Building an HTTPS Git server with Docker and Nginx

Tools used:

  1. Docker Compose
  2. Nginx
  3. Git
  4. fcgiwrap

Docker Compose configuration

services:
  nginx:
    restart: always
    container_name: nginx
    user: root
    image: nginx
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/mime.types:/etc/nginx/mime.types
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/html:/etc/nginx/html
      - ./nginx/screen:/etc/nginx/screen
      - ./nginx/logs:/etc/nginx/logs
      # Important: the fcgiwrap socket on the host is mapped into the container
      - /run/fcgiwrap.socket:/var/run/fcgiwrap.socket
      # No need to map this in, because fcgiwrap runs on the host, not in the container
      # - "/usr/lib/git-core/:/usr/libexec/git-core/:ro"
    environment:
      - NGINX_PORT=80
      - TZ=Asia/Shanghai
    privileged: true

Nginx configuration

# Port 443
server {
    listen 443 ssl;
    server_name git.wangzhy.com;
    ssl_certificate /etc/nginx/ssl/wangzhy.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/wangzhy.com_ecc/wangzhy.com.key;

    ssl_session_cache shared:git_ssl_cache:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    charset utf-8;
    default_type text/plain;

    # whitelist.conf is expected to hold allow directives for permitted client IPs;
    # every other client is denied
    include /etc/nginx/ip-conf/whitelist.conf;
    deny all;

    root /etc/nginx/html;

    # Serve git over https
    location ~ (/.*)$ {
        # Basic authentication (left disabled here)
        # auth_basic "Restricted";
        # auth_basic_user_file /etc/nginx/passwd;

        # FastCGI parameters
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        # fcgiwrap runs on the host (only its socket is mapped into the container through
        # Docker), so this must be the path of git-http-backend on the host, not in the container.
        fastcgi_param SCRIPT_FILENAME "/usr/lib/git-core/git-http-backend";
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        # Root directory of the git repositories on the server
        fastcgi_param GIT_PROJECT_ROOT /wangzhy/gitrepo;
        fastcgi_param PATH_INFO $1;
        # Pass the authenticated user name on to the FastCGI program
        # fastcgi_param REMOTE_USER $remote_user;
        # Raise the maximum request body a client may POST to 100 MB
        client_max_body_size 100m;
    }

    error_page 400 402 403 404 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Git configuration

Allow the repositories to be fetched from and pushed to over HTTP (http.receivepack is what enables push for anonymous clients; with the Basic auth lines in the Nginx config commented out, only the IP whitelist limits who can push):

git config --system http.receivepack true
git config --system http.uploadpack true

fcgiwrap configuration

Install

apt update && apt install fcgiwrap

Start

systemctl start fcgiwrap
systemctl enable fcgiwrap

Troubleshooting

Permission problems

  1. error: remote unpack failed: unable to create temporary object directory

Check the permissions of the following files and directories:

  • /run/fcgiwrap.socket
  • /usr/lib/git-core/git-http-backend
  • the user fcgiwrap runs as (ps aux | grep fcgiwrap)
  • the user the Nginx main process runs as in Docker Compose
  • the permissions of the xxx.git directory; chmod -R 755 xxx.git is usually required

  2. fatal: unable to access 'https://xxxx/.git/': The requested URL returned error: 403

Check the xxx.git/config file and verify that http.receivepack true is set.
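The checks from the two items above, as an added shell script that is not part of the original post. It is run on the host; the socket path defaults to the host-side path from the Compose file, and the function names and the `demo.git` repository used in testing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the two
# failures listed above. Arguments: <repo.git> [fcgiwrap socket]; the socket
# defaults to the host path used by the Compose file. Run it on the host.

# 0 if the repo's config enables http.receivepack (needed for push over HTTP),
# 1 otherwise. Comments and spaces are stripped before the [http] section is read.
receivepack_enabled() {
    awk '
        { line = $0; sub(/[;#].*/, "", line); gsub(/[ \t]/, "", line) }
        line ~ /^\[/ { in_http = (tolower(line) == "[http]"); next }
        in_http && split(line, kv, "=") == 2 && tolower(kv[1]) == "receivepack" {
            found = (tolower(kv[2]) == "true")
        }
        END { exit(found ? 0 : 1) }
    ' "$1/config" 2>/dev/null
}

# 0 if every directory is at least rwxr-xr-x and every file at least rw-r--r--,
# i.e. what "chmod -R 755 xxx.git" produces; 1 if anything is more restrictive.
repo_perms_ok() {
    bad=$(find "$1" \( -type d ! -perm -755 \) -o \( -type f ! -perm -644 \) 2>/dev/null | head -n 1)
    [ -z "$bad" ]
}

# 0 if the path is a socket the current user can read and write.
socket_ok() {
    [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Name of the user fcgiwrap runs as (empty if it is not running).
fcgiwrap_user() {
    ps -eo user=,comm= | awk '$2 == "fcgiwrap" { print $1; exit }'
}

run_checks() {
    repo=$1
    sock=${2:-/run/fcgiwrap.socket}
    socket_ok "$sock" && echo "ok   socket $sock" || echo "FAIL socket $sock not usable"
    [ -x /usr/lib/git-core/git-http-backend ] && echo "ok   git-http-backend" \
        || echo "FAIL /usr/lib/git-core/git-http-backend not executable"
    u=$(fcgiwrap_user); [ -n "$u" ] && echo "ok   fcgiwrap runs as $u" || echo "FAIL fcgiwrap not running"
    repo_perms_ok "$repo" && echo "ok   permissions in $repo" || echo "FAIL run: chmod -R 755 $repo"
    receivepack_enabled "$repo" && echo "ok   http.receivepack" \
        || echo "FAIL run: git -C $repo config http.receivepack true"
}

if [ "$#" -gt 0 ]; then run_checks "$@"; fi
```

Compare the user printed by fcgiwrap_user with the owner of the socket and of the repository directory: if they differ, "unable to create temporary object directory" is the expected result.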

Changing the user fcgiwrap runs as

The system default is www-data. To run it as a different user, for example nginx, use the following command:

systemctl edit --full fcgiwrap.service