
Cluster network configuration

GitHub Enterprise Server clustering relies on proper DNS name resolution, load balancing, and communication between nodes to operate properly.

Network considerations

The simplest network design for clustering is to place the nodes on a single LAN. If a cluster must span subnetworks, we do not recommend configuring any firewall rules between the networks. The latency between nodes should be less than 1 millisecond.

For high availability, the latency between the network with the active nodes and the network with the passive nodes must be less than 70 milliseconds. We do not recommend configuring a firewall between the two networks.

Application ports for end users

Application ports provide web application and Git access for end users.

Port       | Description                                                  | Encrypted
22/TCP     | Git over SSH                                                 | Yes
25/TCP     | SMTP                                                         | Requires STARTTLS
80/TCP     | HTTP (when SSL is enabled this port redirects to HTTPS)      | No
443/TCP    | HTTPS                                                        | Yes
9418/TCP   | Simple Git protocol port (disabled in private mode)          | No

Administrative ports

Administrative ports are not required for basic application use by end users.

Port       | Description                                                          | Encrypted
ICMP       | ICMP Ping                                                            | No
122/TCP    | Administrative SSH                                                   | Yes
161/UDP    | SNMP                                                                 | No
8080/TCP   | Management Console HTTP (when SSL is enabled this port redirects to HTTPS) | No
8443/TCP   | Management Console HTTPS                                             | Yes

Cluster communication ports

If a network level firewall is in place between nodes, these ports will need to be accessible. The communication between nodes is not encrypted. These ports should not be accessible externally.

Port        | Description
1336/TCP    | Internal API
3033/TCP    | Internal SVN access
3037/TCP    | Internal SVN access
3306/TCP    | MySQL
4486/TCP    | Governor access
5115/TCP    | Storage backend
5208/TCP    | Internal SVN access
6379/TCP    | Redis
8001/TCP    | Grafana
8090/TCP    | Internal GPG access
8149/TCP    | GitRPC file server access
8300/TCP    | Consul
8301/TCP    | Consul
8302/TCP    | Consul
9000/TCP    | Git Daemon
9102/TCP    | Pages file server
9105/TCP    | LFS server
9200/TCP    | Elasticsearch
9203/TCP    | Semantic code service
9300/TCP    | Elasticsearch
11211/TCP   | Memcache
161/UDP     | SNMP
8125/UDP    | Statsd
8301/UDP    | Consul
8302/UDP    | Consul
25827/UDP   | Collectd
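The three tables above say which network each port group belongs to but leave the enforcement to you. The following Python is an added example written for this page, not tooling shipped with GitHub Enterprise Server: it turns those port numbers into an nftables ruleset for one node (application ports open, administrative ports limited to an admin network, unencrypted cluster ports limited to the other nodes) and includes a small check that flags cluster ports an external scan should never have found. The peer node addresses and the admin network are placeholders, and the generator is IPv4 only.

```python
"""Build an nftables ruleset that exposes each group of ports from the
tables above only to the network that needs it.  Added example written for
this page, not tooling shipped with GitHub Enterprise Server.  Node
addresses and the admin network are placeholders; IPv4 only."""
import ipaddress

# Port groups copied from the tables above: (port, protocol)
APP_PORTS = [(22, "tcp"), (25, "tcp"), (80, "tcp"), (443, "tcp"), (9418, "tcp")]
ADMIN_PORTS = [(122, "tcp"), (161, "udp"), (8080, "tcp"), (8443, "tcp")]
CLUSTER_TCP = [1336, 3033, 3037, 3306, 4486, 5115, 5208, 6379, 8001, 8090, 8149,
               8300, 8301, 8302, 9000, 9102, 9105, 9200, 9203, 9300, 11211]
CLUSTER_UDP = [161, 8125, 8301, 8302, 25827]


def _set(values):
    """Render a list as an nft anonymous set: { a, b, c }."""
    return "{ " + ", ".join(str(v) for v in values) + " }"


def build_ruleset(node_addrs, admin_net):
    """Return an nft ruleset (string) for one cluster node.

    - application ports: open to anyone (in practice only the load balancer
      should reach them, see the load balancer section);
    - administrative ports and ICMP echo: only from admin_net;
    - cluster communication ports: only from the other nodes' addresses,
      because that traffic is unencrypted.
    The chain's default policy drops everything else."""
    nodes = [str(ipaddress.IPv4Address(a)) for a in node_addrs]      # raises on bad input
    admin = str(ipaddress.IPv4Network(admin_net, strict=True))      # rejects host bits set
    if not nodes:
        raise ValueError("at least one peer node address is required")
    app_tcp = [p for p, proto in APP_PORTS if proto == "tcp"]
    admin_tcp = [p for p, proto in ADMIN_PORTS if proto == "tcp"]
    admin_udp = [p for p, proto in ADMIN_PORTS if proto == "udp"]
    lines = [
        "table inet ghes {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f"    tcp dport {_set(app_tcp)} accept",
        f"    ip saddr {admin} icmp type echo-request accept",
        f"    ip saddr {admin} tcp dport {_set(admin_tcp)} accept",
        f"    ip saddr {admin} udp dport {_set(admin_udp)} accept",
        f"    ip saddr {_set(nodes)} tcp dport {_set(CLUSTER_TCP)} accept",
        f"    ip saddr {_set(nodes)} udp dport {_set(CLUSTER_UDP)} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def leaked_cluster_ports(ports_open_from_outside):
    """Given the open TCP ports seen by a scan run from outside the cluster
    network, return those that belong to the cluster communication table and
    therefore should not have been reachable at all."""
    return sorted(p for p in set(ports_open_from_outside) if p in CLUSTER_TCP)


if __name__ == "__main__":
    print(build_ruleset(["10.0.0.11", "10.0.0.12"], "10.1.0.0/24"))
    # Constructed scan result: 3306 and 9200 answering from outside is a misconfiguration.
    print("leaked:", leaked_cluster_ports([22, 80, 443, 3306, 9200]))
```

Load the output with `nft -f` on each node after substituting that node's peers; the `policy drop` default is what turns the tables into a deny-by-default posture rather than a list of suggestions.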

Configuring a load balancer

We recommend an external TCP-based load balancer that supports the PROXY protocol to distribute traffic across nodes. Consider these load balancer configurations:

  • TCP ports (shown below) should be forwarded to nodes running the web-server service. These are the only nodes that serve external client requests.
  • Sticky sessions shouldn't be enabled.

Warning: When terminating HTTPS connections on the load balancer, the requests from the load balancer to GitHub Enterprise Server also need to use HTTPS. Downgrading the connection to HTTP is not supported.

Handling client connection information

Because client connections to the cluster come from the load balancer, the client IP address can be lost. To properly capture the client connection information, additional consideration is required.

If your load balancer can support the PROXY protocol, we strongly recommend implementing it. If PROXY support is not available, the HTTP and HTTPS ports can also be load balanced using the X-Forwarded-For header.

Security warning: When PROXY support or HTTP forwarding is enabled, it is critical that no external traffic can reach the GitHub Enterprise Server appliances directly. If external traffic is not properly blocked, the source IP address can be forged.

Enabling PROXY support on GitHub Enterprise Server

We strongly recommend enabling PROXY support for both your instance and the load balancer.

Note: GitHub Enterprise Server supports PROXY protocol V1, which is not compatible with AWS Network Load Balancers. If you use an AWS Network Load Balancer with GitHub Enterprise Server, do not enable PROXY support.

  • For your instance, use this command:

    $ ghe-config 'loadbalancer.proxy-protocol' 'true' && ghe-cluster-config-apply
  • For the load balancer, use the instructions provided by your vendor.

    PROXY protocol TCP port mappings

    Source port | Destination port | Service description
    22          | 23               | Git over SSH
    80          | 81               | HTTP
    443         | 444              | HTTPS
    8080        | 8081             | Management Console HTTP
    8443        | 8444             | Management Console HTTPS
    9418        | 9419             | Git
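To make the mapping above and the earlier security warning concrete, here is an added Python example written for this page (it is not GitHub's or any load balancer vendor's code). It builds the PROXY protocol v1 line that the load balancer prepends to each forwarded connection, parses that line on the receiving side, maps each load balancer port to the node port that expects the header, and shows why direct access to the node must be blocked: the header carries no proof of who wrote it, so anyone who can reach port 444 directly can claim any source address. All addresses and ports in the samples are made up.

```python
"""PROXY protocol v1 between the load balancer and the appliance: build the
header, parse it, map load balancer ports to node ports, and show a forged
header.  Added example written for this page; not GitHub's or any vendor's
code.  All addresses and ports in the samples are made up."""
import ipaddress

# Page's table: port the load balancer listens on -> node port that expects a PROXY header
PROXY_PORT_MAP = {22: 23, 80: 81, 443: 444, 8080: 8081, 8443: 8444, 9418: 9419}

MAX_V1_HEADER = 107   # v1 header length limit, including the trailing CRLF


def backend_port_for(lb_port):
    """Node port the load balancer must forward to once PROXY support is on."""
    return PROXY_PORT_MAP[lb_port]


def build_v1_header(client_ip, lb_ip, client_port, lb_port):
    """Header describing the original client connection (client -> load balancer)."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(lb_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    for p in (client_port, lb_port):
        if not 0 < p < 65536:
            raise ValueError("bad port")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {client_port} {lb_port}\r\n".encode("ascii")


def parse_v1_header(stream):
    """Split a v1 header off the front of received bytes.

    Returns ({src, dst, sport, dport}, remaining_bytes).  Raises ValueError on
    anything malformed: a receiver on a PROXY port must not quietly fall back
    to treating the bytes as ordinary traffic.  Only TCP4/TCP6 headers are
    handled; the spec's 'PROXY UNKNOWN' form is rejected here."""
    if not stream.startswith(b"PROXY "):
        raise ValueError("missing PROXY header")
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within %d bytes" % MAX_V1_HEADER)
    fields = stream[:end].decode("ascii", "strict").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match header")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 < sport < 65536 and 0 < dport < 65536):
        raise ValueError("bad port")
    info = {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}
    return info, stream[end + 2:]


def forged_client_ip():
    """Why the security warning above matters: nothing in the header proves
    who wrote it.  An attacker who can reach node port 444 directly just
    sends their own line, and the parser reports whatever source they chose."""
    attacker_bytes = b"PROXY TCP4 203.0.113.5 10.0.0.20 4444 443\r\nGET / HTTP/1.1\r\n"
    info, _ = parse_v1_header(attacker_bytes)
    return info["src"]   # "203.0.113.5", not the attacker's real address


if __name__ == "__main__":
    hdr = build_v1_header("198.51.100.7", "10.0.0.20", 51234, 443)
    print(hdr)
    print(parse_v1_header(hdr + b"GET / HTTP/1.1\r\n"))
    print("forward 443 ->", backend_port_for(443), "| forged src:", forged_client_ip())
```

The parser refuses to fall through to plain traffic on a PROXY port on purpose: once `loadbalancer.proxy-protocol` is on, ports 23, 81, 444 and so on only make sense behind a load balancer that always sends the header, and a firewall rule that limits those ports to the load balancer's addresses is what stops the forged line shown in `forged_client_ip` from ever arriving.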

Enabling X-Forwarded-For support on GitHub Enterprise Server

Only use the X-Forwarded-For protocol when the PROXY protocol is not available. The X-Forwarded-For header only works with HTTP and HTTPS. The IP address reported for Git connections over SSH will show the load balancer's IP.

To enable the X-Forwarded-For header, use this command:

$ ghe-config 'loadbalancer.http-forward' 'true' && ghe-cluster-config-apply

TCP port mappings for use without PROXY support

Source port | Destination port | Service description
22          | 22               | Git over SSH
25          | 25               | SMTP
80          | 80               | HTTP
443         | 443              | HTTPS
8080        | 8080             | Management Console HTTP
8443        | 8443             | Management Console HTTPS
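With `loadbalancer.http-forward` enabled, the node must decide which entry in X-Forwarded-For is the real client, and the earlier security warning applies: the header is just text that any client can set. The following Python is an added example written for this page, not GitHub's implementation, of the standard way to do that safely: trust the header only when the TCP peer is the load balancer, then walk the chain from the right past any trusted proxy addresses. The trusted ranges and sample addresses are constructed.

```python
"""Recover the client address from X-Forwarded-For while trusting only the
load balancer.  Added example written for this page, not GitHub's code.
The trusted ranges and sample addresses are constructed."""
import ipaddress


def client_ip_from_xff(xff_header, peer_ip, trusted_proxies):
    """Return the client's address as a string.

    peer_ip is the TCP peer of the connection, the one address that cannot be
    forged.  If the peer is not a trusted proxy, the header was written by the
    client (or by an attacker with direct access to the node) and is ignored.
    Otherwise walk the chain from the right, skipping trusted proxies; the
    first untrusted entry is the client.  Anything unparsable means the
    header cannot be trusted, so fall back to the peer."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not is_trusted(ip):
            return str(ip)
    return str(peer)   # header absent, or it lists only proxies


if __name__ == "__main__":
    lb = ["10.0.0.0/24"]   # constructed: the load balancer's network
    # Honest request through the load balancer
    print(client_ip_from_xff("198.51.100.7", "10.0.0.2", lb))
    # Client sent a forged header, load balancer appended the real address
    print(client_ip_from_xff("192.0.2.44, 198.51.100.7", "10.0.0.2", lb))
    # Attacker reached the node directly and forged the header: peer wins
    print(client_ip_from_xff("192.0.2.44", "203.0.113.9", lb))
```

The second and third calls are the two abuse cases the page warns about. When the load balancer appends the real client after a forged entry, walking from the right recovers the true address; when the connection bypasses the load balancer, nothing in the header is believed. Both only hold if the list of trusted proxies is exact, which is another reason to firewall the nodes so that only the load balancer can reach ports 80 and 443.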

Configuring Health Checks

Health checks allow a load balancer to stop sending traffic to a node that is not responding if a pre-configured check fails on that node. If a cluster node fails, health checks paired with redundant nodes provides high availability.

Configure the load balancer to check one of the following URLs:

  • If HTTPS is enabled (the default), check https://HOSTNAME/status
  • If HTTPS is disabled, check http://HOSTNAME/status

The check returns status code 200 (OK) if the node is healthy and able to serve end-user requests.

Note: When the appliance is in maintenance mode, the https://HOSTNAME/status URL returns status code 503 (Service Unavailable). For more information, see "Enabling and scheduling maintenance mode."

DNS Requirements

DNS lookups for the GitHub Enterprise Server hostname should resolve to the load balancer. We recommend that you enable subdomain isolation. If subdomain isolation is enabled, an additional wildcard record, *.HOSTNAME, should also resolve to the load balancer. For more information, see "Enabling subdomain isolation."