BairDev's questions

我正在使用这个VirtualHost

<IfModule headers_module>
    Header set ProcessingTime "%D"
    Header set Server "Apache 2.4"
</IfModule>

我可以看到设置ProcessingTime很愉快，但是Server是默认设置的，这告诉了太多有关服务器软件版本的信息。

我做错了什么，我能算出标题Server最终设置在哪里吗？

我努力了：

• sudo grep -Rin "Header" /etc/httpd/conf.d/-> 没有结果Header set Server
• sudo grep -Rin "servertokens" /etc/httpd/conf.d/-> 绝对没有结果

Apache 版本： CentOS 上的Apache/2.4.53 (codeit)。

我无法解决以下问题。使用 openssl 验证服务器证书失败，链不完整。

免责声明：我不是管理员，也没有过多地使用证书。

使用 OpenSSL 进行验证

$ openssl verify -CAfile /etc/letsencrypt/live/co2-avatar.com/fullchain.pem  /etc/letsencrypt/live/co2-avatar.com/cert.pem

# /etc/letsencrypt/live/co2-avatar.com/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
# error 2 at 2 depth lookup:unable to get issuer certificate

检查证书中的域之一

openssl s_client -connect co2avatar.org:443 -servername co2avatar.org
# CONNECTED(00000003)
# depth=0 CN = gitlab.sustainable-data-platform.org
# verify error:num=20:unable to get local issuer certificate
# verify return:1
# depth=0 CN = gitlab.sustainable-data-platform.org
# verify error:num=21:unable to verify the first certificate
# verify return:1
# ---
# Certificate chain
#  0 s:CN = gitlab.sustainable-data-platform.org
#    i:C = US, O = Let's Encrypt, CN = R3
# ---
# Server certificate
# -----BEGIN CERTIFICATE-----

或运行

curl -v https://co2avatar.org
# *   Trying 85.214.38.88:443...
# * TCP_NODELAY set
# * Connected to co2avatar.org (85.214.38.88) port 443 (#0)
# * ALPN, offering h2
# * ALPN, offering http/1.1
# * successfully set certificate verify locations:
# *   CAfile: /etc/ssl/certs/ca-certificates.crt
#   CApath: /etc/ssl/certs
# * TLSv1.3 (OUT), TLS handshake, Client hello (1):
# * TLSv1.3 (IN), TLS handshake, Server hello (2):
# * TLSv1.2 (IN), TLS handshake, Certificate (11):
# * TLSv1.2 (OUT), TLS alert, unknown CA (560):
# * SSL certificate problem: unable to get local issuer certificate
# * Closing connection 0
# curl: (60) SSL certificate problem: unable to get local issuer certificate

可能两者都有，我的 Apache VHost 中的域配置错误以及证书链本身的问题。我如何检查最后一个（我搜索了很多，但大多数点击是关于openssl verify或-CAfile关于不同的证书颁发者）？

我是否需要检查根证书包以及如何检查？

有没有类似certbot certonly的-addtrust标志？

我不是服务器管理员，所以我不会每天都配置 Apache 服务器。

但我想在我们的服务器上使用带有 SSL 和 Apache 2.4.6 的 Gitlab。（CentOS 7 上的 httpd）。

到目前为止，我已经添加了证书 ( .pem) 并打开了 SSL。

头 -30 /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml

gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: gitlab.my-domain.org
    port: 443
    https: true

    # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout
    max_request_duration_seconds: 57

阿帕奇配置：

<IfModule mod_ssl.c>
<VirtualHost *:443>  
  ServerName gitlab.my-domain.org
  ServerSignature Off

  ProxyPreserveHost On
  ProxyTimeout 60
  AllowEncodedSlashes NoDecode

  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/letsencrypt/live/some-original-domain/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/some-original-domain/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateChainFile /etc/letsencrypt/live/some-original-domain/chain.pem

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted
    ProxyPassReverse http://127.0.0.1:8080
    ProxyPassReverse https://gitlab.my-domain.org/
  </Location>

  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* https://127.0.0.1:8080%{REQUEST_URI} [P,QSA]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  # ErrorDocument 404 /404.html
  # ErrorDocument 422 /422.html
  # ErrorDocument 500 /500.html
  # ErrorDocument 503 /deploy.html

  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog  /var/log/httpd/gitlab.my-domain_error.log
  CustomLog /var/log/httpd/gitlab.my-domain_forwarded.log common_forwarded
  CustomLog /var/log/httpd/gitlab.my-domain_access.log combined env=!dontlog
  CustomLog /var/log/httpd/gitlab.my-domain.log combined

</VirtualHost>
</IfModule>

一定有一些错误配置，我只看到：

 [proxy_http:error] [pid 18466] (103)Software caused connection abort: [client {IP}:32906] AH01102: error reading status line from remote server 127.0.0.1:8080
[proxy:error] [pid 18466] [client {IP}:32906] AH00898: Error reading from remote server returned by /

而且我不明白<location> 这个配置的一部分

也为wget http://localhost:8080/api/v3/internal/检查服务器

{....} connection refused
ERROR 410: Gone.

最后gitlab-rake gitlab:check：

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.7.0 ? ... OK (13.7.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 
GitLab Instance / Monitoring ... yes
sdp-dev / sdp-services ... yes
sdp-dev / co2compass-app ... yes
sdp-dev / sdp-api ... yes
sdp-dev / sdp-ops ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 3
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

我认为这不是超时问题，因为来自浏览器的整个请求大约需要 150 毫秒。我能够通过http之前访问 Gitlab 实例。

任何想法？

编辑：网络统计

为了澄清，Gitlab 是否应该在127.0.0.1:8080下可用，我认为该服务在那里可用。

netstat -tupln

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    

tcp        0      0 127.0.0.1:9229          0.0.0.0:*               LISTEN      28566/gitlab-workho                  
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      6202/puma: cluster  
tcp        0      0 127.0.0.1:9168          0.0.0.0:*               LISTEN      28564/puma 4.3.5.gi         
tcp        0      0 127.0.0.1:8082          0.0.0.0:*               LISTEN      28846/sidekiq 5.2.9 
tcp        0      0 127.0.0.1:9236          0.0.0.0:*               LISTEN      28523/gitaly                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4950/httpd           
tcp6       0      0 ::1:9168                :::*                    LISTEN      28564/puma 4.3.5.gi