Gitlab CI令牌 - 带有apache的403

Question

I'm running gitlab on my server. I'm serving the website with apache2 (with https).

Recently I got started with gitlab CI, but ran into a problem I just can't resolve on my own: I always get a 403 error:

remote: Access denied
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@git.mydomain.com/group/project.git/': The requested URL returned error: 403

Both SSH and HTTP(S) are enabled for cloning and ci works just fine with public projects, checking all gitlab logs reveals that the runner isn't authenticated thus triggering a 403.

My best guess is that the apache configuration doesn't pass the ci-token to gitlab, but neither do I know how I can check that, nor do I believe that this is truly the cause.

My vhost:

<VirtualHost *:80>
  ServerName git.mydomain.com
  ServerSignature Off

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on

  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCipherSuite     "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/letsencrypt/live/git.mydomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/git.mydomain.com/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/git.mydomain.com/chain.pem

  ServerName git.mydomain.com
  ServerSignature Off

  ProxyPreserveHost On

  AllowEncodedSlashes NoDecode

  <Location />
    Require all granted
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://git.mydomain.com/
  </Location>
  RewriteEngine on

  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/apache2/gitlab_error.log
  CustomLog /var/log/apache2/gitlab_forwarded.log common_forwarded
  CustomLog /var/log/apache2/gitlab_access.log combined env=!dontlog
  CustomLog /var/log/apache2/gitlab.log combined

</VirtualHost>

Relevant part of /etc/gitlab/gitlab.rb

external_url 'https://git.mydomain.com'

nginx['enable'] = false
web_server['external_users'] = ['www-data']
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"

gitlab_rails['gitlab_email_reply_to'] = 'webmaster@mydomain.com'

The Runner config:

[[runners]]
  name = "Runner Name"
  url = "https://git.mydomain.com/ci"
  token = "Some generated token"
  executor = "shell"
  [runners.cache]

/etc/default/gitlab:

gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"

.gitlab-ci.yml:

stages:
  - compile

compilei7:
    stage: compile
    script:
        - /./home/public/folder/someScript.sh -f `$PWD`
    tags:
    - neededtag

All help is appreciated, I ran against a wall here. Thanks.

Answer 1

似乎这是我修复的一个更新，因为我发布了这个问题，因为它现在正在使用完全相同的服务器和配置。

Answer 2

This happens when a GitLab Runner tries to clone the project from the Git repo.

In order to solve that problem, add yourself as a member of the project:

1. Go to your project in GitLab.
2. From the menu in the left sidebar, select the Settings / Members entry.
3. In the Select member to invite input field, type your name (or name of the member that pushed his code).
4. In Choose a role permission , select Developer .
5. Click the Add to project button.