GitLab for small site (LV.1)

Reference Architecture

20 RPS หรือ 1000 users

API: 20 RPS, Web: 2 RPS, Git (Pull): 2 RPS, Git (Push): 1 RPS

Architecture: Standalone VM, no HA
CPU: 8 vCPUs
Memory: 16 GB
OS: Ubuntu

Firewall

Port

Protocol

TCP

HTTP

443

HTTPS

Config firewall on Ubuntu

sudo apt install ufw
sudo systemctl enable --now ufw
sudo ufw default deny
sudo ufw allow http
sudo ufw allow https
sudo ufw limit ssh/tcp
sudo ufw enable
sudo ufw status

Allow Git user to push/pull via SSH

แก้ไขไฟล์ /etc/ssh/sshd_config เพิ่ม config

# Ensure only authorized users are using Git
AcceptEnv GIT_PROTOCOL

restart ssh service

sudo systemctl restart ssh

Kernel Hardening

สร้างไฟล์ /etc/sysctl.d/99-gitlab-hardening.conf

##
## The following help mitigate out of bounds, null pointer dereference, heap and
## buffer overflow bugs, use-after-free etc from being exploited. It does not 100%
## fix the issues, but seriously hampers exploitation.
##
# Default is 65536, 4096 helps mitigate memory issues used in exploitation
vm.mmap_min_addr=4096
# Default is 0, randomize virtual address space in memory, makes vuln exploitation
# harder
kernel.randomize_va_space=2
# Restrict kernel pointer access (for example, cat /proc/kallsyms) for exploit assistance
kernel.kptr_restrict=2
# Restrict verbose kernel errors in dmesg
kernel.dmesg_restrict=1
# Restrict eBPF
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Prevent common use-after-free exploits
vm.unprivileged_userfaultfd=0

## Networking tweaks ##
##
## Prevent common attacks at the IP stack layer
##
# Prevent SYNFLOOD denial of service attacks
net.ipv4.tcp_syncookies=1
# Prevent time wait assassination attacks
net.ipv4.tcp_rfc1337=1
# IP spoofing/source routing protection
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
# IP redirection protection
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

สั่ง apply ทันที

sudo sysctl --system

ติดตั้ง Gitlab

sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
sudo apt-get install gitlab-ee

ทำการแก้ไข config gitlab

sudo vi /etc/gitlab/gitlab.rb

ตัวอย่าง config ที่แก้ไข

external_url 'https://gitlab.novice.solutions' # ชื่อ subdomain ที่ map DNS ไว้
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.novice.solutions" # SMTP server
gitlab_rails['smtp_port'] = 587                  # SMTP port
gitlab_rails['smtp_user_name'] = "smtpuser"      # ชื่อ username เพื่อ authen SMTP server
gitlab_rails['smtp_password'] = "mysecret"       # ชื่อ password เพื่อ authen SMTP server
gitlab_rails['smtp_domain'] = "novice.solutions" # domain name
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_pool'] = true

ใช้คำสั่งดังนี้เพื่อเริ่ม config และติดตั้ง

sudo gitlab-ctl reconfigure

หลังติดตั้ง หา root password ได้จาก

sudo cat /etc/gitlab/initial_root_password

username ที่ใช้ login คือ root

หลังจากนั้น login เข้าไปเพื่อ disable สิทธิ์ในการ sign up

กดปุ่ม Deactivate > เอาติ๊กช่อง Sign-up enabled ออก > กด Save

PreviousGitLab NextContainer

Last updated 1 year ago

hashtagReference Architecture

hashtag20 RPS หรือ 1000 users

hashtagFirewall

hashtagConfig firewall on Ubuntu

hashtagAllow Git user to push/pull via SSH

hashtagKernel Hardening

hashtagติดตั้ง Gitlab