@@ -6,3 +6,85 @@ title: "Digital Ocean Server Setup" |
||
6 | 6 |
## Droplet Setup |
7 | 7 |
|
8 | 8 |
This server is going to have a bit of load so I will use the *$10* droplet with **1GB Ram** and **30GB SSD Disk**. Use the **Ubuntu 14.04 x64** image. I choose *Ubuntu* because there is a lot of documentation for it, but probably *Debian* or *CentOS* would be a better choise as a linux distro for a web server. |
9 |
+ |
|
10 |
+## Create a new super user |
|
11 |
+ |
|
12 |
+Its a good practice to create a new super user account that uses commands with ```sudo``` instead of using the **root** account where all commands are executed with ```sudo``` by default. |
|
13 |
+ |
|
14 |
+ adduser demo |
|
15 |
+ |
|
16 |
+Type in your password and answer some stupid questions. Then give this *demo* user some **sudo** powers: |
|
17 |
+ |
|
18 |
+ gpasswd -a demo sudo |
|
19 |
+ |
|
20 |
+Now with the super user created switch from root to the new user: |
|
21 |
+ |
|
22 |
+ su - demo |
|
23 |
+ |
|
24 |
+Create a new folder for **SSH** keys and modify its permissions: |
|
25 |
+ |
|
26 |
+ mkdir .ssh |
|
27 |
+ chmod 700 .ssh |
|
28 |
+ |
|
29 |
+Now create a new file for your SSH key and paste your public key inside of it: |
|
30 |
+ |
|
31 |
+ nano .ssh/authorized_keys |
|
32 |
+ |
|
33 |
+Press ```Ctrl + X``` to exit nano, then ```Y``` to save and then hit ```Enter```. |
|
34 |
+ |
|
35 |
+Now restrict the permissions of the file with your key: |
|
36 |
+ |
|
37 |
+ chmod 600 .ssh/authorized_keys |
|
38 |
+ |
|
39 |
+After everything is done, go back to being the root user: |
|
40 |
+ |
|
41 |
+ exit |
|
42 |
+ |
|
43 |
+Now test login in as your new user in a new shell session: |
|
44 |
+ |
|
45 |
+ ssh demo@server_ip |
|
46 |
+ |
|
47 |
+If everything works, you won't need to type in your password, the server will log you in automatically using the SSH key. |
|
48 |
+ |
|
49 |
+## Remove root login |
|
50 |
+ |
|
51 |
+For security reasons, its a good ideia disable the root account login thru SSH and only log in with user accounts. |
|
52 |
+ |
|
53 |
+To remove the root login, first make sure you can log in with a different super user account. Then log in as **root** and run: |
|
54 |
+ |
|
55 |
+ nano /etc/ssh/sshd_config |
|
56 |
+ |
|
57 |
+Next, change ```PermitRootLogin``` to ```no```. |
|
58 |
+ |
|
59 |
+Press ```Ctrl + X``` to exit nano, then ```Y``` to save and then hit ```Enter```. |
|
60 |
+ |
|
61 |
+Now restart the SSH service: |
|
62 |
+ |
|
63 |
+ service ssh restart |
|
64 |
+ |
|
65 |
+And thats it! Now when you log out of the root account, you wont be able to log in again! |
|
66 |
+ |
|
67 |
+If you ever have to log in as the root user again, just change this settings back as your new super user using ```sudo``` before the commands. |
|
68 |
+ |
|
69 |
+## Change SWAP memory settings |
|
70 |
+ |
|
71 |
+For droplets with a low amount of RAM memory, its possible to increase the **SWAP memory**. |
|
72 |
+ |
|
73 |
+ $ sudo fallocate -l 1024M /mnt/swap.img |
|
74 |
+ $ sudo mkswap /mnt/swap.img |
|
75 |
+ $ sudo swapon /mnt/swap.img |
|
76 |
+ $ sudo vim /etc/fstab |
|
77 |
+ |
|
78 |
+## Usefull commands |
|
79 |
+ |
|
80 |
+* ```sudo poweroff``` - turn off the droplet. It can be turned back on in the droplet control pannel. |
|
81 |
+* ```sudo reboot``` - restarts the server. |
|
82 |
+* ```landscape-sysinfo``` - simple system information. Use can use the flag ``` --exclude-sysinfo-plugins=Temperature,LandscapeLink,Processes```. |
|
83 |
+* ```find /usr/share/figlet -name *.?lf -exec basename {} \; | sed -e "s/\..lf$//" | xargs -I{} toilet -f {} {}``` - Show demo of toilet fonts |
|
84 |
+ |
|
85 |
+## Links |
|
86 |
+ |
|
87 |
+* [Initial Server Setup with Ubuntu 14.04 - Digital Ocean](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04) |
|
88 |
+* [Additional Recommended Steps for New Ubuntu 14.04 Servers - Digital Ocean](https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers) |
|
89 |
+* [How To Protect SSH with Fail2Ban on Ubuntu 14.04 - Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04) |
|
90 |
+* [How To Connect To Your Droplet with SSH - Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-connect-to-your-droplet-with-ssh) |
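Review bot: In "Change SWAP memory settings", the swap file is created with `fallocate` and enabled without its mode ever being restricted, so paged-out memory may be readable by other local users. Add `sudo chmod 600 /mnt/swap.img` before `mkswap`. The section also stops at `sudo vim /etc/fstab` without showing the entry to add; state it explicitly, for example `/mnt/swap.img none swap sw 0 0`. In "Remove root login", `service ssh restart` follows the edit with no check. Suggest running `sudo sshd -t` first and keeping the current root session open until a fresh `ssh demo@server_ip` login succeeds. Since key login for `demo` is already set up, the section could also set `PasswordAuthentication no`. In "Usefull commands", the `-name *.?lf` pattern is unquoted, so the shell can expand it before `find` sees it; quote it as `-name '*.?lf'`.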
@@ -0,0 +1,136 @@ |
||
1 |
+--- |
|
2 |
+layout: post |
|
3 |
+title: "Gitlab with apache2 and multiple websites" |
|
4 |
+--- |
|
5 |
+ |
|
6 |
+ |
|
7 |
+This tutorial assumes you have a Ubuntu 14.04 droplet on Digital Ocean. The idea is to first install the Gitlab Omnibus package, install apache and configure gitlab to use the installed apache server instead of its default nginx server. |
|
8 |
+ |
|
9 |
+## Gitlab Omnibus Install |
|
10 |
+ |
|
11 |
+First install all dependencies. Choose "Internet Site" during Postfix install. Then install the [GitLab Omnibus package](https://about.gitlab.com/downloads/#ubuntu1404): |
|
12 |
+ |
|
13 |
+ sudo apt-get install curl openssh-server ca-certificates postfix |
|
14 |
+ curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash |
|
15 |
+ sudo apt-get install gitlab-ce |
|
16 |
+ |
|
17 |
+Modify the GitLab configuration file located on ```/etc/gitlab/gitlab.rb```: |
|
18 |
+ |
|
19 |
+ external_url "https://gitlab.<yourdomain>/" |
|
20 |
+ gitlab_rails['gitlab_email_from'] = "gitlab@<yourdomain>" |
|
21 |
+ gitlab_rails['gitlab_support_email'] = "gitlab-support@<yourdomain>" |
|
22 |
+ |
|
23 |
+Then run ```sudo gitlab-ctl reconfigure``` to reboot GitLab with the new settings. |
|
24 |
+ |
|
25 |
+After the last step, GitLab should be working properly. Visit your GitLab URL and login using the username ```root``` and password ``` 5iveL!fe```. |
|
26 |
+ |
|
27 |
+## Installing apache2 |
|
28 |
+ |
|
29 |
+Install apache2: |
|
30 |
+ |
|
31 |
+ sudo apt-get update |
|
32 |
+ sudo apt-get install apache2 |
|
33 |
+ |
|
34 |
+ sudo a2enmod proxy_http |
|
35 |
+ sudo a2enmod proxy |
|
36 |
+ sudo a2enmod rewrite |
|
37 |
+ sudo /etc/init.d/apache2 restart |
|
38 |
+ |
|
39 |
+If apache doesnt work with the [error](https://www.digitalocean.com/community/questions/98-address-already-in-use-ah00072-make_sock-could-not-bind-to-address-80-error): |
|
40 |
+ |
|
41 |
+ (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80 - error |
|
42 |
+ |
|
43 |
+You can try to close other processes using port 80 with the commands: |
|
44 |
+ |
|
45 |
+ # Find the process with |
|
46 |
+ sudo lsof -i:80 |
|
47 |
+ # or |
|
48 |
+ sudo netstat -ltnp | grep ':80' |
|
49 |
+ # Then kill the process using its pid |
|
50 |
+ sudo kill -9 1047 |
|
51 |
+ |
|
52 |
+Another cause for this problem may be two directives in the apache configuration trying to bind to the same port. |
|
53 |
+ |
|
54 |
+ grep Listen /etc/apache2/ports.conf |
|
55 |
+ |
|
56 |
+This command will show all lines that have the word "listen", including the port numbers. If there is more than one port 80 declaration in this file, remove one of them. |
|
57 |
+ |
|
58 |
+ |
|
59 |
+## Configuring a website |
|
60 |
+ |
|
61 |
+## Configuring gitlab to use apache2 |
|
62 |
+ |
|
63 |
+In ```/etc/gitlab/gitlab.rb``` modify: |
|
64 |
+ |
|
65 |
+ external_url "http://gitlab.example.com:4554" |
|
66 |
+ # Disable nginx |
|
67 |
+ nginx['enable'] = false |
|
68 |
+ # Give apache user privileges to listen to GitLab |
|
69 |
+ web_server['external_users'] = ['www-data'] |
|
70 |
+ |
|
71 |
+Create the Virtual Host file for GitLab on ```/etc/apache2/sites-available/gitlab.conf``` with the contents below, modifying the URLs: |
|
72 |
+ |
|
73 |
+ #This configuration has been tested on GitLab 6.0.0 and GitLab 6.0.1 |
|
74 |
+ #Note this config assumes unicorn is listening on default port 8080. |
|
75 |
+ #Module dependencies |
|
76 |
+ # mod_rewrite |
|
77 |
+ # mod_proxy |
|
78 |
+ # mod_proxy_http |
|
79 |
+ <VirtualHost gitlab.example.com:80> |
|
80 |
+ ServerName gitlab.example.com |
|
81 |
+ ServerSignature Off |
|
82 |
+ |
|
83 |
+ ProxyPreserveHost On |
|
84 |
+ |
|
85 |
+ # Ensure that encoded slashes are not decoded but left in their encoded state. |
|
86 |
+ # http://doc.gitlab.com/ce/api/projects.html#get-single-project |
|
87 |
+ AllowEncodedSlashes NoDecode |
|
88 |
+ |
|
89 |
+ <Location /> |
|
90 |
+ # New authorization commands for apache 2.4 and up |
|
91 |
+ # http://httpd.apache.org/docs/2.4/upgrading.html#access |
|
92 |
+ Require all granted |
|
93 |
+ |
|
94 |
+ ProxyPassReverse http://127.0.0.1:8080 |
|
95 |
+ ProxyPassReverse http://gitlab.example.com/ |
|
96 |
+ </Location> |
|
97 |
+ |
|
98 |
+ #apache equivalent of nginx try files |
|
99 |
+ # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files |
|
100 |
+ # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab |
|
101 |
+ RewriteEngine on |
|
102 |
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f |
|
103 |
+ RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA] |
|
104 |
+ |
|
105 |
+ # needed for downloading attachments |
|
106 |
+ DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public |
|
107 |
+ |
|
108 |
+ #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. |
|
109 |
+ ErrorDocument 404 /404.html |
|
110 |
+ ErrorDocument 422 /422.html |
|
111 |
+ ErrorDocument 500 /500.html |
|
112 |
+ ErrorDocument 503 /deploy.html |
|
113 |
+ |
|
114 |
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded |
|
115 |
+ ErrorLog /var/log/httpd/logs/gitlab.example.com_error.log |
|
116 |
+ CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded |
|
117 |
+ CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog |
|
118 |
+ CustomLog /var/log/httpd/logs/gitlab.example.com.log combined |
|
119 |
+ |
|
120 |
+ </VirtualHost> |
|
121 |
+ |
|
122 |
+Then bind GitLab virtual host to enabled sites and restart apache: |
|
123 |
+ |
|
124 |
+ sudo a2ensite gitlab |
|
125 |
+ sudo service apache2 restart |
|
126 |
+ |
|
127 |
+Then run ```sudo gitlab-ctl reconfigure``` to reload GitLab configurations. |
|
128 |
+ |
|
129 |
+## Links |
|
130 |
+ |
|
131 |
+* [Using a non-bundled web-server - GiLab Help](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#using-a-non-bundled-web-server) |
|
132 |
+* [Setting up Gitlab on Ubuntu 14.04 with Apache2 without owning a domain name - GitLab Forum](https://forum.gitlab.com/t/solved-setting-up-gitlab-on-ubuntu-14-04-with-apache2-without-owning-a-domain-name/679) |
|
133 |
+* [Host GitLab on Digital Oena - Geek Igor](http://igor.kupczynski.info/2014/07/08/host-gitlab-on-digitalocean.html) |
|
134 |
+* [Install GitLab on Ubuntu 14.04 using Apache2](http://paulshipley.id.au/blog/coding-tips/install-gitlab-on-ubuntu-14-04-using-apache2) |
|
135 |
+* [How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04 - Digital Ocean](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-14-04) |
|
136 |
+* [Using gitlab's nginx to serve another app - Stack Overflow](http://stackoverflow.com/questions/24090624/using-gitlabs-nginx-to-serve-another-app) |
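Review bot: The virtual host is declared only as `<VirtualHost gitlab.example.com:80>`, and `external_url` changes from `https://gitlab.<yourdomain>/` in the first section to `http://gitlab.example.com:4554` here, so the `root` login described above is sent over plain HTTP. Either add a port 443 virtual host with TLS and redirect port 80 to it, or say explicitly that this setup is HTTP only. The `ErrorLog` and `CustomLog` paths point at `/var/log/httpd/logs/`, which is not where the Ubuntu apache2 package keeps its logs; Apache will fail to start if that directory is missing, so use `${APACHE_LOG_DIR}` instead. `sudo kill -9 1047` hard-codes a PID from one machine. Write it as a placeholder taken from the `lsof` output, and prefer stopping the owning service over `kill -9`. The post gives the initial `root` password but has no step telling the reader to change it right after the first login. The "## Configuring a website" heading has no body and should be filled in or removed.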