Using GitHub Enterprise Server with a load balancer
Use a load balancer in front of a single GitHub Enterprise Server appliance or a pair of appliances in a High Availability configuration.
A load balancer design uses a network device to direct Git and HTTP traffic to individual GitHub Enterprise Server appliances. You can use a load balancer to restrict direct traffic to the appliance for security purposes or to redirect traffic if needed without DNS record changes. We strongly recommend using a TCP-based load balancer that supports the PROXY protocol.
DNS lookups for the GitHub Enterprise Server hostname should resolve to the load balancer. We recommend that you enable subdomain isolation. If subdomain isolation is enabled, an additional wildcard record (*.HOSTNAME) should also resolve to the load balancer. For more information, see "Enabling subdomain isolation."
Handling client connection information
Because client connections to GitHub Enterprise Server come from the load balancer, the client IP address can be lost.
If your load balancer supports it, we strongly recommend implementing the PROXY protocol. When no PROXY support is available, it is also possible to load balance the HTTP and HTTPS ports using the X-Forwarded-For header.
Security Warning: When either PROXY support or HTTP forwarding is enabled, it is critical that no external traffic can directly reach the GitHub Enterprise Server appliances. If external traffic is not properly blocked, the source IP addresses can be forged.
Enabling PROXY protocol support on your GitHub Enterprise Server instance
We strongly recommend enabling PROXY protocol support for both your appliance and the load balancer. Follow your vendor's instructions to enable the PROXY protocol on your load balancer. For more information, see the PROXY protocol documentation.
1. In the upper-right corner of any page, click the rocket ship (site admin) icon.
2. In the left sidebar, click Management Console.
3. In the left sidebar, click Privacy.
4. Under External load balancers, select Enable support for PROXY protocol.
5. Under the left sidebar, click Save settings.
PROXY protocol TCP port mappings
The load balancer accepts client connections on the source port and forwards them, with the PROXY header prepended, to the destination port on the appliance.

| Source port | Destination port | Service description |
|---|---|---|
| 22 | 23 | Git over SSH |
| 80 | 81 | HTTP |
| 443 | 444 | HTTPS |
| 8080 | 8081 | Management Console HTTP |
| 8443 | 8444 | Management Console HTTPS |
| 9418 | 9419 | Git |
Enabling X-Forwarded-For support on your GitHub Enterprise Server instance
Use the X-Forwarded-For header only when the PROXY protocol is unavailable. The X-Forwarded-For header only works with HTTP and HTTPS. The IP address reported for Git connections over SSH will show the load balancer IP.
Warning: When terminating HTTPS connections on a load balancer, the requests from the load balancer to GitHub Enterprise Server also need to use HTTPS. Downgrading the connection to HTTP is not supported.
1. In the upper-right corner of any page, click the rocket ship (site admin) icon.
2. In the left sidebar, click Management Console.
3. In the left sidebar, click Privacy.
4. Under External load balancers, select Allow HTTP X-Forwarded-For header.
5. Under the left sidebar, click Save settings.
Protocol TCP port mappings for use without PROXY support
Without the PROXY protocol the load balancer forwards each source port to the same port on the appliance.

| Source port | Destination port | Service description |
|---|---|---|
| 22 | 22 | Git over SSH |
| 25 | 25 | SMTP |
| 80 | 80 | HTTP |
| 443 | 443 | HTTPS |
| 8080 | 8080 | Management Console HTTP |
| 8443 | 8443 | Management Console HTTPS |
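The security warning earlier in this article applies to both mechanisms described above: a PROXY protocol header or an X-Forwarded-For header is only meaningful when it was written by the load balancer, so anything that consumes it must first check that the TCP peer is the load balancer. The following is an added example illustrating that trust decision; it is not code from the GitHub documentation or from GitHub Enterprise Server itself. The load balancer address 10.0.0.5 and all client addresses are constructed values.

```python
import ipaddress
from typing import Tuple

# Constructed example value (not from the GitHub docs): the address the load
# balancer uses when it opens connections to the appliance. PROXY headers and
# X-Forwarded-For values are believed only when they arrive from these peers.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def parse_proxy_v1(header: bytes) -> Tuple[str, int, str, int]:
    """Parse a PROXY protocol v1 header line.

    Wire format: b"PROXY TCP4 <src_ip> <dst_ip> <src_port> <dst_port>\r\n"
    (TCP6 for IPv6). Returns (src_ip, src_port, dst_ip, dst_port) and raises
    ValueError on anything that does not match the specification.
    """
    # v1 lines are at most 107 bytes including the CRLF terminator.
    if len(header) > 107 or not header.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header: bad length or terminator")
    fields = header[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % header)
    family = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match declared protocol")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return str(src), src_port, str(dst), dst_port


def client_ip_from_proxy(peer_ip: str, header: bytes) -> str:
    """Client address for a TCP connection that may carry a PROXY v1 header.

    The header is honoured only when the TCP peer is a trusted load balancer.
    A peer that reaches the appliance directly could send any PROXY line it
    likes, so its header is ignored and the real peer address is reported.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip
    src_ip, _src_port, _dst_ip, _dst_port = parse_proxy_v1(header)
    return src_ip


def client_ip_from_xff(peer_ip: str, xff: str) -> str:
    """Client address for an HTTP request carrying X-Forwarded-For.

    Each proxy appends the address it saw to the right of the list, so the
    rightmost entry that does not belong to a trusted proxy is the client as
    seen by the load balancer. Entries to its left were supplied by the client
    and are untrusted.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer_ip


if __name__ == "__main__":
    # Constructed traffic: the same PROXY line arriving via the load balancer
    # and directly from the Internet, plus an X-Forwarded-For list whose first
    # entry was injected by the client.
    line = b"PROXY TCP4 203.0.113.10 10.0.0.20 51234 443\r\n"
    print("via load balancer:   ", client_ip_from_proxy("10.0.0.5", line))
    print("direct from Internet:", client_ip_from_proxy("198.51.100.7", line))
    print("XFF with spoofed prefix:",
          client_ip_from_xff("10.0.0.5", "192.0.2.1, 203.0.113.10"))
```

The direct connection case is exactly what the security warning is about: if the appliance can be reached without passing through the load balancer, a peer-address check is the only thing standing between an attacker and a forged source IP in the audit log, which is why the article requires that external traffic be blocked at the network level rather than relying on the header alone.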
Configuring health checks
Health checks allow a load balancer to stop sending traffic to a node that is not responding if a pre-configured check fails on that node. If the appliance is offline due to maintenance or an unexpected failure, the load balancer can display a status page. In a High Availability (HA) configuration, a load balancer can be used as part of a failover strategy. However, automatic failover of HA pairs is not supported. You must manually promote the replica appliance before it will begin serving requests. For more information, see "Configuring GitHub Enterprise Server for High Availability."
Configure the load balancer to check one of these URLs:
- https://HOSTNAME/status if HTTPS is enabled (default)
- http://HOSTNAME/status if HTTPS is disabled
The check will return status code 200 (OK) if the node is healthy and available to service end-user requests.
Note: When the appliance is in maintenance mode, the https://HOSTNAME/status URL will return status code 503 (Service Unavailable). For more information, see "Enabling and scheduling maintenance mode."