| stage | group | info |
|---|---|---|
| Deploy | Environments | To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments |
DETAILS:
Tier: Free, Premium, Ultimate
Offering: Self-managed
- Disabled on self-managed in GitLab 15.0.
WARNING: This feature was deprecated in GitLab 14.5.
FLAG: On self-managed GitLab, by default this feature is not available. To make it available, an administrator can enable the feature flag named `certificate_based_clusters`.
With the introduction of the Kubernetes integration, GitLab can store and use credentials for a Kubernetes cluster. GitLab uses these credentials to provide access to web terminals for environments.
NOTE: Only users with at least the Maintainer role for the project access web terminals.
A detailed overview of the architecture of web terminals and how they work can be found in this document. In brief:
GitLab and GitLab Runner take some precautions to keep interactive web terminal data encrypted between them, and everything protected with authorization guards. This is described in more detail below.
- `[session_server]` is configured.
- `x509` certificate that is used for a `wss` (Web Socket Secure) connection.
- `(IP|HOST):PORT/session/$SOME_HASH`, where the `IP/HOST` and `PORT` are the configured `listen_address`.
- `wss` connection.
NOTE: AWS Classic Load Balancers do not support web sockets. If you want web terminals to work, use AWS Network Load Balancers. Read AWS Elastic Load Balancing Product Comparison for more information.
As web terminals use WebSockets, every HTTP/HTTPS reverse proxy in front of Workhorse must be configured to pass the `Connection` and `Upgrade` headers to the next one in the chain. GitLab is configured by default to do so.
However, if you run a load balancer in front of GitLab, you may need to make some changes to your configuration. These guides document the necessary steps for a selection of popular reverse proxies:
Workhorse doesn't let WebSocket requests through to non-WebSocket endpoints, so it's safe to enable support for these headers globally. If you prefer a narrower set of rules, you can restrict it to URLs ending with `/terminal.ws`. This approach may still result in a few false positives.
If you self-compiled your installation, you may need to make some changes to your configuration. Read Upgrading Community Edition and Enterprise Edition from source for more details.
To disable web terminal support in GitLab, stop passing the `Connection` and `Upgrade` hop-by-hop headers in the first HTTP reverse proxy in the chain. For most users, this is the NGINX server bundled with Linux package installations. In this case, you need to:
- `nginx['proxy_set_headers']` section of your `gitlab.rb` file
- `Connection` and `Upgrade` lines.
For your own load balancer, just reverse the configuration changes recommended by the above guides.
When these headers are not passed through, Workhorse returns a `400 Bad Request` response to users attempting to use a web terminal. In turn, they receive a `Connection failed` message.
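The header pass-through rule described above, as a simplified Ruby model added here (not GitLab, NGINX or Workhorse code): each proxy drops `Connection` and `Upgrade` unless it is configured to set them again, so a terminal request succeeds only if every hop does. The `Proxy` struct, the sample chain, the terminal path and the `101` success status (the standard WebSocket handshake response) are assumptions of the example.

```ruby
# Added example: a simplified model, not GitLab, NGINX or Workhorse code.
# Header names are lower-cased; Proxy and the sample data are constructed.
HOP_BY_HOP = %w[connection upgrade].freeze

def websocket_upgrade?(headers)
  tokens = headers['connection'].to_s.downcase.split(/\s*,\s*/)
  tokens.include?('upgrade') && headers['upgrade'].to_s.casecmp?('websocket')
end

# One reverse proxy. Hop-by-hop headers reach the next hop only if this proxy
# is configured to set them again, optionally just for paths matching `only`.
Proxy = Struct.new(:name, :pass_upgrade, :only) do
  def forward(path, headers)
    out = headers.reject { |name, _| HOP_BY_HOP.include?(name) }
    allowed = pass_upgrade && (only.nil? || path.match?(only))
    if allowed && websocket_upgrade?(headers)
      out['connection'] = 'upgrade'
      out['upgrade'] = 'websocket'
    end
    out
  end
end

# Headers as they arrive at Workhorse after crossing every proxy in order.
def headers_at_workhorse(chain, path, headers)
  chain.reduce(headers) { |h, proxy| proxy.forward(path, h) }
end

# Status for a terminal request: 101 when the upgrade survives the chain,
# 400 Bad Request (as the page describes) when any hop dropped the headers.
def terminal_status(chain, path, headers)
  websocket_upgrade?(headers_at_workhorse(chain, path, headers)) ? 101 : 400
end

# First hop that loses the upgrade, to show where to fix the configuration.
def first_blocking_hop(chain, path, headers)
  chain.each do |proxy|
    headers = proxy.forward(path, headers)
    return proxy.name unless websocket_upgrade?(headers)
  end
  nil
end

BROWSER = { 'connection' => 'keep-alive, Upgrade', 'upgrade' => 'websocket' }.freeze
TERMINAL = '/group/project/-/environments/1/terminal.ws' # constructed path
NARROW = %r{/terminal\.ws\z}                             # narrower rule from the page
CHAIN = [Proxy.new('load balancer', true, NARROW), Proxy.new('bundled NGINX', false)].freeze
puts "#{terminal_status(CHAIN, TERMINAL, BROWSER)}, lost at #{first_blocking_hop(CHAIN, TERMINAL, BROWSER)}"
```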
By default, terminal sessions do not expire. To limit the terminal session lifetime in your GitLab instance:
- `max session time`.