stage: Systems
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
title: Load Balancer for multi-node GitLab

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

In a multi-node GitLab configuration, you need a load balancer to route traffic to the application servers. The specifics of which load balancer to use and its exact configuration are beyond the scope of GitLab documentation. We hope that if you're managing HA systems like GitLab, you already have a load balancer of choice. Some examples include HAProxy (open-source), F5 Big-IP LTM, and Citrix NetScaler. This documentation outlines what ports and protocols to use with GitLab.

SSL

How do you want to handle SSL in your multi-node environment? There are several different options:

  • Each application node terminates SSL
  • The load balancers terminate SSL and communication is not secure between the load balancers and the application nodes
  • The load balancers terminate SSL and communication is secure between the load balancers and the application nodes

Application nodes terminate SSL

Configure your load balancers to pass connections on port 443 as 'TCP' rather than 'HTTP(S)' protocol. This passes the connection to the application nodes' NGINX service untouched. NGINX has the SSL certificate and listens on port 443.

See the HTTPS documentation for details on managing SSL certificates and configuring NGINX.

Load Balancers terminate SSL without backend SSL

Configure your load balancers to use the HTTP(S) protocol rather than TCP. The load balancers are responsible for managing SSL certificates and terminating SSL.

Because communication between the load balancers and GitLab isn't secure, there is some additional configuration needed. See the proxied SSL documentation for details.

Load Balancers terminate SSL with backend SSL

Configure your load balancers to use the HTTP(S) protocol rather than TCP. The load balancers are responsible for managing SSL certificates that end users see.

Traffic is secure between the load balancers and NGINX in this scenario. There is no need to add configuration for proxied SSL because the connection is secure all the way. However, configuration must be added to GitLab to configure SSL certificates. See the HTTPS documentation for details on managing SSL certificates and configuring NGINX.
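As an added example (not part of the GitLab documentation), the following Python sketch audits an HAProxy configuration and reports which of the three SSL options above each frontend implements, so a cleartext hop between the load balancer and the application nodes is caught in review. It assumes HAProxy is the load balancer, that `mode` is set in the frontend itself rather than inherited from `defaults`, and that each frontend uses a single `default_backend`; the sample config, addresses, and paths are constructed.

```python
# Constructed sample HAProxy config; names, addresses and paths are placeholders.
SAMPLE = """
frontend fe_passthrough
    mode tcp
    bind :443
    default_backend be_passthrough
backend be_passthrough
    server app1 192.0.2.11:443 check
frontend fe_offload
    bind :8443 ssl crt /etc/haproxy/gitlab.pem
    default_backend be_plain
backend be_plain
    server app1 192.0.2.11:80 check
frontend fe_reencrypt
    bind :9443 ssl crt /etc/haproxy/gitlab.pem
    default_backend be_tls
backend be_tls
    server app1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/ca.pem check
"""

def parse(text):
    """Collect directive token lists per (section kind, section name)."""
    sections, cur = {}, None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if tok and tok[0] in ("frontend", "backend", "listen", "defaults", "global"):
            cur = sections.setdefault((tok[0], tok[1] if len(tok) > 1 else ""), [])
        elif tok and cur is not None:
            cur.append(tok)
    return sections

def classify(text):
    """Map each frontend to one of the three SSL options described above."""
    sec, out = parse(text), {}
    for (kind, name), lines in sec.items():
        if kind != "frontend":
            continue
        lb_tls = any(t[0] == "bind" and "ssl" in t[2:] for t in lines)
        tcp = ["mode", "tcp"] in lines
        be = next((t[1] for t in lines if t[0] == "default_backend"), None)
        servers = [t for t in sec.get(("backend", be), []) if t[0] == "server"]
        # Exact token match: "check-ssl" only encrypts health checks, not traffic.
        be_tls = bool(servers) and all("ssl" in t[3:] for t in servers)
        if not lb_tls:
            out[name] = "passthrough" if tcp else "no-tls"
        else:
            out[name] = "backend-ssl" if be_tls else "cleartext-hop"
    return out
```

A `cleartext-hop` result corresponds to the "terminate SSL without backend SSL" option and means the proxied SSL configuration is required on the GitLab side.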

Ports

Basic ports

| LB Port | Backend Port | Protocol             |
|---------|--------------|----------------------|
| 80      | 80           | HTTP (1)             |
| 443     | 443          | TCP or HTTPS (1) (2) |
| 22      | 22           | TCP                  |