Detailed configuration for reverse-proxying a GitLab container with OpenResty/nginx

Today I tried using OpenResty as a reverse proxy for GitLab and ran into a few problems along the way, so I am recording them here.

Add the following lines to /etc/gitlab/gitlab.rb:

gitlab_rails['trusted_proxies'] = [
  '127.0.0.1',       # if Nginx is on the same host
  'localhost'
]
# Force HTTPS
nginx['redirect_http_to_https'] = true
nginx['listen_port'] = 80
nginx['listen_https'] = false  # let Nginx handle SSL

# Configure Workhorse to trust the proxy
gitlab_workhorse['trusted_proxies'] = gitlab_rails['trusted_proxies']

Nginx configuration

upstream gitlab {
    server localhost:8080;
    keepalive 64;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      '';
}
server {
    listen 443 ssl http2;
    server_name gitlab.konoha.cc;
    index index.html index.php;
    ssl_session_timeout    1d;
    ssl_session_tickets    off;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:P-256:P-384;
    ssl_session_cache builtin:1000 shared:SSL:50m;
    ssl_protocols       TLSv1.2  TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_certificate /usr/local/openresty/nginx/conf/ssl/server.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/server.key;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    proxy_read_timeout          600;
    send_timeout                600;

    location / {
        proxy_pass http://gitlab; 
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_http_version 1.1;
        # Cache control
        proxy_cache off;
    }
    access_log logs/git.konoha.cc.access.log combined;
    error_log  logs/git.konoha.cc.error.log  warn;
}

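At first the web UI could not be reached at all, and the backend log showed "recv() failed (104: Connection reset by peer)". I asked DeepSeek twice. The first answer did not work. On the second attempt I changed https to http in GitLab's external_url and had nginx listen on 80 as well, and web access worked. I fed this result back to DeepSeek for analysis:

  1. Protocol mismatch: when external_url is set to HTTPS, GitLab expects all requests to arrive over HTTPS, but the Nginx proxy uses an HTTP connection.

  2. Trusted proxy configuration: GitLab needs to know explicitly which proxies are trusted.

After the change, access worked normally. Later I tried removing the two listen settings and the site became unreachable again, so those settings do matter.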
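
How the `trusted_proxies` list and the `X-Forwarded-For` header set in the Nginx config interact, as an added example that is not from the original post and is not GitLab's own code: a simplified Ruby model of the right-to-left rule that Rails-style applications use to pick the client address. All addresses are constructed, and `172.17.0.1` stands in for a proxy that reaches the container over a bridge network (an assumption).

```ruby
require 'ipaddr'

# Parse one address or CIDR range; anything else (such as 'localhost') gives nil.
def parse_ip(text)
  IPAddr.new(text.to_s.strip)
rescue IPAddr::Error
  nil
end

# Simplified model, not GitLab's code: start at the TCP peer, then read
# X-Forwarded-For from its last entry backwards, skipping trusted proxies.
# The first address left over is taken as the client. Entries further to the
# left were supplied by the client itself and are never consulted.
def client_ip(peer, xff, trusted_entries)
  trusted = trusted_entries.filter_map { |entry| parse_ip(entry) }
  hops = ([peer] + xff.to_s.split(',').reverse).filter_map { |hop| parse_ip(hop) }
  found = hops.find { |ip| trusted.none? { |net| net.include?(ip) } }
  found ? found.to_s : peer # every hop trusted: fall back to the peer
end

# Constructed sample: the client at 203.0.113.7 sent its own
# "X-Forwarded-For: 198.51.100.9"; $proxy_add_x_forwarded_for appended the
# real $remote_addr to it before proxying.
XFF = '198.51.100.9, 203.0.113.7'
PAGE_TRUSTED = ['127.0.0.1', 'localhost'] # list from the page's gitlab.rb

if __FILE__ == $PROGRAM_NAME
  # Proxy connects from 127.0.0.1: the forged left-hand entry is ignored.
  puts client_ip('127.0.0.1', XFF, PAGE_TRUSTED)
  # Proxy connects from an address missing from the list (assumed bridge
  # gateway 172.17.0.1): every request is attributed to the proxy itself.
  puts client_ip('172.17.0.1', XFF, PAGE_TRUSTED)
  # Adding that address to the list restores the real client address.
  puts client_ip('172.17.0.1', XFF, PAGE_TRUSTED + ['172.17.0.1'])
end
```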
