Static objects external storage

原文:https://docs.gitlab.com/ee/administration/static_objects_external_storage.html

Static objects external storage

在 GitLab 12.3 中引入 .

可以将 GitLab 配置为从外部存储(例如内容交付网络(CDN))为存储库静态对象(例如,存档或原始 Blob)提供服务.

Configuring

要为静态对象配置外部存储,请执行以下操作:

  1. 导航到” 管理区域”>”设置”>”存储库” .
  2. 展开” 存储库静态对象”部分.
  3. 输入基本 URL 和任意令牌. 设置外部存储时 ,您将使用一个脚本,将这些值用作ORIGIN_HOSTNAMESTORAGE_TOKEN .

需要使用令牌来区分来自外部存储的请求,因此用户无需绕过外部存储就可以直接前往应用程序. 令牌应在来自外部存储的请求中的X-Gitlab-External-Storage-Token标头中设置.

Serving private static objects

GitLab 将为属于私有项目的静态对象 URL 附加一个用户特定的令牌,因此可以代表用户对外部存储进行身份验证. 当处理来自外部存储的请求时,GitLab 将在token查询参数或X-Gitlab-Static-Object-Token标头中查找X-Gitlab-Static-Object-Token以检查用户访问所请求对象的能力.

Requests flow example

以下示例显示了用户,GitLab 和 CDN 之间的一系列请求和响应:

sequenceDiagram User->> GitLab:GET /project/-/archive/master.zip GitLab->>用户:302 找到有关 User,GitLab 的注释:位置:https://cdn.com/project/-/archive/master. zip?token =安全用户令牌用户->> CDN:GET /project/-/archive/master.zip?token=安全用户令牌替代对象不在缓存 CDN->> GitLab:GET / project /- /archive/master.zip 关于 CDN,GitLab 的说明:X-Gitlab-External-Storage-Token:secure-cdn-token X-Gitlab-Static-Object-Token:安全用户令牌 GitLab->> CDN:200 OK CDN->>用户:master.zip 其他对象在缓存 CDN->> GitLab:GET / project /-/ a​​rchive / master.zip 关于 CDN,GitLab 的说明:X-Gitlab-External-Storage-Token:secure-cdn-token X-Gitlab-Static-Object-Token:安全用户令牌 如果不匹配:etag 值 GitLab->> CDN:304 未修改 CDN->>用户:master.zip 结束

Set up external storage

尽管此过程使用CloudFlare Workers进行外部存储,但其他 CDN 或功能即服务(FaaS)系统应使用相同的原理工作.

  1. 如果还没有,请选择一个 CloudFlare Worker 域.

  2. 在以下脚本中,为前两个常量设置以下值:

    • ORIGIN_HOSTNAME :GitLab 安装的主机名.

    • STORAGE_TOKEN :任何任意的安全令牌(例如,您可以通过在 UNIX 计算机上运行pwgen -cn1 64来获得一个). 按照配置部分中的说明将此令牌保存到管理面板.

      1. const ORIGIN_HOSTNAME = 'gitlab.installation.com' // FIXME: SET CORRECT VALUE
      2. const STORAGE_TOKEN = 'very-secure-token' // FIXME: SET CORRECT VALUE
      3. const CACHE_PRIVATE_OBJECTS = false
      5. const CORS_HEADERS = {
      6.   'Access-Control-Allow-Origin': '*',
      7.   'Access-Control-Allow-Methods': 'GET, HEAD, OPTIONS',
      8.   'Access-Control-Allow-Headers': 'X-Csrf-Token, X-Requested-With',
      9. }
      11. self.addEventListener('fetch', event => event.respondWith(handle(event)))
      13. async function handle(event) {
      14.   try {
      15.     let response = await verifyAndHandle(event);
      17.     // responses returned from cache are immutable, so we recreate them
      18.     // to set CORS headers
      19.     response = new Response(response.body, response)
      20.     response.headers.set('Access-Control-Allow-Origin', '*')
      22.     return response
      23.   } catch (e) {
      24.     return new Response('An error occurred!', {status: e.statusCode || 500})
      25.   }
      26. }
      28. async function verifyAndHandle(event) {
      29.   if (!validRequest(event.request)) {
      30.     return new Response(null, {status: 400})
      31.   }
      33.   if (event.request.method === 'OPTIONS') {
      34.     return handleOptions(event.request)
      35.   }
      37.   return handleRequest(event)
      38. }
      40. function handleOptions(request) {
      41.   // Make sure the necessary headers are present
      42.   // for this to be a valid pre-flight request
      43.   if (
      44.     request.headers.get('Origin') !== null &&
      45.     request.headers.get('Access-Control-Request-Method') !== null &&
      46.     request.headers.get('Access-Control-Request-Headers') !== null
      47.   ) {
      48.     // Handle CORS pre-flight request
      49.     return new Response(null, {
      50.       headers: CORS_HEADERS,
      51.     })
      52.   } else {
      53.     // Handle standard OPTIONS request
      54.     return new Response(null, {
      55.       headers: {
      56.         Allow: 'GET, HEAD, OPTIONS',
      57.       },
      58.     })
      59.   }
      60. }
      62. async function handleRequest(event) {
      63.   let cache = caches.default
      64.   let url = new URL(event.request.url)
      65.   let static_object_token = url.searchParams.get('token')
      66.   let headers = new Headers(event.request.headers)
      68.   url.host = ORIGIN_HOSTNAME
      69.   url = normalizeQuery(url)
      71.   headers.set('X-Gitlab-External-Storage-Token', STORAGE_TOKEN)
      72.   if (static_object_token !== null) {
      73.     headers.set('X-Gitlab-Static-Object-Token', static_object_token)
      74.   }
      76.   let request = new Request(url, { headers: headers })
      77.   let cached_response = await cache.match(request)
      78.   let is_conditional_header_set = headers.has('If-None-Match')
      80.   if (cached_response) {
      81.     return cached_response
      82.   }
      84.   // We don't want to override If-None-Match that is set on the original request
      85.   if (cached_response && !is_conditional_header_set) {
      86.     headers.set('If-None-Match', cached_response.headers.get('ETag'))
      87.   }
      89.   let response = await fetch(request, {
      90.     headers: headers,
      91.     redirect: 'manual'
      92.   })
      94.   if (response.status == 304) {
      95.     if (is_conditional_header_set) {
      96.       return response
      97.     } else {
      98.       return cached_response
      99.     }
      100.   } else if (response.ok) {
      101.     response = new Response(response.body, response)
      103.     // cache.put will never cache any response with a Set-Cookie header
      104.     response.headers.delete('Set-Cookie')
      106.     if (CACHE_PRIVATE_OBJECTS) {
      107.       response.headers.delete('Cache-Control')
      108.     }
      110.     event.waitUntil(cache.put(request, response.clone()))
      111.   }
      113.   return response
      114. }
      116. function normalizeQuery(url) {
      117.   let searchParams = url.searchParams
      118.   url = new URL(url.toString().split('?')[0])
      120.   if (url.pathname.includes('/raw/')) {
      121.     let inline = searchParams.get('inline')
      123.     if (inline == 'false' || inline == 'true') {
      124.       url.searchParams.set('inline', inline)
      125.     }
      126.   } else if (url.pathname.includes('/-/archive/')) {
      127.     let append_sha = searchParams.get('append_sha')
      128.     let path = searchParams.get('path')
      130.     if (append_sha == 'false' || append_sha == 'true') {
      131.       url.searchParams.set('append_sha', append_sha)
      132.     }
      133.     if (path) {
      134.       url.searchParams.set('path', path)
      135.     }
      136.   }
      138.   return url
      139. }
      141. function validRequest(request) {
      142.   let url = new URL(request.url)
      143.   let path = url.pathname
      145.   if (/^(.+)(\/raw\/|\/-\/archive\/)/.test(path)) {
      146.     return true
      147.   }
      149.   return false
      150. }

  3. 使用此脚本创建一个新的工作程序.

  4. 复制ORIGIN_HOSTNAMESTORAGE_TOKEN值. 使用这些值为静态对象配置外部存储 .