{"id":748,"date":"2019-07-18T16:52:24","date_gmt":"2019-07-18T22:52:24","guid":{"rendered":"https:\/\/ugit.siua.ac.cr\/?p=748"},"modified":"2019-09-25T14:05:44","modified_gmt":"2019-09-25T20:05:44","slug":"proxmox5-proxy-reverso-configuracion-gitlab","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=748","title":{"rendered":"PROXMOX5: Reverse Proxy Configuration for GitLab"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Host: proxy<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>We create a virtual host that answers requests for \u00abgit.siua.ac.cr\u00bb and is publicly reachable by Let's Encrypt<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/apache2\/sites-available\/git.siua.ac.cr.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We add<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>NameVirtualHost 181.193.87.6:80\n\n&lt;VirtualHost 181.193.87.6:80>\n\n        #************************************************************************\n        #*********  WEBSITE DATA  ********************************\n        #************************************************************************\n        ServerName git.siua.ac.cr\n        ServerAlias www.git.siua.ac.cr\n        ErrorLog \/var\/log\/apache2\/git80.siua.ac.cr-error.log\n        CustomLog \/var\/log\/apache2\/git80.siua.ac.cr-access.log common\n\n        #************************************************************************\n        #*********  WEBMASTER DATA  *****************************\n        #************************************************************************\n        ServerAdmin interuniversitariadealajuela@gmail.com\n        Header add Author \"Unidad de Gestion e Innovacion Tecnologica\"\n\n        #************************************************************************\n        #*********  REDIRECT DATA  ****************\n        
#************************************************************************\n\n&lt;\/VirtualHost><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We enable the site<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>a2ensite git.siua.ac.cr<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We reload Apache<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl reload apache2<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Host: DNS1 and pfSense<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>In the public DNS we enable the domains \u00abgit.siua.ac.cr\u00bb and \u00abwww.git.siua.ac.cr\u00bb and point them to our reverse proxy<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Host: proxy<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>We request the Let's Encrypt certificate<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>certbot --installer apache<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Result<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\nHow would you like to authenticate with the ACME CA?\n-------------------------------------------------------------------------------\n1: Apache Web Server plugin - Beta (apache)\n2: Spin up a temporary webserver (standalone)\n3: Place files in webroot directory (webroot)\n-------------------------------------------------------------------------------\nSelect the appropriate number [1-3] then [enter] (press 'c' to cancel): 1\nPlugins selected: Authenticator apache, Installer apache\n\nWhich names would you like to activate HTTPS for?\n-------------------------------------------------------------------------------\n1: git.siua.ac.cr\n2: www.git.siua.ac.cr\n3: soporte.siua.ac.cr\n4: www.soporte.siua.ac.cr\n-------------------------------------------------------------------------------\nSelect the appropriate numbers separated by commas and\/or spaces, or leave input\nblank to select all options shown (Enter 'c' to 
cancel): 1 2\nObtaining a new certificate\nPerforming the following challenges:\nhttp-01 challenge for git.siua.ac.cr\nhttp-01 challenge for www.git.siua.ac.cr\nWaiting for verification...\nCleaning up challenges\nCreated an SSL vhost at \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf\nDeploying Certificate to VirtualHost \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf\nEnabling available site: \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf\nDeploying Certificate to VirtualHost \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf\n\nPlease choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.\n-------------------------------------------------------------------------------\n1: No redirect - Make no further changes to the webserver configuration.\n2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for\nnew sites, or if you're confident your site works on HTTPS. You can undo this\nchange by editing your web server's configuration.\n-------------------------------------------------------------------------------\nSelect the appropriate number [1-2] then [enter] (press 'c' to cancel): 2\nRedirecting vhost in \/etc\/apache2\/sites-enabled\/git.siua.ac.cr.conf to ssl vhost in \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf\n\n-------------------------------------------------------------------------------\nCongratulations! You have successfully enabled https:\/\/git.siua.ac.cr and\nhttps:\/\/www.git.siua.ac.cr\n\nYou should test your configuration at:\nhttps:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=git.siua.ac.cr\nhttps:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=www.git.siua.ac.cr\n-------------------------------------------------------------------------------\n\nIMPORTANT NOTES:\n- Congratulations! 
Your certificate and chain have been saved at:\n\/etc\/letsencrypt\/live\/git.siua.ac.cr\/fullchain.pem\nYour key file has been saved at:\n\/etc\/letsencrypt\/live\/git.siua.ac.cr\/privkey.pem\nYour cert will expire on 2018-07-18. To obtain a new or tweaked\nversion of this certificate in the future, simply run certbot again\nwith the \"certonly\" option. To non-interactively renew *all* of\nyour certificates, run \"certbot renew\"\n- If you like Certbot, please consider supporting our work by:\n\nDonating to ISRG \/ Let's Encrypt: https:\/\/letsencrypt.org\/donate\nDonating to EFF: https:\/\/eff.org\/donate-le<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>This modifies the file \u00abgit.siua.ac.cr.conf\u00bb, leaving it as follows:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/apache2\/sites-available\/git.siua.ac.cr.conf <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>NameVirtualHost 181.193.87.6:80\n\n&lt;VirtualHost 181.193.87.6:80>\n\n        #************************************************************************\n        #*********  WEBSITE DATA  ********************************\n        #************************************************************************\n        ServerName git.siua.ac.cr\n        ServerAlias www.git.siua.ac.cr\n        ErrorLog \/var\/log\/apache2\/git80.siua.ac.cr-error.log\n        CustomLog \/var\/log\/apache2\/git80.siua.ac.cr-access.log common\n\n        #************************************************************************\n        #*********  WEBMASTER DATA  *****************************\n        #************************************************************************\n        ServerAdmin interuniversitariadealajuela@gmail.com\n        Header add Author \"Unidad de Gestion e Innovacion Tecnologica\"\n\n        #************************************************************************\n        #*********  REDIRECT 
DATA  ****************\n        #************************************************************************\n        RewriteEngine on\n        RewriteCond %{SERVER_NAME} =git.siua.ac.cr [OR]\n        RewriteCond %{SERVER_NAME} =www.git.siua.ac.cr\n        RewriteRule ^ https:\/\/%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]\n\n&lt;\/VirtualHost><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And it creates the file \u00abgit.siua.ac.cr-le-ssl.conf\u00bb for us<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/apache2\/sites-available\/git.siua.ac.cr-le-ssl.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;IfModule mod_ssl.c>\n&lt;VirtualHost 181.193.87.6:443>\n\n        #************************************************************************\n        #*********  WEBSITE DATA  ********************************\n        #************************************************************************\n        ServerName git.siua.ac.cr\n        ServerAlias www.git.siua.ac.cr\n        ErrorLog \/var\/log\/apache2\/git80.siua.ac.cr-error.log\n        CustomLog \/var\/log\/apache2\/git80.siua.ac.cr-access.log common\n\n        #************************************************************************\n        #*********  WEBMASTER DATA  *****************************\n        #************************************************************************\n        ServerAdmin interuniversitariadealajuela@gmail.com\n        Header add Author \"Unidad de Gestion e Innovacion Tecnologica\"\n\n        #************************************************************************\n        #*********  REDIRECT DATA  ****************\n        #************************************************************************\n\n\n\n        Include \/etc\/letsencrypt\/options-ssl-apache.conf\n        SSLCertificateFile 
\/etc\/letsencrypt\/live\/git.siua.ac.cr\/fullchain.pem\n        SSLCertificateKeyFile \/etc\/letsencrypt\/live\/git.siua.ac.cr\/privkey.pem\n\n&lt;\/VirtualHost>\n&lt;\/IfModule>\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We modify it so that it reads as follows:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;IfModule mod_ssl.c>\n&lt;VirtualHost 181.193.87.6:443>\n\n        #************************************************************************\n        #*********  WEBSITE DATA  ********************************\n        #************************************************************************\n        ServerName git.siua.ac.cr\n        ServerAlias www.git.siua.ac.cr\n        ErrorLog \/var\/log\/apache2\/git443.siua.ac.cr-error.log\n        CustomLog \/var\/log\/apache2\/git443.siua.ac.cr-access.log common\n\n        #************************************************************************\n        #*********  WEBMASTER DATA  *****************************\n        #************************************************************************\n        ServerAdmin interuniversitariadealajuela@gmail.com\n        Header add Author \"Unidad de Gestion e Innovacion Tecnologica\"\n\n        #************************************************************************\n        #*********  REDIRECT DATA  ****************\n        #************************************************************************\n        ProxyPreserveHost On\n        ProxyRequests off\n        SSLProxyEngine on\n        ProxyPass \/ https:\/\/10.20.200.22\/\n        ProxyPassReverse \/ https:\/\/10.20.200.22\/\n\n\n        Include \/etc\/letsencrypt\/options-ssl-apache.conf\n        SSLCertificateFile \/etc\/letsencrypt\/live\/git.siua.ac.cr\/fullchain.pem\n        SSLCertificateKeyFile \/etc\/letsencrypt\/live\/git.siua.ac.cr\/privkey.pem\n\n&lt;\/VirtualHost>\n&lt;\/IfModule><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Host: GITLAB<\/h2>\n\n\n\n<ul 
class=\"wp-block-list\"><li>GitLab is installed on a Debian 9 machine that already has a root user, but that user is not allowed to log in over SSH, so we are going to fix that<\/li><li>We check whether the root user already has a password; if not, we run<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>passwd root<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Result:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Introduzca la nueva contrase\u00f1a de UNIX: CA3\nVuelva a escribir la nueva contrase\u00f1a de UNIX: CA3\npasswd: password updated successfully<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We open the file<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We modify<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>PermitRootLogin yes\nPubkeyAuthentication yes\nAuthorizedKeysFile      .ssh\/authorized_keys .ssh\/authorized_keys2\nPasswordAuthentication yes<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We restart the service<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service sshd restart<\/code><\/pre>\n\n\n\n<p>With this we can now log in as the root user over SSH<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -l root 10.20.200.22<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now that we have access, we grant permissions on the folder where the certificates are stored<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 777 -R \/etc\/gitlab\/trusted-certs\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We open the configuration file<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/gitlab\/gitlab.rb<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Modify<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>external_url 'http:\/\/git.siua.ac.cr'\nX\nexternal_url 'https:\/\/git.siua.ac.cr'\n\n#nginx['enable'] = 
true\nX\nnginx['enable'] = true\n\n#nginx['redirect_http_to_https'] = false\nX\nnginx['redirect_http_to_https'] = true\n\n#nginx['redirect_http_to_https_port'] = 80\nX\nnginx['redirect_http_to_https_port'] = 80\n\nnginx['ssl_certificate'] = \"\/etc\/gitlab\/ssl\/#{node['fqdn']}.crt\"\nX\nnginx['ssl_certificate'] = \"\/etc\/gitlab\/trusted-certs\/git.siua.ac.cr\/fullchain1.pem\"\n\nnginx['ssl_certificate_key'] = \"\/etc\/gitlab\/ssl\/#{node['fqdn']}.key\"\nX\nnginx['ssl_certificate_key'] = \"\/etc\/gitlab\/trusted-certs\/git.siua.ac.cr\/privkey1.pem\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Host: PROXY<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>We go into the folder<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/root\/.ssh\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And we list the files<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ls<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>This is to make sure no keys have already been created for the \u00abroot\u00bb user; if they exist, we skip the next step:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>id_rsa id_rsa.pub known_hosts<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>If they do not exist. Step #1: We create the keys for the client WITH AN EMPTY PASSPHRASE<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t rsa<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Generating public\/private rsa key pair.\nEnter file in which to save the key (\/root\/.ssh\/id_rsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in llave_proxy_rev_ext.\nYour public key has been saved in llave_proxy_rev_ext.pub.\nThe key fingerprint is:\nSHA256:Eao0rOXn89R8pg3FjvPKsYUwBlAXaBxHBMZrHt06u78 root@proxy-reverso-ex\nThe key's randomart image is:\n+---[RSA 2048]----+\n| .+=*B. |\n| . o=+ . |\n| =.oo.. |\n| = o+..... 
|\n| . oo..S. o |\n| o..o= = |\n| o .oO = |\n| +.. % |\n| ooEoo |\n+----[SHA256]-----+<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Continuing, once the keys are created we copy them to the remote server \u00abgit.siua.ac.cr\u00bb<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-copy-id root@10.20.200.22<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Result:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/ssh-copy-id: INFO: Source of key(s) to be installed: \"\/root\/.ssh\/id_rsa.pub\"\nThe authenticity of host '10.20.200.22 (10.20.200.22)' can't be established.\nECDSA key fingerprint is SHA256:sQwHo1MowIYAC7XlD27jzFMmYxGizGIEd3uZZU2iyNA.\nAre you sure you want to continue connecting (yes\/no)? yes\n\/usr\/bin\/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n\/usr\/bin\/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\nroot@10.20.200.22's password:\nbash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)\n\nNumber of key(s) added: 1\n\nNow try logging into the machine, with: \"ssh 'root@10.20.200.22'\"\nand check to make sure that only the key(s) you wanted were added.<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>We can test the login<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh root@10.20.200.22<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Done, we have direct access<\/li><li>Now we copy the Let's Encrypt certificate files to the git server<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>scp -r \/etc\/letsencrypt\/archive\/git.siua.ac.cr\/ root@10.20.200.22:\/etc\/gitlab\/trusted-certs\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now we run a remote command to reconfigure GitLab<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh root@10.20.200.22  gitlab-ctl 
reconfigure<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now we edit the certificate renewal file<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/root\/ssh-renew.sh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And we add the lines<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#GitLab server\nscp -r \/etc\/letsencrypt\/archive\/git.siua.ac.cr\/ root@10.20.200.22:\/etc\/gitlab\/trusted-certs\/\nssh root@10.20.200.22  gitlab-ctl reconfigure<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>GitLab reverse proxy configuration<\/p>\n","protected":false},"author":2,"featured_media":2065,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[42,29],"class_list":["post-748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-gitlab","tag-gitlab","tag-proxy"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=748"}],"version-history":[{"count":2,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/748\/revisions"}],"predecessor-version":[{"id":2066,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/748\/revisions\/2066"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/medi
a\/2065"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}