Secure, Private, Local Gitorious
I want to have a local Gitorious installation that cannot be accessed outside of my local network, and is as secure and private as possible. The repos will be holding code I need kept private and secure in case of hacking or theft.
- Installed Gitorious on a local machine running Ubuntu Server 11.04 64-bit, with an encrypted LVM.
- Used this guide for Gitorious installation, if anyone is curious.
- Modified Gitorious to support local IPs as hostnames.
- In gitorious.yml:
  - host fields are a local IP (e.g. 192.168.xxx.xxx)
  - public_mode: false
  - only_site_admins_can_create_profiles: true
  - hide_http_clone_urls: true
- git-daemon was installed, but is now removed.
- No ports forwarded by internet facing router to machine.
Both git:// based and http:// based requests would normally allow open cloning of repos. Removing git-daemon and setting hide_http_clone_urls to false seems to have disabled both. They both deliver errors now when I attempt to clone.
With an encrypted LVM the machine is secure in case of physical theft. Also, all cloned repos on other machines are kept on encrypted drives as well. I used a custom script on the encrypted LVM that fills the hard drive with porn in case of too many failed attempts.
My current concerns:
- Is repo access through git:// and http:// fully disabled?
- Are all avenues of repo access secured behind ssh now?
- Is there a way to block all requests to the machine that don’t originate from within the local network, in case my router gets angry and seeks revenge against me?
- Anything more I can do to encrypt or protect the repos in case something goes wrong?
- How do I back up gitorious’s data? Just back up the MySQL database and repos directory?
Answer
If your git-daemon is not running then no git:// access.
hide_http_clone_urls does not disable http, it just does not show the link. To protect it from unauthorized access, you might want to block on apache/nginx all access to git.yourdomain.com.
You can take a look at my Debian package, which has many default configurations, better than the documentation available on the internet:
The base folder is where all configuration is stored, like Apache configs and others; there are also the shell scripts that create default users and other things. Just explore the source tree.
Being more specific about the Apache config, take a look here: https://gitorious.org/gitorious-for-debian/gitorious/blobs/master/base/debian/etc/apache2/sites-available/gitorious
If, for example, you don’t add the git.yourserver.com alias, then no one should be able to git clone from http.
You might also want to watch and support the private repositories feature that is planned, which will provide real, safe control of who can see what.
Also, for the question about ssh, I can say that, yes, it’s safe and will only give access to those who have a public key registered on your Gitorious installation.
About the requests question, you could take a look at Apache Allow/Deny rules, where you can create something like:

    # Apache 2.2 access control: evaluate Deny first, then Allow
    Order Deny,Allow
    Deny from All
    Allow from 192.168.0

For backup, you have to back up your repository folder and MySQL databases.
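As an added example (not part of the question or the answer above, and not Gitorious's own code), a POSIX sh script that checks the three gitorious.yml settings listed in the question and whether anything is still listening on the git-daemon port; the sample config it runs on is constructed, and the real config path is an assumed placeholder.

```sh
#!/bin/sh
# Added example: audit Gitorious hardening settings and the git-daemon port.
# Assumes gitorious.yml uses plain "key: value" lines (indentation allowed).

# Print the value of a key in a simple YAML file; empty if the key is missing.
yml_value() {            # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r"'
}

# Return 0 when all three settings match the values the question sets;
# otherwise report each mismatch and return 1.
audit_gitorious_yml() {  # $1 = path to gitorious.yml
    rc=0
    for pair in public_mode=false \
                only_site_admins_can_create_profiles=true \
                hide_http_clone_urls=true; do
        key=${pair%=*}; want=${pair#*=}
        got=$(yml_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when no TCP listener is bound to 9418 (git-daemon), 2 if ss is absent.
git_daemon_port_closed() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found"; return 2; }
    ! ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ':9418$'
}

# Stand-alone demo on a constructed config; a real audit would pass
# /path/to/gitorious.yml (placeholder path) instead.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
host: 192.168.1.10
public_mode: false
only_site_admins_can_create_profiles: true
hide_http_clone_urls: false
EOF
audit_gitorious_yml "$tmp" && echo "gitorious.yml: OK" || echo "gitorious.yml: needs attention"
rm -f "$tmp"
```

The demo config deliberately leaves hide_http_clone_urls at false, so the run reports one mismatch; as the answer notes, that setting only hides the link, so the Apache access rules above are still needed to actually block HTTP cloning.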