User talk:Fislam

From ICO wiki
Jump to navigationJump to search

Installation

Preparing

Some necessary packages that must be installed prior to beginning with the actual gogs installation. First of all do a sudo apt-get update Install the following packages (some are for later) sudo apt-get install -y gcc g++ build-essential dpkg mysql-server wget

During the installation, you will be asked to enter the password of the database root user. Make sure you use a secure one, and remember it, because you'll need it later in this tutorial.Now create and open a file named gogs.sql. Here, we're using nano, but you can use your favorite text editor.

nano gogs.sql

Paste this in the newly created sql dump

DROP DATABASE IF EXISTS gogs; CREATE DATABASE IF NOT EXISTS gogs CHARACTER SET utf8 COLLATE utf8_general_ci;

Finally, execute gogs.sql with MySQL to create the Gogs database. Replace your_password with the root password you chose earlier in this step. mysql -u root -pyour_password < gogs.sql

To install Gogs from source, version control tools like Git and Mercurial are needed, so install them next. sudo apt-get -y install mercurial git

Installing Go

It is recoomended to add a new user git before installing go. Root permissions are not required for this user.

adduser git

Because Gogs is written in Go, we need to install it before compiling Gogs.

First, there are some environment variables we need to set for Go. To do that, open the file ~/.bashrc for editing.

nano ~/.bashrc

Add the following lines to the end of the file, then close and save it.

export GOPATH=/home/git/go

export GOROOT=/usr/local/src/go

export PATH=${PATH}:$GOROOT/bin

Next, apply your changes.

source ~/.bashrc

Now get the most recent compiled version of go from their website

wget https://storage.googleapis.com/golang/go1.4.2.linux-amd64.tar.gz

Decompress

tar zxf go1.4.2.linux-amd64.tar.gz

Change directories to the $GOROOT we defined in ~/.bashrc.

sudo mv go $GOROOT

Now test if Go is working.

Installing Gogs

Go has a built in command, get, for easily downloading the source code of a Go project along with all of its dependencies, which we'll use to download Gogs.

go get -d github.com/gogits/gogs

The source code of Gogs will now be in $GOPATH/src/github.com/gogits/gogs, so move there.

cd $GOPATH/src/github.com/gogits/gogs

Next, build and generate the binary. This command may take a moment to run.

go build

Now test go by moving into go directory and typing

./go

This should run Go. However, to run it on the the background.

./go &

Using Supervisor to manage Go

sudo apt-get -y install supervisor

Let's make a Gogs daemon by creating a Supervisor configuration section. First, create a directory for the log files to live in.

sudo mkdir -p /var/log/gogs

sudo nano /etc/supervisor/supervisord.conf

Append the following contents to the file to create the Gogs section.

[program:gogs]

directory=/home/git/go/src/github.com/gogits/gogs/

command=/home/git/go/src/github.com/gogits/gogs/gogs web

autostart=true

autorestart=true

startsecs=10

stdout_logfile=/var/log/gogs/stdout.log

stdout_logfile_maxbytes=1MB

stdout_logfile_backups=10

stdout_capture_maxbytes=1MB

stderr_logfile=/var/log/gogs/stderr.log

stderr_logfile_maxbytes=1MB

stderr_logfile_backups=10

stderr_capture_maxbytes=1MB

environment = HOME="/home/git", USER="git"

user = git

This section defines the command we want to execute to start Gogs, automatically starts it with Supervisor, and specifies the locations of log files.

sudo service supervisor restart

We can check that Gogs is running with the following command.

ps -ef | grep gogs

You can verify that the server is running by taking a look at the stdout.log file, too.

tail /var/log/gogs/stdout.log

Output should look like 2017/12/31 14:24:42 [I] Gogs: Go Git Service 0.5.16.0301 Beta

Deploying

Set up nginx as reverse proxy

You should also be able visit the web page with URL http://your_server_ip:3000/. This will redirect to the installation page, but don't fill that out just yet. But we want it running on port 80 for now.

Install nginx

sudo apt-get -y install nginx

Create a config file

sudo nano /etc/nginx/sites-available/servername

Adjust to the following template

server {

   listen 80;
   server_name your_server_ip;
   proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP
   location / {
       proxy_pass http://localhost:3000;
   }

}

And symlink it so that Nginx can use it.

sudo ln -s /etc/nginx/sites-available/gogs /etc/nginx/sites-enabled/gogs

For more about Nginx virtual host configuration files, see this tutorial.

Finally, restart Nginx to activate the virtual host configuration.

sudo service nginx restart

You should now be able visit the web page with the URL http://your_server_ip/, without specifying the port.

Initialize Gogs

There is one more simple step left to initialize Gogs for its first run.

Visit http://your_server_ip/install and fill in the following options. Many of them will be filled out for you already, but make sure to replace the variables in red with the values for your server.

In the first section, Gogs requires MySQL, PostgreSQL or SQLite3, fill out:

Database Type: MySQL Host: 127.0.0.1:3306 User: root Password: your_database_password Database Name: gogs In the second section, General Settings of Gogs, fill out:

Repository Root Path: /home/git/gogs-repositories Run User: git Domain: your_server_ip HTTP Port: 3000 Application URL: http://your_server_ip/ Skip the optional e-mail and notification settings, then under Admin Account Settings, choose an admin username and password, and include your email address. We'll refer to the admin username as your_admin_username in the next step.

Finally, click Install Gogs, and then log in.

Test Gogs

First, go to http://your_server_ip/repo/create and create a repository with the name my-test-repo, and you click on the option Initialize this repository with a README.md.

Now you should be able to clone it. First, move to your home directory.

cd Next, clone the repository.

git clone http://your_server_ip/your_admin_username/my-test-repo.git Change to the repository directory.

cd my-test-repo Update the README.md.

echo 'Blaaa blaaa World' >> README.md Commit your changes and push them. This command will ask you for your Gogs username and password.

git add --all && git commit -m "init commit" && git push origin master

Securing gogs

We need to install Let's Encrypt, generate CA certificate and use nginx to redirect HTTP traffic to HTTPS.

First, add the repository.

sudo add-apt-repository ppa:certbot/certbot

You'll need to press ENTER to accept. Then, update the package list to pick up the new repository's package information.

sudo apt-get update

sudo apt-get install python-certbot-nginx

Configure Iptables

Before starting with the certificate, Iptables should be configured.

sudo apt install iptables iptables-persistent

you can use the following iptables rules

-P INPUT DROP

-P FORWARD DROP

-P OUTPUT ACCEPT

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT

-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT

Make the rules persistent.

sudo invoke-rc.d iptables-persistent save

View Iptables status

iptables -L

Obtain SSL Certiciate

Install CertBot & Let's Encrypt Add the repository

sudo add-apt-repository ppa:certbot/certbot

apt update

sudo apt-get install python-certbot-apache

sudo certbot --nginx -d example.com -d www.example.com

This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If that's successful, certbot will ask how you'd like to configure your HTTPS settings. For the moment do not select any redirection. Keep using http.

Self-signed cert (If you do not use Let's Encrypt

In case of a self signed certificate sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Generate DHParam and strengthen nginx

While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.

We can do this by typing:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create a Configuration Snippet with Strong Encryption Settings

Next, we will create another snippet that will define some SSL settings. This will set Nginx up with a strong SSL cipher suite and enable some advanced features that will help keep our server secure.

The parameters we will set can be reused in future Nginx configurations, so we will give the file a generic name:

sudo nano /etc/nginx/snippets/ssl-params.conf

Paste the following

  1. from https://cipherli.st/
  2. and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

ssl_ecdh_curve secp384r1;

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off;

ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

  1. Disable preloading HSTS for now. You can use the commented out header line that includes
  1. the "preload" directive if you understand the implications.
  1. add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Reconfigure nginx for https redirection

Fairly straightforward process assuming your servername is servername.eu. Open up the nano /etc/nginx/sites-available/servername

the configuration file should look like this:

server {

       server_name servername.eu;
       listen 443 ssl; # managed by Certbot
       ssl_certificate /etc/letsencrypt/live/servername.eu/full.pem# managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/servername.eu/privkey.pem; # managed by Certbot
       include snippets/ssl-params.conf;
       proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP
       
       location / {
       proxy_pass http://localhost:3000;}}

server{

       server_name servername.eu
       listen 80;
       return 301 https://servername.eu;}