System information
System: Ubuntu 14.04Current User: git
Using RVM: no
Ruby Version: 2.1.5p273
Gem Version: 2.2.1Bundler Version:1.5.3Rake Version: 10.3.2Sidekiq Version:3.3.0GitLab information
Version: 7.8.1Revision: e2d785c
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.zhuima.comHTTP Clone URL: https://git.zhuima.com/some-project.gitSSH Clone URL: ssh://git@git.zhuima.com:10086/zhuima.gitUsing LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 2.5.4Repositories: /data/gitlab/data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
每天总有一段时间会出现403的情况
办公网不能访问位
1、日志中出现401、403状态吗
2、gitlab-rake gitlab:check发现的问题 [修复未能解决问题]
zhuima-library / yii-framework ... no
Try fixing it:
sudo -u git -H bundle exec rake gitlab:satellites:create RAILS_ENV=production
If necessary, remove the tmp/repo_satellites directory ...
... and rerun the above command
For more information see:
doc/raketasks/maintenance.md3、网上的文档搜索相关文档
http://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html怀疑是rack_attack.rb文件的策略导致的,修改文件,重启不生效
rack_attack.rb文件的额配置,修改1s并发300不生效!!!!!
unless Rails.env.test?
Rack::Attack.throttle('protected paths', limit: 300, period: 1.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end
每次服务中断时间为1小时
该时间段内没有设置任务计划
gitlab是通过ladp进行账号验证的
仅仅办公网不能正常访问gitlab,外部网络访问正常
1、仅仅办公网不能正常访问gitlab,外部网络访问正常2、办公网络开发人数150+3、并发30+
1、如何禁用rack_attack.rb的策略2、稳定的服务
Started GET "/" for 127.0.0.1 at 2015-09-02 16:57:50 +0800Processing by DashboardController#show as */*Completed 401 Unauthorized in 44ms
=========
==> /var/log/gitlab/nginx/gitlab_access.log <==118.187.12.36 - - [02/Sep/2015:16:47:33 +0800] "GET /zhuima-egg/zhuima.git/info/refs?service=git-upload-pack HTTP/1.1" 403 20 "-" "git/1.9.5.msysgit.1"
1_settings.rb中定义的
1_settings.rb中添加白名单,生效,但是gitlab-ctl reconfigure之后配置被初始化
Settings['rack_attack'] ||= Settingslogic.new({})
Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil?
Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{118.187.12.36}
Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
Settings.rack_attck.git_basic_auth['findtime'] ||= 1.minute
Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour
禁用rack_attack.rb文件
http://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html
关于rack_attack
rack-attack: 基于 Rack 的防攻击中间件
https://github.com/kickstarter/rack-attackhttps://github.com/kickstarter/rack-attack/wiki/Example-Configuration
官方文档的解释:
http://doc.gitlab.com/ce/security/rack_attack.htmlhttp://boardreader.com/thread/Gitlab_7_10_4_Forbidden_Error_56o55lX769.html
rack_attack配置在案例·
https://gitlab.com/gitlab-org/omnibus-gitlab/issues/480
gitlab-ce 9.10归档整理
https://about.gitlab.com/downloads/archives/
gitlab 7.9版本之后的rack_attack.rb配置示例:
https://github.com/kickstarter/rack-attack/wiki/Example-Configuration
参考文档
https://code.csdn.net/zhanglushan/gitlabhq/tree/0b1cf50060de0d0a3039dfb2fca47364c7fb5f