" ("") for GET "/favicon.ico"
2017-09-04_09:18:30.27712 git.myurl.com @ - - [2017-09-04 11:18:30.276480568 +0200 CEST] "GET /favicon.ico HTTP/1.1" 200 5430 "https://git.myurl.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" 0.000454
Already tried
After some trial and research I found that it works fine with the firewall disabled, so I looked up the required ports and allowed them with
ufw allow "rule"
These are the ports I currently have open:
ufw status
Output:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
3306 ALLOW Anywhere
Dovecot IMAP ALLOW Anywhere
Postfix ALLOW Anywhere
Postfix SMTPS ALLOW Anywhere
Postfix Submission ALLOW Anywhere
Dovecot Secure IMAP ALLOW Anywhere
8080 ALLOW Anywhere
9987/udp ALLOW Anywhere
1194 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
1194/udp ALLOW Anywhere
8443 ALLOW Anywhere
122 ALLOW Anywhere
123/udp ALLOW Anywhere
161/udp ALLOW Anywhere
22 ALLOW Anywhere
8081 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
Dovecot IMAP (v6) ALLOW Anywhere (v6)
Postfix (v6) ALLOW Anywhere (v6)
Postfix SMTPS (v6) ALLOW Anywhere (v6)
Postfix Submission (v6) ALLOW Anywhere (v6)
Dovecot Secure IMAP (v6) ALLOW Anywhere (v6)
8080 (v6) ALLOW Anywhere (v6)
9987/udp (v6) ALLOW Anywhere (v6)
1194 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
1194/udp (v6) ALLOW Anywhere (v6)
8443 (v6) ALLOW Anywhere (v6)
122 (v6) ALLOW Anywhere (v6)
123/udp (v6) ALLOW Anywhere (v6)
161/udp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
8081 (v6) ALLOW Anywhere (v6)
I have tried a few things now, but I don't know why it doesn't work.
gitlab-ctl reconfigure
works fine (I've run it about 10 times by now).
I also rebooted the server several times (I can connect to GitLab every time, but only with ufw disabled).
gitlab-ctl status
Output:
run: gitaly: (pid 1385) 2506s; run: log: (pid 1383) 2506s
run: gitlab-monitor: (pid 1403) 2506s; run: log: (pid 1401) 2506s
run: gitlab-workhorse: (pid 1386) 2506s; run: log: (pid 1384) 2506s
run: logrotate: (pid 1400) 2506s; run: log: (pid 1399) 2506s
run: node-exporter: (pid 1409) 2506s; run: log: (pid 1408) 2506s
run: postgres-exporter: (pid 1410) 2506s; run: log: (pid 1402) 2506s
run: postgresql: (pid 1391) 2506s; run: log: (pid 1389) 2506s
run: prometheus: (pid 1407) 2506s; run: log: (pid 1406) 2506s
run: redis: (pid 1387) 2506s; run: log: (pid 1382) 2506s
run: redis-exporter: (pid 1405) 2506s; run: log: (pid 1404) 2506s
run: sidekiq: (pid 1396) 2506s; run: log: (pid 1395) 2506s
run: unicorn: (pid 1390) 2506s; run: log: (pid 1388) 2506s
My configuration
Code:
grep "^[^#;]" /etc/gitlab/gitlab.rb
Output:
external_url 'https://git.myurl.com'
unicorn['port'] = 8081
gitlab_git_http_server['auth_backend'] = "http://localhost:8081"
web_server['external_users'] = ['www-data']
nginx['enable'] = false
gitlab_rails['internal_api_url'] = 'https://git.myurl.com'
Strange behaviour of ufw
Possibly important, not sure
When I installed OpenVPN I had to add something to /etc/ufw/before.rules
Code:
less /etc/ufw/before.rules
Output (relevant part only):
# START OPENVPN RULES
# NAT table rule
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES
When I run
ufw reload
Output:
ERROR: problem running ufw-init
Bad argument `*nat'
Error occurred at line: 21
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Problem running '/etc/ufw/before.rules'
But when I run
ufw enable
after it, it starts working and the firewall is active afterwards
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Since this is the first question I've asked on Whosebug (yes, I know how to google and have never needed to start a thread myself ;)) I hope I have provided enough information (if not, just tell me) for someone to take the time to help me,
Thanks in advance,
Paul
Edit: It works when I comment out the OpenVPN rules in before.rules.
Commenting out the OpenVPN rules in before.rules solved the problem, but I'd like to know how to enable masquerading without breaking GitLab.
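A layout check for the file behind the "Bad argument `*nat'" error, as an added example written for this page (it is not part of Paul's post, nor code shipped with ufw). ufw loads /etc/ufw/before.rules with iptables-restore, which requires each "*table" block to be closed by its own "COMMIT" before the next "*table" line; a "*nat" block pasted into the middle of the existing "*filter" block is rejected exactly the way the reload output above shows, and a failed ufw-init leaves it unclear which rules are actually loaded, so it is worth checking the file before reloading. The script defines check_ufw_rules and runs it over two constructed sample files: a broken one with the OpenVPN block inside the filter table, and a corrected one with the NAT block placed at the top, above "*filter", which is the usual placement for this block. Only the 10.8.0.0/8 subnet and the ens3 interface are taken from the post; the surrounding filter rules are constructed and shortened.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: validate the table layout of a
# ufw before.rules file the way iptables-restore will see it.

# check_ufw_rules FILE
# Prints one diagnostic per problem; returns 1 if any table is opened before
# the previous one was committed (or a rule sits outside any table), else 0.
check_ufw_rules() {
    file=$1
    open_table=""      # name of the table currently open, if any
    open_line=0        # line where that table was opened
    n=0
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*|'') continue ;;                  # comments and blank lines
            '*'*)                                 # "*filter", "*nat", ...
                if [ -n "$open_table" ]; then
                    echo "$file:$n: '$line' opened while '*$open_table' (line $open_line) has no COMMIT yet"
                    rc=1
                fi
                open_table=${line#\*}
                open_line=$n
                ;;
            COMMIT)
                if [ -z "$open_table" ]; then
                    echo "$file:$n: COMMIT without an open table"
                    rc=1
                fi
                open_table=""
                ;;
            ':'*|'-A '*|'-I '*|'-D '*)            # chain declarations and rules
                if [ -z "$open_table" ]; then
                    echo "$file:$n: rule outside any table: $line"
                    rc=1
                fi
                ;;
        esac
    done < "$file"
    if [ -n "$open_table" ]; then
        echo "$file: table '*$open_table' (line $open_line) never committed"
        rc=1
    fi
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the OpenVPN NAT block pasted after "*filter" was opened,
# the layout that iptables-restore rejects with "Bad argument `*nat'".
BROKEN=$WORK/before.rules.broken
cat > "$BROKEN" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF

# Constructed sample: the same NAT block placed at the top of the file, above
# "*filter", so each table is opened and committed in turn.
GOOD=$WORK/before.rules.good
cat > "$GOOD" <<'EOF'
# START OPENVPN RULES
# NAT table rule
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF

for f in "$BROKEN" "$GOOD"; do
    if check_ufw_rules "$f"; then
        echo "$f: layout OK"
    else
        echo "$f: layout INVALID"
    fi
done
```

On a live system, run the function against /etc/ufw/before.rules before calling ufw reload; the checker only reads the file and never touches the firewall. It does not validate rule syntax, only the table structure that the reload output above complains about.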