我想要一个本地 Gitorious 安装,该安装无法在我的本地网络之外访问,并且与可能的。存储库将保存我需要保密和安全的代码,以防黑客或盗窃。
我不是 Linux 专家,当然也不是 git/gitorious 专家,所以下面描述的任何改进我的安装的技巧都会非常有帮助!
我已经:
- 在运行 Ubuntu Server 11.04 64 位的本地计算机上安装了 Gitorious,并使用加密的 LVM。
- 如果有人好奇,请使用本指南进行 Gitorious 安装。
- 修改 Gitorious 以支持本地 IP 作为主机名。
- 在 gitorious.yml 中:
- 主机字段是本地 IP(例如 192.168.xxx.xxx)
- public_mode:假
- only_site_admins_can_create_profiles:true
- hide_http_clone_urls:true
- git-daemon 已安装,但现已删除。
- 面向互联网的路由器没有将端口转发到机器。
基于 git:// 和基于 http:// 的请求通常都允许公开克隆存储库。删除 git-daemon 并将 hide_http_clone_urls 设置为 false 似乎已禁用两者。当我尝试克隆时,它们现在都会发出错误。
借助加密的 LVM,机器在物理被盗的情况下是安全的。此外,其他计算机上的所有克隆存储库也保存在加密驱动器上。我在加密的 LVM 上使用了一个自定义脚本,该脚本会在硬盘驱动器中填充色情内容,以防尝试失败次数过多。
我当前的担忧:
- 通过 git:// 和 http:// 进行存储库访问是否完全禁用?
- 现在所有回购访问途径都受到 ssh 保护了吗?
- 有没有办法阻止所有不是来自本地网络内部的对计算机的请求,以防我的路由器生气并寻求对我进行报复?
- 如果出现问题,我还可以做些什么来加密或保护存储库?
- 如何备份gitorious的数据?只备份MySQL数据库和repos目录?
谢谢。
I want to have a local Gitorious installation that cannot be accessed outside of my local network, and is as secure and private as possible. The repos will be holding code I need kept private and secure in case of hacking or theft.
I'm not an expert with Linux, and certainly not an expert with git/gitorious, so any tips for improving my installation described below would be most helpful!
I have:
- Installed Gitorious on a local machine running Ubuntu Server 11.04 64-bit, with an encrypted LVM.
- Used this guide for Gitorious installation, if anyone is curious.
- Modified Gitorious to support local IPs as hostnames.
- In gitorious.yml:
- host fields are a local IP (e.g. 192.168.xxx.xxx)
- public_mode: false
- only_site_admins_can_create_profiles: true
- hide_http_clone_urls: true
- git-daemon was installed, but is now removed.
- No ports forwarded by internet facing router to machine.
Both git:// based and http:// based requests would normally allow open cloning of repos. Removing git-daemon and setting hide_http_clone_urls to false seems to have disabled both. They both deliver errors now when I attempt to clone.
With an encrypted LVM the machine is secure in case of physical theft. Also, all cloned repos on other machines are kept on encrypted drives as well. I used a custom script on the encrypted LVM that fills the harddrive with porn in case of too many failed attempts.
My current concerns:
- Is repo access through git:// and http:// fully disabled?
- Are all avenues of repo access secured behind ssh now?
- Is there a way to block all requests to the machine that don't originate from within the local network, in case my router gets angry and seeks revenge against me?
- Anything more I can do to encrypt or protect the repos in case something goes wrong?
- How do I backup gitorious's data? Just backup the MySQL database and repos directory?
Thank you.
如果你的 git-daemon 没有运行,那么就没有 git:// 访问权限。
hide_http_clone_urls 不会禁用 http,它只是不显示链接。为了防止未经授权的访问,您可能需要在 apache/nginx 上阻止对 git.yourdomain.com 的所有访问。
你可以看一下我的 debian 包,它有很多默认配置,比互联网上提供的文档更好:
https://gitorious.org/gitorious-for-debian/gitorious/
基本文件夹是存储所有配置的位置,例如 apache 配置等,还有使默认用户和其他事情,只需探索源代码树即可。
关于 apache 配置的更具体,请看这里: "="">https://gitorious.org/gitorious-for-debian/gitorious/blobs/master/base/debian/etc/apache2/sites-available/gitorious
例如,如果您不不添加 git.yourserver.com 别名,那么就没有人能够从 http 进行 git clone 了。
您可能还想关注并支持私有存储库功能计划,这将提供对谁可以看到什么的真实、安全的控制。
另外,对于有关 ssh 的问题,我可以说,是的,它是安全的,并且只会授予在您的 gitorious 安装上注册了公钥的人访问权限。
关于请求问题,你可以看看apache允许、拒绝规则,您可以在其中创建类似的内容:
对于备份,您必须备份存储库文件夹和 mysql 数据库。
If your git-daemon is not running then no git:// access.
hide_http_clone_urls does not disable http, it just does not show the link. To protect it from unauthorized access, you might want to block on apache/nginx all access to git.yourdomain.com.
You can take a look at my debian package, that have many default configurations, better then the documentations available on the internet:
https://gitorious.org/gitorious-for-debian/gitorious/
the base folder is where all configurations is stored, like apache configs and others, there is also the shell scripts that make default users and other things, just explore the source tree.
being more specific about the apache config, take a look here: https://gitorious.org/gitorious-for-debian/gitorious/blobs/master/base/debian/etc/apache2/sites-available/gitorious
If, for example, you don't add the git.yourserver.com alias, then no one should be able to git clone from http.
You might also want to watch and support the private repositories feature that are planned, which will provide real, safe, control of who can see what.
Also for the question about ssh, I can say that, yes, it's safe and will only give access to who have a public key registered on your gitorious installation.
About the requests question, you could take a look at apache allow, deny rules, where you can create something like:
For backup, you have to backup your repository folder and mysql databases.