
HAProxy HTTPS SSH Bitbucket

Atlassian Bitbucket

Bitbucket is software developed by Atlassian, and I define it as an interface to Git that makes it friendlier.
There is a bunch of software in Bitbucket, acting as layers to facilitate collaboration on code.
Last but not least, Bitbucket integrates well with Jira, which is one of the main reasons I chose it as our tool at ESTI.
I thank Atlassian very much for letting ESTI use the community licence of both Jira and Bitbucket.

The goal: HTTPS and SSH on regular ports

The default HTTP and SSH ports for Bitbucket are neither 443 nor 22. They are configurable, and it would be possible to make Bitbucket listen on those ports directly, but we don't like that; we'd rather set up an HAProxy instance that will forward the ports for us.
The prerequisite for that is an HTTPS certificate. It may be self-signed or not. The one I use is not self-signed; I bought it from Gandi, which provides an intermediate SHA2 certificate.

To sum it up, I have at hand:
  • The private key I used to request the certificate: rktmb.org.key
  • The certificate for the domain: rktmb.org.crt
  • The intermediate Gandi certificate: gandi.pem

Configure HAProxy for HTTPS

Configuring HAProxy to do SSL termination for Bitbucket is already documented on the Atlassian website. Pointing to that very good documentation is essential, but it misses one point: how do you build the certificate file that HAProxy needs in order to perform the SSL handshake?

As you can see in the sample configuration file, there is a "crt /etc/haproxy/certAndKey.pem" in the configuration, and no indication is given on how to build it. We are going to fill that gap here.

In HAProxy, the "crt" option takes a single value, a filename, which points to the certificate issued by the authority you bought the certificate from. But it is not that simple: it should in fact be the concatenation of the "private key" and the "certificate". If you look at the Atlassian documentation linked above, the name is "certAndKey.pem".
You build it with:

# cat rktmb.org.crt rktmb.org.key > certAndKey.pem

But if you ever need to use an intermediate certificate (this usually happens with some old browsers), the "certAndKey.pem" file then becomes a "cert_inter_private.pem" file, which is composed of the concatenation of the "private key", the "intermediate" and the "certificate".
You build it with:

# cat rktmb.org.crt gandi.pem rktmb.org.key > rktmb.org.cert_inter_private.pem
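
The two concatenations above, as an added example (not from the original post or from Atlassian's documentation): before writing the bundle it checks with openssl that the private key belongs to the certificate and that the intermediate issued it, and it creates the file readable by its owner only, since it contains the private key. The names build_bundle and make_sample, the file names and site.example are assumptions; make_sample only generates constructed throwaway material to try the function on.

```shell
#!/bin/sh
# Added example: validate the inputs, then build the file HAProxy's "crt" points to.

# make_sample DIR: constructed throwaway material (a signing CA standing in for
# the intermediate, plus a leaf certificate and key for site.example).
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/site.csr" -days 1 -CA "$d/inter.pem" \
        -CAkey "$d/inter.key" -CAcreateserial -out "$d/site.crt" 2>/dev/null
}

# build_bundle CERT KEY OUT [INTERMEDIATE]
# Returns 1 if KEY is not the private key of CERT, 2 if INTERMEDIATE did not
# issue CERT, 0 once OUT has been written.
build_bundle() {
    cert=$1; key=$2; out=$3; inter=${4:-}

    # Both commands print the public key as PEM; the texts must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Treat the intermediate as the trust anchor for this one check.
    if [ -n "$inter" ] &&
       ! openssl verify -partial_chain -CAfile "$inter" "$cert" >/dev/null 2>&1; then
        echo "intermediate did not issue certificate" >&2
        return 2
    fi

    # The bundle holds the private key: create it owner-only (0600), then move
    # it into place so a reload never sees a half-written file.
    rm -f "$out.tmp"
    ( umask 077 && cat "$cert" ${inter:+"$inter"} "$key" > "$out.tmp" ) &&
        mv "$out.tmp" "$out"
}
```

With the files from this post, the call would be: build_bundle rktmb.org.crt rktmb.org.key rktmb.org.cert_inter_private.pem gandi.pem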

Conclusion

We end up with a configuration 100% similar to the one provided by Atlassian, but we added a short explanation of how to build the expected certificate file.
