Ross's Shared News Items

Friday, July 18, 2014

HOWTO: Enable SSL, notifications, and auto-updates in Phabricator install

Phabricator on Ubuntu 14.04 - post-install server configuration: SSL, notifications, auto-update, auto-start

I searched around for agile development and code review tools and was very pleasantly surprised with Phabricator. Used heavily at Facebook, it's got just about everything a development team could want or need.

I followed this setup guide to get up and running quickly. Nothing I've added below is particularly complex or difficult. I did deviate from this guide in two areas:

  1. I used Ubuntu 14.04 -- it's solid. No reason to use 12.04 for this.
  2. I did NOT install phpMyAdmin -- It's a nice tool, but it's also one of the most popular attack vectors for internet-facing servers. I don't need it, so I follow the rule of Occam's razor - "Everything should be as simple as possible - and no simpler"

Follow the above guide and you've got a default Phabricator instance up and running. Cool, huh?

Here's what I think is missing from the above guide:

Enable SSL and force all traffic to SSL

If you have a wildcard SSL cert... you probably want to use it to protect sites containing your source code. If you don't have an SSL certificate, you might want to consider getting one.

Deploy your SSL certs in the OS instance:
mkdir -p /etc/nginx/ssl
copy yoursite.com.crt and yoursite.com.key to /etc/nginx/ssl

Update nginx webserver config

edit /etc/nginx/sites-enabled/phabricator

Add a section at the top that redirects port 80 (http) traffic to port 443 (https):
server {
    # plain-http listener: every request is permanently redirected to https
    listen 80;
    root /opt/phabricator/phabricator/webroot;
    location / {
        rewrite ^ https://$http_host$request_uri? permanent;
    }
}

Modify the second, original server section below so that it becomes the port 443 server, like this:
server {
  set $fqdn phabricator.vettersoftware.com;
  set $phabWebRoot /opt/phabricator/phabricator/webroot;

  listen 443 ssl;

  server_name $fqdn;

  root      $phabWebRoot;
  ssl on;
  ssl_certificate /etc/nginx/ssl/yoursite.com.crt;
  ssl_certificate_key /etc/nginx/ssl/yoursite.com.key;
  ssl_session_timeout 30m;

...

Update Phabricator's internal base-uri setting

/opt/phabricator/phabricator/bin/config set phabricator.base-uri 'https://phabricator.yoursite.com/'

Restart nginx
service nginx restart


Enable Phabricator's aphlict notifications

See: https://secure.phabricator.com/book/phabricator/article/notifications/

Install prerequisites for aphlict
sudo apt-get install nodejs

Set notification config option
/opt/phabricator/phabricator/bin/config set notification.enabled true

Start notification service
/opt/phabricator/phabricator/bin/aphlict start

Start all services on instance boot

This is not included in the guide I used. It's not complex. I include it here in hopes it helps others who haven't been building UNIX systems for decades.

edit /etc/rc.local and add the following lines:

#start phabricator daemons
/opt/phabricator/phabricator/bin/phd start
#start aphlict notification server
/opt/phabricator/phabricator/bin/aphlict start

Automate phabricator upgrades

Phabricator's code gets updated frequently. You want those new features and bug fixes, right? You believe in continuous integration, right? Right!

cd /opt/phabricator
wget http://www.phabricator.com/rsrc/install/update_phabricator.sh
chmod a+x update_phabricator.sh

edit /opt/phabricator/update_phabricator.sh

change line 14: ROOT=`pwd` to:
ROOT='/opt/phabricator'

change all references to /etc/init.d/httpd to /etc/init.d/nginx, since we're using nginx
uncomment the notification server stop and start lines

Add the '--force' option at the end of the '$ROOT/phabricator/bin/storage upgrade' line so it looks like this:

$ROOT/phabricator/bin/storage upgrade --force

Save the file.
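The four edits above, applied with sed to a copy of the downloaded script so the result can be reviewed with diff before it replaces the original. This is an added example, not code from the post or from Phabricator; it assumes the script contains the exact markers quoted above, and the small script it patches is a constructed stand-in, not the real update_phabricator.sh.

```shell
#!/bin/sh
# Added example (not from the post or from Phabricator): apply the four edits
# above to a copy of update_phabricator.sh with sed.
# Assumption: the downloaded script contains the markers quoted in the post
# (ROOT=`pwd`, /etc/init.d/httpd, commented-out aphlict stop/start lines and
# "$ROOT/phabricator/bin/storage upgrade"). Check that on your copy first.

patch_update_script() {   # usage: patch_update_script SRC DST
    sed \
        -e 's|^ROOT=`pwd`|ROOT='\''/opt/phabricator'\''|' \
        -e 's|/etc/init.d/httpd|/etc/init.d/nginx|g' \
        -e 's|^#[[:space:]]*\(\$ROOT/phabricator/bin/aphlict\)|\1|' \
        -e 's|\(bin/storage upgrade\)$|\1 --force|' \
        "$1" > "$2"
}

# Returns 0 only if every edit the post asks for is present in FILE.
verify_patched() {
    grep -q "^ROOT='/opt/phabricator'" "$1" || return 1
    grep -q '/etc/init.d/httpd' "$1" && return 1
    grep -q '^\$ROOT/phabricator/bin/aphlict start' "$1" || return 1
    grep -q 'bin/storage upgrade --force$' "$1" || return 1
    return 0
}

# Constructed stand-in for the downloaded script (same markers, not its real body).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
ROOT=`pwd`
/etc/init.d/httpd stop
#$ROOT/phabricator/bin/aphlict stop
$ROOT/phabricator/bin/phd stop
$ROOT/phabricator/bin/storage upgrade
$ROOT/phabricator/bin/phd start
#$ROOT/phabricator/bin/aphlict start
/etc/init.d/httpd start
EOF
}

main() {
    work=$(mktemp -d)
    write_sample_script "$work/update_phabricator.sh"
    patch_update_script "$work/update_phabricator.sh" "$work/update_phabricator.sh.new"
    diff -u "$work/update_phabricator.sh" "$work/update_phabricator.sh.new" || true
    verify_patched "$work/update_phabricator.sh.new" && echo "all four edits applied"
    rm -rf "$work"
}
main
```

Running it a second time on the already-patched output leaves the file unchanged, so it is safe to re-run after re-downloading the script.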

Test the upgrade script.

./update_phabricator.sh

Add a cron job to run the upgrade script weekly.

crontab -e

add the following lines, season to taste, and save:

# update phabricator every Saturday at 9:35AM
35 9 * * Sat /opt/phabricator/update_phabricator.sh


You're done!
