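GitLab local network blocking configuration

Starting with GitLab 12.2, requests to internal network ranges are blocked by default. This causes configuring webhooks, or importing Git repositories from the internal network, to fail. The option has to be turned on manually.

1. Configuration

Configuration in the admin page
Just tick the option here to turn it on.

Simple, right? But I ran into a problem: in some minor versions, changing this setting fails outright with a 500 unknown error.

At this point, let's look at the log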

Completed 500 Internal Server Error in 17ms (ActiveRecord: 2.2ms)

OpenSSL::Cipher::CipherError ():

lib/gitlab/crypto_helper.rb:27:in `aes256_gcm_decrypt'
app/models/concerns/token_authenticatable_strategies/encrypted.rb:55:in `get_token'
app/models/concerns/token_authenticatable_strategies/base.rb:27:in `ensure_token'
app/models/concerns/token_authenticatable_strategies/encrypted.rb:42:in `ensure_token'
app/models/concerns/token_authenticatable.rb:38:in `block in add_authentication_token_field'
app/services/application_settings/update_service.rb:18:in `execute'
app/controllers/admin/application_settings_controller.rb:40:in `update'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:420:in `set_locale'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
lib/gitlab/middleware/go.rb:19:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/correlation_id.rb:15:in `use_id'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

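It looks like some encryption routine is throwing the error. After some searching I found this issue

It looks like GitLab's own configuration is broken. Run the following commands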

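gitlab-rails console

# Deletes the application settings row, so every instance-level admin setting goes back to its default
ApplicationSetting.first.delete

settings = ApplicationSetting.last
==> nil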

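The last step returns nil. After that, run gitlab-ctl reconfigure to reload, and the setting can be changed successfully.

2. Initial configuration

Is there a way to have this option ticked at initialization? I found this issue

Roughly, it says that adding the "allow_local_requests_from_hooks_and_services" setting to gitlab.rb is enough, but I tried it and it did not work. I don't know whether it is a version problem.

That route was a dead end, so I thought of another approach: doing it through the API. The module I am responsible for already integrates gitlab4j (GitLab's Java SDK), so at service startup it can check this setting and turn it on. The code is as follows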

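@PostConstruct
public void checkSetting() {
    GitLabApi gitlabApi = gitlabClient.getGitlabApi();
    ApplicationSettings settings;
    try {
        settings = gitlabApi.getApplicationSettingsApi().getApplicationSettings();
        // ALLOW_LOCAL_REQUESTS is assumed to be a constant defined elsewhere in this class (not shown).
        // String.valueOf avoids a NullPointerException when the setting is absent from the response.
        // If local network requests are being blocked
        if (!Boolean.parseBoolean(String.valueOf(settings.getSetting(ALLOW_LOCAL_REQUESTS)))) {
            // Log message: "Detected that GitLab has local network blocking on; turning it off automatically"
            log.info("检测到gitlab打开了内网屏蔽,自动关闭");
            gitlabApi.getApplicationSettingsApi().updateApplicationSetting(ALLOW_LOCAL_REQUESTS, true);
        }
    } catch (GitLabApiException e) {
        // Log message: "Failed to check the GitLab configuration"
        log.error("检查gitlab配置失败", e);
    }
}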

This way, as soon as my service starts, the setting is turned on automatically.
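
A narrower variant of the startup check above, as an added example that is not from the original post: instead of turning the block off for every internal address, it computes the settings API payload that allowlists only the internal hosts the service needs. It assumes the instance's settings API exposes allow_local_requests_from_web_hooks_and_services and outbound_local_requests_whitelist; plan_update, is_local_literal and the sample data are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Field names of the GitLab application settings API (assumed to be
# available on the instance's version).
ALLOW_ALL = "allow_local_requests_from_web_hooks_and_services"
ALLOWLIST = "outbound_local_requests_whitelist"


def is_local_literal(host):
    """True/False for an IP literal; None for a hostname (cannot tell offline)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback or ip.is_link_local


def plan_update(current, urls):
    """Return the PUT /application/settings payload, or None if nothing to do."""
    if current.get(ALLOW_ALL):
        return None  # blocking is already off globally
    existing = list(current.get(ALLOWLIST) or [])
    wanted = []
    for url in urls:
        host = urlsplit(url).hostname
        if host is None or is_local_literal(host) is False:
            continue  # unparsable, or a public IP that is not blocked anyway
        if host not in existing and host not in wanted:
            wanted.append(host)
    if not wanted:
        return None  # every needed host is already allowlisted
    return {ALLOWLIST: existing + wanted}


# Constructed sample: settings as returned by GET /application/settings,
# and the endpoints this (hypothetical) service needs GitLab to reach.
SAMPLE_SETTINGS = {ALLOW_ALL: False, ALLOWLIST: ["10.0.0.5"]}
SAMPLE_URLS = [
    "http://10.0.0.5:8080/hook",
    "http://192.168.1.20/hook",
    "https://git.internal.example/group/repo.git",
    "https://8.8.8.8/hook",
]

if __name__ == "__main__":
    print(plan_update(SAMPLE_SETTINGS, SAMPLE_URLS))
```

A None result means the service can start without touching the instance settings; otherwise the returned dictionary is the only field that needs to be sent in the update.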