<h2 id="_1">System environment</h2>
<pre>System information
System: Ubuntu 14.04
Current User: git
Using RVM: no
Ruby Version: 2.1.5p273
Gem Version: 2.2.1
Bundler Version:1.5.3
Rake Version: 10.3.2
Sidekiq Version:3.3.0

GitLab information
Version: 7.8.1
Revision: e2d785c
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.zhuima.com
HTTP Clone URL: https://git.zhuima.com/some-project.git
SSH Clone URL: ssh://git@git.zhuima.com:10086/zhuima.git
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 2.5.4
Repositories: /data/gitlab/data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git</pre>
<h2 id="_2">Symptoms</h2>
<pre>Every day there is a period during which requests return 403
GitLab is unreachable from the office network</pre>
<h2 id="_3">Troubleshooting approach</h2>
<blockquote><p>1. Do 401 or 403 status codes appear in the logs?</p>
<p>2. Problems reported by gitlab-rake gitlab:check [fixing them did not resolve the issue]</p>
</blockquote>
<pre>zhuima-library / yii-framework ... no
  Try fixing it:
  sudo -u git -H bundle exec rake gitlab:satellites:create RAILS_ENV=production
  If necessary, remove the tmp/repo_satellites directory ...
  ... and rerun the above command
  For more information see:
  doc/raketasks/maintenance.md</pre>
<blockquote><p>3. Searching online for related documentation</p>
</blockquote>
<pre>http://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html
Suspected that the policy in rack_attack.rb was the cause; edited the file and restarted, but the change did not take effect</pre>
<blockquote><p>Configuration in rack_attack.rb: changing it to 300 requests per 1 second did not take effect!!!!!</p>
</blockquote>
<pre>unless Rails.env.test?
  # paths_regex is built earlier in the same initializer (not shown in this excerpt).
  # This throttle only counts POST requests to the protected paths, keyed by client IP.
  Rack::Attack.throttle('protected paths', limit: 300, period: 1.seconds) do |req|
    if req.post? && req.path =~ paths_regex
      req.ip
    end
  end
end</pre>
<h2 id="_4">Other</h2>
<blockquote><p>Each outage lasts 1 hour</p>
</blockquote>
<pre>No scheduled tasks are configured for that time window
GitLab authenticates accounts via LDAP</pre>
<blockquote><p>Only the office network cannot access GitLab; access from external networks is normal</p>
</blockquote>
<pre>1. Only the office network cannot access GitLab; access from external networks is normal
2. 150+ developers on the office network
3. Concurrency: 30+</pre>
<h2 id="_5">Problems to solve</h2>
<blockquote><p>Desired outcome</p>
</blockquote>
<pre>1. How to disable the rack_attack.rb policy
2. A stable service</pre>
<h2 id="_6">Relevant logs</h2>
<pre>Started GET "/" for 127.0.0.1 at 2015-09-02 16:57:50 +0800
Processing by DashboardController#show as */*
Completed 401 Unauthorized in 44ms
=========
==> /var/log/gitlab/nginx/gitlab_access.log <==
118.187.12.36 - - [02/Sep/2015:16:47:33 +0800] "GET /zhuima-egg/zhuima.git/info/refs?service=git-upload-pack HTTP/1.1" 403 20 "-" "git/1.9.5.msysgit.1"</pre>
<h2 id="_7">Actions taken during troubleshooting</h2>
<h2 id="1_settingsrb">Defined in 1_settings.rb</h2>
<blockquote><p>Adding a whitelist in 1_settings.rb takes effect, but the configuration is reset after gitlab-ctl reconfigure</p>
</blockquote>
<pre>Settings['rack_attack'] ||= Settingslogic.new({})
Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil?
# Both addresses go in one list: a second ||= on the same key is a no-op once the key is set.
Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1 118.187.12.36}
Settings.rack_attack.git_basic_auth['maxretry'] ||= 10        # failed attempts allowed
Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute  # window in which failures are counted
Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour     # how long the IP is refused</pre>
<h2 id="rack_attackrb">Disabling the rack_attack.rb file</h2>
<pre>http://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html</pre>
<h2 id="rack_attack">About rack_attack</h2>
<pre>rack-attack: Rack-based middleware for defending against attacks
https://github.com/kickstarter/rack-attack
https://github.com/kickstarter/rack-attack/wiki/Example-Configuration</pre>
<h2 id="_8">Explanation in the official documentation:</h2>
<pre>http://doc.gitlab.com/ce/security/rack_attack.html
http://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html</pre>
<h2 id="rack_attack_1">rack_attack configuration example</h2>
<pre>https://gitlab.com/gitlab-org/omnibus-gitlab/issues/480</pre>
<h2 id="gitlab-ce-910">gitlab-ce 9.10 archives</h2>
<pre>https://about.gitlab.com/downloads/archives/</pre>
<h2 id="gitlab-79rack_attackrb">Example rack_attack.rb configuration for GitLab 7.9 and later:</h2>
<pre>https://github.com/kickstarter/rack-attack/wiki/Example-Configuration</pre>
<h2 id="_9">References</h2>
<pre>https://code.csdn.net/zhanglushan/gitlabhq/tree/0b1cf50060de0d0a3039dfb2fca47364c7fb5f82/doc/raketasks/maintenance.md</pre>
Last modified: December 10, 2021, 10:53 AM
© Reprinting permitted with attribution
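The one-hour outages that hit only the office network line up with the maxretry / findtime / bantime values shown in the 1_settings.rb section. The following is an added example, not GitLab's or rack-attack's own code: a simplified Ruby model of that fail2ban-style counter. The class name BasicAuthBan, the event format, the external address 203.0.113.7 and the sample traffic are constructed for illustration, and it assumes all office users reach GitLab through one NAT address.

```ruby
# Simplified model of a fail2ban-style ban keyed on client IP (illustrative,
# not GitLab's implementation). Defaults mirror the values on this page.
class BasicAuthBan
  def initialize(maxretry: 10, findtime: 60, bantime: 3600, ip_whitelist: [])
    @maxretry, @findtime, @bantime = maxretry, findtime, bantime
    @whitelist = ip_whitelist
    @failures = Hash.new { |h, ip| h[ip] = [] } # ip => failure timestamps
    @banned_until = {}                          # ip => ban expiry (seconds)
  end

  # Returns the HTTP status the client sees for one Git-over-HTTP request.
  # auth_ok says whether the basic-auth credentials were valid.
  def request(time, ip, auth_ok)
    return (auth_ok ? 200 : 401) if @whitelist.include?(ip)
    return 403 if @banned_until.fetch(ip, 0) > time
    return 200 if auth_ok

    # Keep only failures inside the findtime window, then record this one.
    recent = @failures[ip].select { |t| time - t < @findtime } << time
    @failures[ip] = recent
    if recent.size >= @maxretry
      @banned_until[ip] = time + @bantime
      @failures.delete(ip)
    end
    401
  end
end

# Constructed traffic: ten developers behind one office NAT address each send
# one stale password within the same minute, then valid requests follow.
def simulate(ip_whitelist: [])
  office = '118.187.12.36' # address taken from the page's nginx log
  guard = BasicAuthBan.new(ip_whitelist: ip_whitelist)
  statuses = (0...10).map { |i| guard.request(i * 5, office, false) }
  {
    failures: statuses,
    valid_office_user: guard.request(60, office, true),
    office_after_50_min: guard.request(3000, office, true),
    office_after_ban: guard.request(3700, office, true),
    external_user: guard.request(60, '203.0.113.7', true) # constructed IP
  }
end

if __FILE__ == $PROGRAM_NAME
  puts simulate.inspect
  puts simulate(ip_whitelist: %w[118.187.12.36]).inspect
end
```

With the empty whitelist, valid office requests are refused with 403 until the hour-long ban expires while the external address is unaffected; with the office address whitelisted, the same valid request succeeds.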