PROXMOX5: Reverse proxy configuration for GitLab

Host: proxy

  • We create a virtual host that answers requests for «git.siua.ac.cr» and is reachable from the Internet, so that Let's Encrypt can complete its http-01 challenge
nano /etc/apache2/sites-available/git.siua.ac.cr.conf
  • We add
NameVirtualHost 181.193.87.6:80

<VirtualHost 181.193.87.6:80>

        #************************************************************************
        #*********  WEB SITE DATA  *************************************
        #************************************************************************
        ServerName git.siua.ac.cr
        ServerAlias www.git.siua.ac.cr
        ErrorLog /var/log/apache2/git80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/git80.siua.ac.cr-access.log common

        #************************************************************************
        #*********  WEBMASTER DATA  ************************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #*********  REDIRECTION DATA  **********************************
        #************************************************************************

</VirtualHost>
  • We enable the site
a2ensite git.siua.ac.cr
  • We reload Apache
systemctl reload apache2

Host: DNS1 and pfSense

  • In the public DNS we enable the names «git.siua.ac.cr» and «www.git.siua.ac.cr» and point them at our reverse proxy

Host: proxy

  • We request the Let's Encrypt certificate
certbot --installer apache
  • Result
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: git.siua.ac.cr
2: www.git.siua.ac.cr
3: soporte.siua.ac.cr
4: www.soporte.siua.ac.cr
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for git.siua.ac.cr
http-01 challenge for www.git.siua.ac.cr
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/git.siua.ac.cr.conf to ssl vhost in /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://git.siua.ac.cr and
https://www.git.siua.ac.cr

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=git.siua.ac.cr
https://www.ssllabs.com/ssltest/analyze.html?d=www.git.siua.ac.cr
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/git.siua.ac.cr/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/git.siua.ac.cr/privkey.pem
Your cert will expire on 2018-07-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • This modifies the file «git.siua.ac.cr.conf», which now reads:
nano /etc/apache2/sites-available/git.siua.ac.cr.conf
  • RESULT:
NameVirtualHost 181.193.87.6:80

<VirtualHost 181.193.87.6:80>

        #************************************************************************
        #*********  WEB SITE DATA  *************************************
        #************************************************************************
        ServerName git.siua.ac.cr
        ServerAlias www.git.siua.ac.cr
        ErrorLog /var/log/apache2/git80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/git80.siua.ac.cr-access.log common

        #************************************************************************
        #*********  WEBMASTER DATA  ************************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #*********  REDIRECTION DATA  **********************************
        #************************************************************************
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =git.siua.ac.cr [OR]
        RewriteCond %{SERVER_NAME} =www.git.siua.ac.cr
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>
  • And it creates the file «git.siua.ac.cr-le-ssl.conf»
nano /etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf
  • RESULT:
<IfModule mod_ssl.c>
<VirtualHost 181.193.87.6:443>

        #************************************************************************
        #*********  WEB SITE DATA  *************************************
        #************************************************************************
        ServerName git.siua.ac.cr
        ServerAlias www.git.siua.ac.cr
        ErrorLog /var/log/apache2/git80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/git80.siua.ac.cr-access.log common

        #************************************************************************
        #*********  WEBMASTER DATA  ************************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #*********  REDIRECTION DATA  **********************************
        #************************************************************************

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/git.siua.ac.cr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/git.siua.ac.cr/privkey.pem

</VirtualHost>
</IfModule>
  • We modify it so that it reads (the proxy forwards everything to the GitLab host over HTTPS and uses separate log files for port 443):
<IfModule mod_ssl.c>
<VirtualHost 181.193.87.6:443>

        #************************************************************************
        #*********  WEB SITE DATA  *************************************
        #************************************************************************
        ServerName git.siua.ac.cr
        ServerAlias www.git.siua.ac.cr
        ErrorLog /var/log/apache2/git443.siua.ac.cr-error.log
        CustomLog /var/log/apache2/git443.siua.ac.cr-access.log common

        #************************************************************************
        #*********  WEBMASTER DATA  ************************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #*********  REDIRECTION DATA  **********************************
        #************************************************************************
        ProxyPreserveHost On
        ProxyRequests off
        SSLProxyEngine on
        ProxyPass / https://10.20.200.22/
        ProxyPassReverse / https://10.20.200.22/

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/git.siua.ac.cr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/git.siua.ac.cr/privkey.pem

</VirtualHost>
</IfModule>
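Before reloading Apache with the vhost above it is worth checking that ProxyPass and ProxyPassReverse name the same backend, and afterwards that the HTTP to HTTPS redirect and the proxied site actually answer. The following script is an added example, not part of the original page; it assumes the vhost file path shown on this page and that curl is installed on the proxy.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the
# git.siua.ac.cr reverse-proxy vhost, run on the proxy before and after
# "systemctl reload apache2". VHOST is the page's file; curl is assumed.
set -eu

VHOST="/etc/apache2/sites-available/git.siua.ac.cr-le-ssl.conf"
SITE="git.siua.ac.cr"

# Print "path target" pairs for one directive (ProxyPass or
# ProxyPassReverse) found in a vhost file.
proxy_targets() {  # $1 = directive, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1 \2/p" "$2"
}

# Fail when a ProxyPass path has no ProxyPassReverse with the same backend:
# Apache would then rewrite Location headers coming from GitLab to a host
# the clients never talk to.
check_proxy_pairs() {  # $1 = config file
    proxy_targets ProxyPass "$1" | while read -r path target; do
        rev=$(proxy_targets ProxyPassReverse "$1" | awk -v p="$path" '$1 == p { print $2 }')
        if [ "$rev" != "$target" ]; then
            echo "MISMATCH $path: ProxyPass -> $target, ProxyPassReverse -> ${rev:-none}" >&2
            exit 1
        fi
    done
}

# Live checks: plain HTTP must answer with the permanent redirect to the
# same host over HTTPS, and the HTTPS vhost must reach GitLab.
check_live() {
    redirect=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$SITE/")
    case "$redirect" in
        "301 https://$SITE/"*) ;;
        *) echo "HTTP redirect wrong: $redirect" >&2; return 1 ;;
    esac
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$SITE/")
    case "$code" in
        2??|3??) ;;
        *) echo "HTTPS answered $code (backend unreachable?)" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    check_proxy_pairs "$VHOST"
    check_live
fi
```

Run it as `sh check-proxy.sh --live` on the proxy; `check_proxy_pairs` alone can be pointed at any vhost file.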

Host: GITLAB

  • GitLab is installed on a Debian 9 host that already has a root user, but root is not allowed to log in over SSH, so we change that next
  • We check whether root already has a password; if not, we run
passwd root
  • Result:
Introduzca la nueva contraseña de UNIX: CA3
Vuelva a escribir la nueva contraseña de UNIX: CA3
passwd: password updated successfully
  • We open the file
nano /etc/ssh/sshd_config
  • We modify
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication yes
  • We restart the service
service sshd restart

And with this we can now log in as root over SSH

ssh -l root 10.20.200.22
  • Now that we have access, we grant permissions on the folder where the certificates are stored (this makes the whole tree world-writable; the copy done later from the proxy runs as root, so a restrictive mode would already be sufficient)
chmod 777 -R /etc/gitlab/trusted-certs/
  • We open the configuration file
nano /etc/gitlab/gitlab.rb
  • Modify (each original line, followed by X, is replaced by the line after it)
external_url 'http://git.siua.ac.cr'
X
external_url 'https://git.siua.ac.cr'

#nginx['enable'] = true
X
nginx['enable'] = true

#nginx['redirect_http_to_https'] = false
X
nginx['redirect_http_to_https'] = true

#nginx['redirect_http_to_https_port'] = 80
X
nginx['redirect_http_to_https_port'] = 80

nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
X
nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/git.siua.ac.cr/fullchain1.pem"

nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
X
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/git.siua.ac.cr/privkey1.pem"

Host: PROXY

  • We go to the directory
cd /root/.ssh/
  • And list the files
ls
  • This is to make sure no keys already exist for the «root» user; if they do exist, we skip the next step:
id_rsa id_rsa.pub known_hosts
  • If they do not exist. Step #1: we create the client keys WITH AN EMPTY PASSPHRASE
ssh-keygen -t rsa
  • RESULT:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in llave_proxy_rev_ext.
Your public key has been saved in llave_proxy_rev_ext.pub.
The key fingerprint is:
SHA256:Eao0rOXn89R8pg3FjvPKsYUwBlAXaBxHBMZrHt06u78 root@proxy-reverso-ex
The key's randomart image is:
  • Continuing, once the keys are created we share them with the remote server «git.siua.ac.cr»
ssh-copy-id root@10.20.200.22
  • Result:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.20.200.22 (10.20.200.22)' can't be established.
ECDSA key fingerprint is SHA256:sQwHo1MowIYAC7XlD27jzFMmYxGizGIEd3uZZU2iyNA.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.20.200.22's password:
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@10.20.200.22'"
and check to make sure that only the key(s) you wanted were added.
  • We can test the login
ssh root@10.20.200.22
  • Done, we have direct access
  • Now we copy the Let's Encrypt certificate files to the git server
scp -r /etc/letsencrypt/archive/git.siua.ac.cr/ root@10.20.200.22:/etc/gitlab/trusted-certs/
  • Now we run a remote command so that GitLab is reconfigured
ssh root@10.20.200.22 gitlab-ctl reconfigure
  • Now we edit the certificate renewal script
nano /root/ssh-renew.sh
  • And add the lines
# GitLab server
scp -r /etc/letsencrypt/archive/git.siua.ac.cr/ root@10.20.200.22:/etc/gitlab/trusted-certs/
ssh root@10.20.200.22 gitlab-ctl reconfigure
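The renewal lines above copy the numbered files from archive/, but certbot never overwrites those: each renewal adds fullchain2.pem, fullchain3.pem and so on and only re-points the symlinks in live/, so a gitlab.rb that stays pinned to fullchain1.pem keeps serving the expired certificate. The script below is an added example, not the page's own ssh-renew.sh: it deploys the unnumbered files from live/ and only reconfigures GitLab when the certificate actually changed. It assumes gitlab.rb points at /etc/gitlab/trusted-certs/git.siua.ac.cr/fullchain.pem and privkey.pem, and STATE_FILE is an assumed path.

```shell
#!/bin/sh
# Added example, not the page's own ssh-renew.sh. Run on the proxy after
# "certbot renew" (for instance as its --deploy-hook). Assumes key-based
# root SSH to the GitLab host and a gitlab.rb that points at the unnumbered
# fullchain.pem / privkey.pem under REMOTE_DIR. STATE_FILE is an assumed path.
set -eu

DOMAIN="git.siua.ac.cr"
GITLAB_HOST="root@10.20.200.22"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
ARCHIVE_DIR="/etc/letsencrypt/archive/$DOMAIN"
REMOTE_DIR="/etc/gitlab/trusted-certs/$DOMAIN"
STATE_FILE="/root/.gitlab-cert.sha256"

# Highest-numbered <base>N.pem in a certbot archive directory. certbot never
# overwrites archive files: every renewal adds a new number and re-points
# live/, so a gitlab.rb pinned to fullchain1.pem keeps the old certificate.
latest_archive_pem() {  # $1 = archive dir, $2 = fullchain | privkey
    ls "$1" | sed -n "s/^$2\([0-9][0-9]*\)\.pem$/\1 &/p" | sort -n | tail -n 1 | cut -d' ' -f2
}

# True when the live certificate differs from the one recorded as deployed.
cert_changed() {  # $1 = live fullchain.pem, $2 = state file
    new=$(sha256sum "$1" | cut -d' ' -f1)
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

record_deployed() {  # $1 = live fullchain.pem, $2 = state file
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

deploy() {
    ssh "$GITLAB_HOST" "mkdir -p '$REMOTE_DIR' && chmod 750 '$REMOTE_DIR'"
    # scp reads through the live/ symlinks, so the remote copies are plain
    # files with stable names: no chmod 777 and no renumbering on GitLab.
    scp "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$GITLAB_HOST:$REMOTE_DIR/"
    ssh "$GITLAB_HOST" "chmod 600 '$REMOTE_DIR/privkey.pem' && gitlab-ctl reconfigure"
    record_deployed "$LIVE_DIR/fullchain.pem" "$STATE_FILE"
}

if [ "${1:-}" = "--run" ]; then
    latest=$(latest_archive_pem "$ARCHIVE_DIR" fullchain)
    [ "$latest" = "fullchain1.pem" ] || echo "archive is now at $latest; a gitlab.rb pinned to fullchain1.pem is stale" >&2
    if cert_changed "$LIVE_DIR/fullchain.pem" "$STATE_FILE"; then
        deploy
    else
        echo "certificate unchanged, nothing to deploy"
    fi
fi
```

Invoke it as `sh ssh-renew.sh --run`; without the flag it only defines the functions.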