Fislam: Created page with "== Installation == ===Preparing=== Some necessary packages that must be installed prior to beginning with the actual gogs installation. First of all do a `sudo apt-get..."`


2017-12-22T12:37:58Z
Created page with "== Installation ==  ===Preparing=== Some necessary packages that must be installed prior to beginning with the actual gogs installation. First of all do a  <code>sudo apt-get..."
New page
== Installation ==



===Preparing===

Some necessary packages that must be installed prior to beginning with the actual gogs installation.

First of all do a 

<code>sudo apt-get update</code>

Install the following packages (some are for later)

<code>sudo apt-get install -y gcc g++ build-essential dpkg mysql-server wget</code>



During the installation, you will be asked to enter the password of the database root user. Make sure you use a secure one, and remember it, because you'll need it later in this tutorial.Now create and open a file named gogs.sql. Here, we're using nano, but you can use your favorite text editor.



<code>nano gogs.sql</code>



Paste this in the newly created sql dump



<code>DROP DATABASE IF EXISTS gogs;

CREATE DATABASE IF NOT EXISTS gogs CHARACTER SET utf8 COLLATE utf8_general_ci;</code>



Finally, execute gogs.sql with MySQL to create the Gogs database. Replace your_password with the root password you chose earlier in this step.

<code> mysql -u root -pyour_password < gogs.sql </code>



To install Gogs from source, version control tools like Git and Mercurial are needed, so install them next.

<code>sudo apt-get -y install mercurial git</code>



===Installing Go===



It is recoomended to add a new user git before installing go. Root permissions are not required for this user.



<code>adduser git</code>



Because Gogs is written in Go, we need to install it before compiling Gogs.



First, there are some environment variables we need to set for Go. To do that, open the file ~/.bashrc for editing.



<code>nano ~/.bashrc</code>



Add the following lines to the end of the file, then close and save it.



<code>export GOPATH=/home/git/go



export GOROOT=/usr/local/src/go



export PATH=${PATH}:$GOROOT/bin</code>



Next, apply your changes.



<code>source ~/.bashrc</code>



Now get the most recent compiled version of go from their website 



<code>wget https://storage.googleapis.com/golang/go1.4.2.linux-amd64.tar.gz</code>



Decompress



<code>tar zxf go1.4.2.linux-amd64.tar.gz</code>



Change directories to the $GOROOT we defined in ~/.bashrc.



<code>sudo mv go $GOROOT</code>



Now test if Go is working.



===Installing Gogs===



Go has a built in command, get, for easily downloading the source code of a Go project along with all of its dependencies, which we'll use to download Gogs.



<code>go get -d github.com/gogits/gogs</code>



The source code of Gogs will now be in $GOPATH/src/github.com/gogits/gogs, so move there.



<code>cd $GOPATH/src/github.com/gogits/gogs</code>



Next, build and generate the binary. This command may take a moment to run.



<code>go build</code>



Now test go by moving into go directory and typing 



<code>./go</code>



This should run Go. However, to run it on the the background.



<code>./go &</code>



===Using Supervisor to manage Go===



<code>sudo apt-get -y install supervisor</code>



Let's make a Gogs daemon by creating a Supervisor configuration section. First, create a directory for the log files to live in.



<code>sudo mkdir -p /var/log/gogs</code>



<code>sudo nano /etc/supervisor/supervisord.conf</code>



Append the following contents to the file to create the Gogs section.



<code>

[program:gogs]



directory=/home/git/go/src/github.com/gogits/gogs/



command=/home/git/go/src/github.com/gogits/gogs/gogs web



autostart=true



autorestart=true



startsecs=10



stdout_logfile=/var/log/gogs/stdout.log



stdout_logfile_maxbytes=1MB



stdout_logfile_backups=10



stdout_capture_maxbytes=1MB



stderr_logfile=/var/log/gogs/stderr.log



stderr_logfile_maxbytes=1MB



stderr_logfile_backups=10



stderr_capture_maxbytes=1MB



environment = HOME="/home/git", USER="git"



user = git



</code>



This section defines the command we want to execute to start Gogs, automatically starts it with Supervisor, and specifies the locations of log files.



<code>sudo service supervisor restart</code>



We can check that Gogs is running with the following command.



<code>ps -ef | grep gogs</code>



You can verify that the server is running by taking a look at the stdout.log file, too.



<code>tail /var/log/gogs/stdout.log</code>



Output should look like <code>2017/12/31 14:24:42 [I] Gogs: Go Git Service 0.5.16.0301 Beta</code>



==Deploying==



===Set up nginx as reverse proxy===

You should also be able visit the web page with URL http://your_server_ip:3000/. This will redirect to the installation page, but don't fill that out just yet. But we want it running on port 80 for now.



Install nginx



<code>sudo apt-get -y install nginx</code>



Create a config file



<code>sudo nano /etc/nginx/sites-available/servername</code>



Adjust to the following template



<code>server {</code>

    listen 80;

    server_name your_server_ip;



    proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP



    location / {

        proxy_pass http://localhost:3000;

    }

<code>}</code>



And symlink it so that Nginx can use it.



<code>sudo ln -s /etc/nginx/sites-available/gogs /etc/nginx/sites-enabled/gogs</code>



For more about Nginx virtual host configuration files, see this tutorial.



Finally, restart Nginx to activate the virtual host configuration.



<code>sudo service nginx restart</code>



You should now be able visit the web page with the URL http://your_server_ip/, without specifying the port.



===Initialize Gogs===

There is one more simple step left to initialize Gogs for its first run.



Visit http://your_server_ip/install and fill in the following options. Many of them will be filled out for you already, but make sure to replace the variables in red with the values for your server.



In the first section, Gogs requires MySQL, PostgreSQL or SQLite3, fill out:



Database Type: MySQL

Host: 127.0.0.1:3306

User: root

Password: your_database_password

Database Name: gogs

In the second section, General Settings of Gogs, fill out:



Repository Root Path: /home/git/gogs-repositories

Run User: git

Domain: your_server_ip

HTTP Port: 3000

Application URL: http://your_server_ip/

Skip the optional e-mail and notification settings, then under Admin Account Settings, choose an admin username and password, and include your email address. We'll refer to the admin username as your_admin_username in the next step.



Finally, click Install Gogs, and then log in.



===Test Gogs===



First, go to http://your_server_ip/repo/create and create a repository with the name my-test-repo, and you click on the option Initialize this repository with a README.md.



Now you should be able to clone it. First, move to your home directory.



cd

Next, clone the repository.



git clone http://your_server_ip/your_admin_username/my-test-repo.git

Change to the repository directory.



cd my-test-repo

Update the README.md.



echo 'Blaaa blaaa World' >> README.md

Commit your changes and push them. This command will ask you for your Gogs username and password.



git add --all && git commit -m "init commit" && git push origin master



==Securing gogs==

We need to install Let's Encrypt, generate CA certificate and use nginx to redirect HTTP traffic to HTTPS.



First, add the repository.



<code>sudo add-apt-repository ppa:certbot/certbot</code>



You'll need to press ENTER to accept. Then, update the package list to pick up the new repository's package information.



<code>sudo apt-get update</code>



<code>sudo apt-get install python-certbot-nginx</code>



===Configure Iptables===

Before starting with the certificate, Iptables should be configured.



<code>sudo apt install iptables iptables-persistent</code>



you can use the following iptables rules

<code>



-P INPUT DROP



-P FORWARD DROP



-P OUTPUT ACCEPT



-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT



-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT



-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT



-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT



-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT



-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT



-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT



</code>



Make the rules persistent.



<code>sudo invoke-rc.d iptables-persistent save </code>



View Iptables status 



<code>iptables -L</code>



===Obtain SSL Certiciate===

Install CertBot & Let's Encrypt

Add the repository



<code>sudo add-apt-repository ppa:certbot/certbot</code>



<code>apt update</code>



<code>sudo apt-get install python-certbot-apache</code>



<code>sudo certbot --nginx -d example.com -d www.example.com</code>



This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.



If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.



If that's successful, certbot will ask how you'd like to configure your HTTPS settings. For the moment do not select any redirection. Keep using http.



===Self-signed cert (If you do not use Let's Encrypt===

In case of a self signed certificate

<code>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt</code>



===Generate DHParam and strengthen nginx===



While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.



We can do this by typing:



sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048



Create a Configuration Snippet with Strong Encryption Settings



Next, we will create another snippet that will define some SSL settings. This will set Nginx up with a strong SSL cipher suite and enable some advanced features that will help keep our server secure.



The parameters we will set can be reused in future Nginx configurations, so we will give the file a generic name:



<code>sudo nano /etc/nginx/snippets/ssl-params.conf</code>



Paste the following 



<code>

# from https://cipherli.st/

# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html



ssl_protocols TLSv1 TLSv1.1 TLSv1.2;



ssl_prefer_server_ciphers on;



ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";



ssl_ecdh_curve secp384r1;



ssl_session_cache shared:SSL:10m;



ssl_session_tickets off;



ssl_stapling on;



ssl_stapling_verify on;



resolver 8.8.8.8 8.8.4.4 valid=300s;



resolver_timeout 5s;



# Disable preloading HSTS for now.  You can use the commented out header line that includes



# the "preload" directive if you understand the implications.



#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";



add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";



add_header X-Frame-Options DENY;



add_header X-Content-Type-Options nosniff;



ssl_dhparam /etc/ssl/certs/dhparam.pem;

</code>



===Reconfigure nginx for https redirection===

Fairly straightforward process assuming your servername is servername.eu. Open up the <code>nano /etc/nginx/sites-available/servername</code>



the configuration file should look like this:



<code>server {

        server_name servername.eu;

        listen 443 ssl; # managed by Certbot

        ssl_certificate /etc/letsencrypt/live/servername.eu/full.pem# managed by Certbot

        ssl_certificate_key /etc/letsencrypt/live/servername.eu/privkey.pem; # managed by Certbot

        include snippets/ssl-params.conf;

        proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP</code>

        

        location / {

        proxy_pass http://localhost:3000;}}

<code>

server{</code>

        server_name servername.eu

        listen 80;

        return 301 https://servername.eu;}
User talk:Fislam - Revision history

Fislam: Created page with "== Installation == ===Preparing=== Some necessary packages that must be installed prior to beginning with the actual gogs installation. First of all do a sudo apt-get..."

Fislam: Created page with "== Installation == ===Preparing=== Some necessary packages that must be installed prior to beginning with the actual gogs installation. First of all do a `sudo apt-get..."`
