
Building GitBucket with HTTPS and PostgreSQL

Posted at 2016-09-26

CentOS 7.2
Self-signed certificate, and PostgreSQL instead of the bundled H2 database.
There are hardly any pages that walk through GitBucket, HTTPS and PostgreSQL end to end, so I tried it myself.

There is also GitLab, but it was painfully slow when I tried it, so I dropped it.


Pages I referred to while setting this up


First, install the required packages with yum

# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel
# yum install postgresql-server
# yum install httpd
# yum install tomcat
# yum install mod_ssl

Download GitBucket

# wget -P /var/lib/tomcat/webapps/ https://github.com/gitbucket/gitbucket/releases/download/4.4/gitbucket.war

Create a self-signed certificate

Create the private key (key)

# openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..................................................+++
....................................................+++
e is 65537 (0x10001)
Enter pass phrase:パスフレーズ
Verifying - Enter pass phrase:パスフレーズ

Create the certificate signing request (csr)

# openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:パスフレーズ
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Arakawa-ku
Organization Name (eg, company) [Default Company Ltd]:会社名
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: example.com
Email Address []:メールアドレス

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: パスワード   
An optional company name []:company

Create the digital certificate (crt)

# openssl x509 -in server.csr -days 365000 -req -signkey server.key > server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Arakawa-ku/O=example corp
Getting Private key
Enter pass phrase for server.key:パスフレーズ

Move the private key and the SSL certificate to their proper locations and change the permissions

# mv -i server.key /etc/pki/tls/private/
# mv -i server.crt /etc/pki/tls/certs/
# chmod 400 /etc/pki/tls/private/server.key
# chmod 400 /etc/pki/tls/certs/server.crt

# ls -l /etc/pki/tls/private/server.key 
-r-------- 1 root root 1766  9月 26 21:11 /etc/pki/tls/private/server.key
# ls -l /etc/pki/tls/certs/server.crt 
-r-------- 1 root root 1123  9月 26 21:39 /etc/pki/tls/certs/server.crt

Delete the CSR

# rm server.csr
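The key, CSR and certificate steps above are interactive and produce a certificate whose only identity is the Common Name. As an added example (not part of the original post), the script below does the same job in one non-interactive step and goes a little further: it puts the hostname in a subjectAltName, which current browsers and git check instead of the CN, stores the key unencrypted (protected by 0400 permissions rather than a passphrase, so httpd can start unattended), and provides checks that the certificate actually belongs to the key and names the host. openssl on PATH, the hostname, output directory, validity and the DN values are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed server
# certificate non-interactively with a subjectAltName and verify the result.
# Assumptions: openssl is on PATH; hostname, output directory and validity
# are supplied by the caller; the DN values are made up.
set -eu

# make_selfsigned_cert <hostname> <outdir> [days]
# Writes <outdir>/server.key and <outdir>/server.crt, both mode 0400.
make_selfsigned_cert() {
  host="$1"; out="$2"; days="${3:-365}"
  mkdir -p "$out"
  # A small request config: "prompt = no" answers the DN questions from the
  # [dn] section, and [v3_srv] adds the extensions browsers and git check.
  cat > "$out/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_srv
prompt             = no

[dn]
C  = JP
ST = Tokyo
O  = example corp
CN = $host

[v3_srv]
subjectAltName   = DNS:$host
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # -nodes leaves the key unencrypted so httpd can start unattended; the key
  # is then protected by file permissions instead of a passphrase.
  openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -config "$out/req.cnf" -keyout "$out/server.key" -out "$out/server.crt" \
    2>/dev/null
  rm -f "$out/req.cnf"
  chmod 400 "$out/server.key" "$out/server.crt"
}

# cert_matches_key <server.crt> <server.key>
# Returns 0 when the public key in the certificate is derived from the key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# cert_has_san <server.crt> <hostname>
# Returns 0 when the certificate names the host in subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private <path>
# Returns 0 when the file is readable only by its owner (mode 0400 or 0600),
# the state the "chmod 400" step above leaves the key in.
key_is_private() {
  m=$(ls -l "$1" | cut -c1-10)
  [ "$m" = "-r--------" ] || [ "$m" = "-rw-------" ]
}
```

Typical use is `make_selfsigned_cert example.com /tmp/tls 365` followed by the three checks, then moving the two files into /etc/pki/tls as the post does. Dropping the passphrase is a deliberate trade: the encrypted key above is safer at rest, but mod_ssl has to obtain the passphrase every time httpd starts.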

Apache and Tomcat configuration

Apache configuration

Edit the VirtualHost section

/etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
  DocumentRoot "/var/lib/tomcat/webapps/gitbucket"
  ServerName 192.168.33.10:443

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on

  SSLProtocol all -SSLv2

  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass /assets !
  ProxyPass /gitbucket ajp://localhost:8009/gitbucket
  ProxyPassReverse /gitbucket ajp://localhost:8009/gitbucket
  ProxyPreserveHost on
</VirtualHost>
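The `SSLProtocol all -SSLv2` line in the VirtualHost above only removes SSLv2; SSLv3 and TLS 1.0/1.1 stay enabled. As an added example (not part of the original post, and not GitBucket's or Apache's code), the script below lints an ssl.conf for that subtractive form and rewrites it to an allow-list of TLS 1.2, which the CentOS 7 httpd/mod_ssl build supports. The config path is supplied by the caller, the sample fragment is constructed here, and the replacement protocol list is this example's choice.

```shell
#!/bin/sh
# Added example, not from the original post: lint an Apache ssl.conf for the
# permissive "SSLProtocol all -SSLv2" form (it still allows SSLv3 and
# TLS 1.0/1.1) and rewrite it to an allow-list of TLS 1.2 only.
# Assumptions: the config path is given by the caller; the replacement
# protocol list is this example's choice.
set -eu

HARDENED='SSLProtocol -all +TLSv1.2'

# ssl_protocol_is_strict <conf>
# Returns 0 only when at least one SSLProtocol line exists and every one of
# them is in the allow-list form "-all +TLSv1.2 [+TLSv1.3]". Anything that
# starts from "all" and subtracts versions is reported as weak, because it
# silently keeps whatever else the OpenSSL build enables.
ssl_protocol_is_strict() {
  awk '{ l = tolower($0) }
       l ~ /^[ \t]*sslprotocol([ \t]|$)/ {
         n++
         if (l !~ /^[ \t]*sslprotocol[ \t]+-all([ \t]+[+]tlsv1\.[23])+[ \t]*$/) bad++
       }
       END { if (n > 0 && bad == 0) exit 0; exit 1 }' "$1"
}

# harden_ssl_protocol <conf>
# Rewrites every SSLProtocol line to $HARDENED, keeping its indentation.
harden_ssl_protocol() {
  tmp="$1.tmp.$$"
  awk -v h="$HARDENED" '
    tolower($0) ~ /^[ \t]*sslprotocol([ \t]|$)/ {
      match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) h; next
    }
    { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# write_sample_ssl_conf <path>
# Constructed fragment mirroring the VirtualHost above, for trying the
# functions without touching the real /etc/httpd/conf.d/ssl.conf.
write_sample_ssl_conf() {
  cat > "$1" <<'EOF'
<VirtualHost _default_:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>
EOF
}
```

Run `ssl_protocol_is_strict /etc/httpd/conf.d/ssl.conf` before and after `harden_ssl_protocol` on a copy, then `apachectl configtest` and a restart. Restricting to TLS 1.2 is the right default for a server built in 2016 onward; if very old git clients must still connect, widen the allow-list explicitly rather than going back to `all`.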

Tomcat configuration

To integrate with Apache, disable the HTTP connector port and connect over AJP. Since Apache proxies to localhost, the AJP connector can also be restricted to the loopback interface with address="127.0.0.1".

/etc/tomcat/server.xml
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->


    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Start httpd and Tomcat once

The GitBucket war is unpacked, and GitBucket starts and initializes itself

# systemctl start httpd
# systemctl start tomcat

Stop httpd and Tomcat

# systemctl stop httpd
# systemctl stop tomcat

PostgreSQL configuration

Initialize and start

# service postgresql initdb --encoding=UTF-8 --locale=ja_JP.UTF-8
# systemctl start postgresql

Edit pg_hba.conf

/var/lib/pgsql/data/pg_hba.conf
local   all             all                                     md5
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5

Create the database for GitBucket

# su - postgres

-bash-4.2$ psql
psql (9.2.15)
"help" でヘルプを表示します.

postgres=# create database gitbucket WITH template template0 encoding 'utf8' lc_collate 'ja_JP.UTF-8' lc_ctype 'ja_JP.UTF-8';
CREATE DATABASE
postgres=# \q

Create the GitBucket user

# su - postgres
-bash-4.2$ createuser -P gitbucket_user
新しいロールのためのパスワード: gitbucket_user
もう一度入力してください:gitbucket_user
-bash-4.2$ exit

Edit GitBucket's database.conf

~tomcat/.gitbucket/database.conf
db {
  url = "jdbc:h2:${DatabaseHome};MVCC=true"
  user = "sa"
  password = "sa"
}
↓
db {
  url = "jdbc:postgresql://localhost/gitbucket"
  user = "gitbucket_user"
  password = "gitbucket_user"
}

Firewalld configuration

# systemctl start firewalld
# firewall-cmd --add-service=http --zone=public --permanent
# firewall-cmd --add-service=https --zone=public --permanent
# firewall-cmd --reload

# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client http https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Restart each service

# systemctl restart postgresql
# systemctl start httpd
# systemctl start tomcat

Access it in a browser and check that the page comes up
https://example.com/gitbucket

Initial credentials (change them right after the first login)
Username:root
Password:root


Check that the GitBucket tables were created in PostgreSQL

# psql -U gitbucket_user -d gitbucket
ユーザ gitbucket_user のパスワード: 
psql (9.2.15)
"help" でヘルプを表示します.

gitbucket=> select relname as TABLE_NAME from pg_stat_user_tables;
            table_name            
----------------------------------
 milestone
 commit_comment
 web_hook
 pull_request
 issue
 versions
 issue_comment
 collaborator
 issue_id
 label
 access_token
 activity
 issue_label
 plugin
 ssh_key
 repository
 commit_status
 protected_branch_require_context
 web_hook_event
 group_member
 account
 protected_branch
(22 行)

gitbucket=> \q

Enable each service at boot

# systemctl enable postgresql
# systemctl enable httpd
# systemctl enable tomcat
# systemctl enable firewalld

With a self-signed certificate, git clone and the like fail.
On the client PC:

git config --global http.sslVerify false
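`http.sslVerify false` with `--global` switches certificate verification off for every HTTPS remote the client ever talks to, not just this server. As an added example (not part of the original post), the script below does what the clone failure actually calls for: it tells git to trust the server's own server.crt for that one origin via the `http.<url>.sslCAInfo` key, which git matches by URL prefix, and removes any global disable left over from the quick fix. git on PATH, the hostname, the certificate path and the config file are assumptions of this example; on a real client you would use `--global` instead of `-f <file>`.

```shell
#!/bin/sh
# Added example, not from the original post: pin trust in the server's
# self-signed certificate for that one origin instead of turning off TLS
# verification for every HTTPS remote with "http.sslVerify false".
# Assumptions: git is on PATH; hostname, certificate path and config file
# are supplied by the caller (use --global instead of -f <file> on a client).
set -eu

# trust_self_signed_for_host <gitconfig> <host> <path-to-server.crt>
# git matches http.<url>.* keys by URL prefix, so only this host is affected.
# Any global sslVerify=false left over from the quick fix is removed as well.
trust_self_signed_for_host() {
  cfg="$1"; host="$2"; crt="$3"
  git config -f "$cfg" "http.https://$host/.sslCAInfo" "$crt"
  git config -f "$cfg" --unset "http.https://$host/.sslVerify" 2>/dev/null || true
  git config -f "$cfg" --unset http.sslVerify 2>/dev/null || true
}

# effective_ssl_verify <gitconfig> <url>
# Prints the sslVerify value git would apply to <url> ("true" when unset),
# using git's own URL matching rules.
effective_ssl_verify() {
  v=$(git config -f "$1" --get-urlmatch http.sslVerify "$2" 2>/dev/null || true)
  printf '%s\n' "${v:-true}"
}

# effective_ssl_cainfo <gitconfig> <url>
# Prints the CA file git would use for <url> (empty when none is pinned).
effective_ssl_cainfo() {
  git config -f "$1" --get-urlmatch http.sslCAInfo "$2" 2>/dev/null || true
}
```

After `trust_self_signed_for_host ~/.gitconfig example.com /path/to/server.crt`, a clone from https://example.com/gitbucket verifies against that certificate while every other HTTPS remote keeps full verification. The server.crt has to be copied to the client out of band; fetching it over the same untrusted connection would defeat the point.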

All done
