Tuesday, October 23, 2012

MySQL SandBox on Ubuntu

With Sandbox, you can install multiple instances or versions of mysql on a single server.
$ sudo su -
# apt-get install build-essential libaio1 libaio-dev
# cpan MySQL::Sandbox

Friday, October 19, 2012

Gitweb & git-http-backend on Ubuntu apache2

I just began to learn git, and the web interface looked pretty good, but it was quite confusing to set up a git web host.
The main confusion was between gitweb and the git-http-backend script. They are completely different scripts. If you only need to browse the git contents without pushing over http/https, then you do not need the git-http-backend script, and it is really simple to set up.
Another main issue is that the git package itself does not have an access control system, so a lot of tutorials on how to set up gitweb deal with gitolite as well, which adds complication. For small projects, apache's own auth tools should be good enough to start with.

Let's install git-core, gitweb, highlight (syntax highlight package). My Ubuntu is 12.04 server.
sudo apt-get install git-core gitweb highlight
git-core installs its programs under /usr/lib/git-core/
and gitweb installs at /usr/share/gitweb. It also creates a gitweb configuration at /etc/apache2/conf.d/gitweb. But we don't want this to be loaded on all apache2 hosts automatically, so let's delete this file.
sudo rm /etc/apache2/conf.d/gitweb
Depending on how the apache host is set up, the configuration may differ. Here is what we want to use:
GIT repo location: /srv/git
GIT HTTP URL: git.mydomain.com
clone example from this url: git clone http://git.mydomain.com/myrepo.git
First, create a GIT repo.
mkdir /srv/git
cd /srv/git
git init --bare --shared myrepo.git
Now we need to edit /etc/gitweb.conf to update the git repo location and add the highlight option at the end of the file.
sudo vim /etc/gitweb.conf
#projectroot to /srv/git
$projectroot = "/srv/git";

# Add Highlighting at the end
$feature{'highlight'}{'default'} = [1];
Ok, the first goal is setting up a simple git repo browsing host without push and access control.
sudo vi /etc/apache2/sites-available/git

<VirtualHost *:80>
  ServerName git.mydomain.com
  DocumentRoot /usr/share/gitweb
  <Directory /usr/share/gitweb>
    # Options must be either all relative (+/-) or all absolute; mixing them is a syntax error
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi
    DirectoryIndex gitweb.cgi
  </Directory>
</VirtualHost>

#After saving the file, enable the site
sudo a2ensite git
Now reload apache and check that it works. The next step is allowing pushes back to the host and adding access control on them. We will use the auth_digest apache module, but depending on the case, other modules can be used. Note that Digest auth keeps the password itself off the wire, but the repository contents still travel in clear text over port 80, so for anything private put this host behind https as well.
sudo a2enmod auth_digest
Here is the apache host config for that.
<VirtualHost *:80>
  ServerName git.mydomain.com
  DocumentRoot /usr/share/gitweb

  ScriptAliasMatch \
        "(?x)^/(.*/(HEAD | \
                        info/refs | \
                        objects/(info/[^/]+ | \
                                 [0-9a-f]{2}/[0-9a-f]{38} | \
                                 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                        git-(upload|receive)-pack))$" \
        /usr/lib/git-core/git-http-backend/$1

  SetEnv GIT_PROJECT_ROOT /srv/git
  SetEnv GIT_HTTP_EXPORT_ALL
  # SetEnv takes "name value" separated by whitespace, not "name=value"
  SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
  <Directory /usr/share/gitweb>
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi
    DirectoryIndex gitweb.cgi
  </Directory>

  <Location />
    AuthType Digest
    AuthName "Private Git Repository Access"
    AuthUserFile /srv/git/.htpasswd
    Require valid-user
  </Location>
</VirtualHost>
Create .htpasswd and add users
touch /srv/git/.htpasswd
htdigest /srv/git/.htpasswd "Private Git Repository Access" username
Allow the apache user, www-data, to access the /srv/git directory
sudo chown -R www-data:www-data /srv/git
If you use https, make sure you have installed a valid certificate; otherwise you will get a certificate validation error. If you want to skip this check, run this on the client side (with --global it turns certificate verification off for every https remote of that user, not just this host).
git config --global http.sslVerify false
To enable anonymous read access but authenticated write access, replace the <Location /> block with this.
<LocationMatch "^/.*/git-receive-pack$">
    AuthType Digest
    AuthName "Private Git Repository Access"
    AuthUserFile /srv/git/.htpasswd
    Require valid-user
</LocationMatch>
Also make sure that the git repo's name ends with ".git".
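As an added example (not part of the post), here are the vhost's two patterns replayed in Python: the ScriptAliasMatch regex decides which URL paths go to git-http-backend (everything else falls through to gitweb.cgi), and the LocationMatch decides which of those need Digest credentials. The paths and file locations are the ones used above.

```python
import re

# Added example, not from the post: the two Apache patterns above, replayed in
# Python so you can see which URL paths reach git-http-backend and which ones
# the LocationMatch block protects.  (?x) is the same verbose flag Apache uses.
BACKEND_PATTERN = re.compile(r"""(?x)^/(.*/(HEAD |
                        info/refs |
                        objects/(info/[^/]+ |
                                 [0-9a-f]{2}/[0-9a-f]{38} |
                                 pack/pack-[0-9a-f]{40}\.(pack|idx)) |
                        git-(upload|receive)-pack))$""")
RECEIVE_PACK_PATTERN = re.compile(r"^/.*/git-receive-pack$")

BACKEND = "/usr/lib/git-core/git-http-backend"
GITWEB = "/usr/share/gitweb/gitweb.cgi"


def route(path):
    """Return (script, path_info) for a request path, as the vhost would.

    ScriptAliasMatch maps matches to git-http-backend with $1 as PATH_INFO;
    everything else falls through to DocumentRoot, i.e. gitweb.cgi.
    Only the path is matched; the query string never takes part."""
    m = BACKEND_PATTERN.match(path)
    if m:
        return BACKEND, "/" + m.group(1)
    return GITWEB, path


def auth_required(path):
    """True if the anonymous-read variant would demand Digest credentials."""
    return RECEIVE_PACK_PATTERN.match(path) is not None


def check(path):
    """One-line summary of how the vhost handles a path."""
    script, info = route(path)
    return "%s -> %s%s%s" % (path, script.rsplit("/", 1)[-1],
                             " PATH_INFO=" + info if script == BACKEND else "",
                             " [auth]" if auth_required(path) else "")


if __name__ == "__main__":
    # What a smart-HTTP push touches: ref discovery (GET, anonymous) and then
    # the git-receive-pack POST, the only step the LocationMatch guards.
    for p in ("/myrepo.git/info/refs", "/myrepo.git/git-receive-pack",
              "/myrepo.git/objects/ab/" + "0" * 38, "/", "/myrepo.git/config"):
        print(check(p))
```

LocationMatch compares the URL path only, so the ref advertisement GET /myrepo.git/info/refs?service=git-receive-pack stays anonymous and an unauthenticated push is refused only at the following POST to git-receive-pack.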

Further References

  • git-http-backend Manual
  • gitweb-theme by kogakure
  • Good VI / VIM guides

Vim is a must for anyone who needs to do something on linux servers. While the editor is so powerful, I am always too lazy to learn or memorize most of the important commands. I found a simple but very interesting guide here.

Learn Vim Progressively

http://yannesposito.com/Scratch/en/blog/Learn-Vim-Progressively/

iptables on Ubuntu

Last week, I got an OpenVZ-based VPS at a really cheap price and tried to install ufw, with no success. There is a fix for that, but it did not work, at least for me. It seemed to work, but no individual rules worked. Also, I am not very comfortable with 'fixing' several system modules.

So I began to use iptables directly. It is not that complicated, and it is even cleaner than using other front-end utilities such as ufw. For a basic firewall setup for a web server, I don't think we need any other tools at all, even for a beginner like me.

Install

apt-get install iptables
apt-get install iptables-persistent

Basic Setup

#loopback and already established sessions
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#open ssh & web ports
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#apply default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#if you have a safe ip that should be allowed everything
iptables -A INPUT -s 123.123.123.123 -j ACCEPT

Making auto-start at boot

iptables-save > /etc/iptables/rules
update-rc.d iptables-persistent defaults

Reset iptables & reload from a file

Ubuntu has no script files to start/stop iptables. You may create a shell script based on the following commands.
#reset iptables (set the policies back to ACCEPT first, so flushing the rules cannot lock you out)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#reload rules from a file
iptables-restore < /etc/iptables/rules

Delete a rule

iptables -L INPUT -n --line-numbers

#You'll get the numbered list of all INPUT rules. Look at the number on the left, then:
iptables -D INPUT <line-number>

#Or repeat the rule specification instead of the number:
iptables -D INPUT -s 202.100.85.0/24 -j DROP

Insert a rule at line number x

iptables -I INPUT 3 -p tcp --dport 22 -j ACCEPT

Add log

#appended last, so only packets no earlier rule accepted or dropped get logged (rate-limited to 5/min) before the DROP policy applies
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
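As an added example (not from the post), the "Delete a rule" step in Python: it parses the numbered listing, finds the rule to remove, and emits both deletion forms. SAMPLE_LISTING is a constructed copy of what iptables -L INPUT -n --line-numbers prints for the ruleset above, not captured from a real host; the one thing the post does not say is that deleting by number renumbers the rules below it, which the code handles.

```python
import re

# Added example, not from the post. SAMPLE_LISTING is a constructed copy of
# what `iptables -L INPUT -n --line-numbers` prints for the ruleset above.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  202.100.85.0/24      0.0.0.0/0
5    ACCEPT     all  --  123.123.123.123      0.0.0.0/0
6    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
"""

def parse_listing(text):
    """Turn the numbered listing into dicts, skipping the two header lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 6)          # the 7th field keeps its spaces
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        num, target, prot, _opt, src, dst = parts[:6]
        rules.append({"num": int(num), "target": target, "prot": prot,
                      "source": src, "destination": dst,
                      "extra": parts[6] if len(parts) > 6 else ""})
    return rules

def find_rules(rules, target=None, source=None):
    """Line numbers of the rules with the given target and/or source."""
    return [r["num"] for r in rules
            if (target is None or r["target"] == target)
            and (source is None or r["source"] == source)]

def delete_commands(nums, chain="INPUT"):
    """Deleting rule N renumbers every rule below it, so when several rules
    go at once the deletions must run highest number first."""
    return ["iptables -D %s %d" % (chain, n) for n in sorted(set(nums), reverse=True)]

def delete_by_spec(rule, chain="INPUT"):
    """Order-independent form: repeat the spec (covers the rule shapes used in this post)."""
    cmd = "iptables -D %s" % chain
    if rule["source"] != "0.0.0.0/0":
        cmd += " -s %s" % rule["source"]
    if rule["prot"] != "all":
        cmd += " -p %s" % rule["prot"]
    port = re.search(r"dpt:(\d+)", rule["extra"])
    if port:
        cmd += " --dport %s" % port.group(1)
    return cmd + " -j %s" % rule["target"]
```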
    

    Some more guides