Skip to main content

HAProxy HTTPS SSH Bitbucket

Atlassian Bitbucket

Bitbucket is a software developped by Atlassian and I define it like an interface to Git, in order to make it more friendly.
There is a bunch of software in Bitbucket, acting as layers in order to facilitate collaboration on code.
Last but not least, Bitbucket has a good integration with Jira, which is one of the main reasons I choosed it to be our tool at ESTI.
I thank Atlassian very much for metting ESTI use community licence of both Jira and Bitbucket.

The goal: HTTPS and SSH on regular ports

Default HTTP and SSH port for Bitbucket is neither 443 nor 22. Their are configurable and it would be possible to directly make Bitbucket face those ports, but we dont like that, we'd rather setup a HAProxy instance that will forward the ports for us.
Prerequisite for that is to have a HTTPS certificate. It might be self signed or not. The one I use is not self-signed, and I bought it to Gandi, which provides an intermediate SHA2 certificate.

To sum it up, I have in my hand:
  • The private key I used to request the certificate: rktmb.org.key
  • The certificate for the domain: rktmb.org.crt
  • The intermediate Gandi certificate: gandi.pem

Configure HAProxy for HTTPS

Configuring HAProxy to make SSL termination sur Bitbucket is already documented on Atlassian Website. Pointing to that very good documentation is essential, but it misses one point: how to build the certificate that HAProxy need in order to trigger the SSL handshake?

As you can see in the sample configuration file, there is a "crt /etc/haproxy/certAndKey.pem" in the configuration and there is no indication is given on how to build it. We are going to fill that point here.

In HAProxy, the "crt" option has a unique value, which is a filename, hich points to the certificate issued by the authority you bought the certificate from. But it is not that simple: It should be in fact the concatenation of the "private key" and the "certificate". If you notice in the Atlassian documentation linked above, the name is "certAndKey.pem".
You build it with:

# cat rktmb.org.crt rktmb.org.key > certAndKey.pem

But if you ever need to use an intermediate certificate, this usually happens on some old browsers, the "certAndKey.pem" file then become a "cert_inter_private.pem" file, which is composed of the concatenation of the "private key" the "intermadiate" and the "certificate".
You buid it with:

# cat rktmb.org.crt gandi.pem rktmb.org.key > rktmb.org.cert_inter_private.pem

Conclusion

We end up with a 100% similar configuration to the one provided by Atlassian, but we brought a small explanation on how to build the expected certificate.

Popular posts from this blog

npm run build base-href

Using NPM to specify base-href When building an Angular application, people usually use "ng" and pass arguments to that invocation. Typically, when wanting to hard code "base-href" in "index.html", one will issue: ng build --base-href='https://ngx.rktmb.org/foo' I used to build my angular apps through Bamboo or Jenkins and they have a "npm" plugin. I got the habit to build the application with "npm run build" before deploying it. But the development team once asked me to set the "--base-href='https://ngx.rktmb.org/foo'" parameter. npm run build --base-href='https://ngx.rktmb.org/foo did not set the base href in indext.html After looking for a while, I found https://github.com/angular/angular-cli/issues/13560 where it says: You need to use −− to pass arguments to npm scripts. This did the job! The command to issue is then: npm run build -- --base-href='https://ngx.rktmb.org/foo&
Read more

emacs29 intelephense

Emacs 29 and PHP Intelephense I use to use Emacs and PHP Intelephense for PHP development. I recently upgraded to Emacs 29 and PHP Intelephense stopped working. I found a solution on Reddit Based on that, I rewrote my .emacs file to use eglot instead of lsp-mode, and this is the result. (use-package eglot :ensure t) (add-hook 'php-mode-hook 'eglot-ensure) (use-package php-mode :ensure t :mode ("\\.php\\'" . php-mode)) (add-to-list 'auto-mode-alist '("\\.php$" . php-mode)) (provide 'lang-php) (use-package company :ensure t :config (setq company-idle-delay 0.3) (global-company-mode 1) (global-set-key (kbd "M- ") 'company-complete)) (require 'eglot) (add-to-list 'eglot-server-programs '((php-mode :language-id "php") . ("intelephense" "--stdio" :initializationOptions (:licenseKey "98989898989898989898"
Read more

Jenkins invalid privatekey

Publish over SSH, Message "invalid privatekey:" With quite recent (June-July 2020) installations of Jenkins and OpenSSH, I have the following error message when using the "Deploy overs SSH" Jenkins plug-in and publishing artifacts to the target overs SSH: jenkins.plugins.publish_over.BapPublisherException: Failed to add SSH key. Message [invalid privatekey: [B@d8d395a] This problem seems to be referenced here: https://issues.jenkins-ci.org/browse/JENKINS-57495 Just regenerate a key with the right parameters To solve it: ssh-keygen -t rsa -b 4096 Or ssh-keygen -t rsa -b 4096 -m PEM
Read more