Hello Everyone,
i am using git now since one year. i never cared for security as the system was so far entirly independent and not important to be secured.
never the less, this has changed, so i was working the last weekend on setting up some security aspects on my server.
one thing was to put my bitbucket and other software behind a nginx.
i created the certificates with letsencrypt and the other software is running without any issue.
my bitbucket address which was per default
http://ip:port/dashboard, i placed behind a proxy with the explenation from here:
https://confluence.atlassian.com/bitbucketserver/securing-bitbucket-server-behind-nginx-using-ssl-776640112.html
i also adjusted the Base-URL on the bitbucket config.
but sadly, it only works partial.
so what works:
- i can join the bitbucket over the domain link which is https://git.<domain>.de
- i can see all repos and check them and say i wanna edit them
- i can pull repos over source tree
- i can approve merge requests
what does not work:
- the info about activity has an endless loading
- the info about notifications / warnings has an endless loading
- i can not merge merge requests, the system tells me there was a server error
- i can not request a merge request it gives me an server error
Note: the stuff which does not work, only doesnt works if i go over https://git.<domain>.de, if i go directly over the ip, it works without issues. :(
Information:
i created a sub domain entry for my nginx to forward the request to bitbucket which looks like this (probably there is also my mistake, but i don't know where :( )
upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}
server {
listen 80;
server_name git.<domain>.de;
# enforce https
rewrite ^ https://$server_name$request_uri permanent;
}
server {
listen 443 ssl;
server_name git.<domain>.de;
include /etc/nginx/snippets/letsencrypt.conf;
ssl on;
ssl_certificate /etc/letsencrypt/live/<domain>.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>.de/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/<domain>.de/chain.pem;
resolver 8.8.8.8;
client_max_body_size 0;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/letsencrypt/live/<domain>.de/dh2048.pem;
# Optional optimisation - please refer to
# http://nginx.org/en/docs/http/configuring_https_servers.html
# ssl_session_cache shared:SSL:10m;
location / {
proxy_pass http://<ipFromTheDomain>:7990;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
}
}
the config on bitbucket looks like this
Base-URL: https://git.<domain>.de
HTTP(S): Enabled
SSH: Enabled
SSH-Port: 7999
SSH-URL: blank
i hope someone here can help me.
Kind regards
Marco
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.