Comments on: Continuous Integration with phpUnderControl and Git

By: Petro Slyvko

Petro Slyvko — Thu, 28 Oct 2010 15:06:00 +0000

Due to lack of the authentication in phpUnderControl & CC, you article is just what I needed! Thanks for your effort. Got it working on CentOS 5 with some modifications!

By: Nightfly

Nightfly — Sat, 09 Oct 2010 09:42:00 +0000

Extremely useful to get this running on Gentoo. Thanks!

By: Analysing Ruby on Rails? Is it too late? « GC | Seeing how long he can blog for without getting bored…

Sat, 11 Sep 2010 15:43:13 +0000

[...] PHP, so I’ve just not given it the thought. The more I do with PHP however and the more I streamline my workflow the more I realise the Rails community has done it all. From the outset at the moment [...]

By: Esky

Esky — Wed, 21 Jul 2010 15:02:36 +0000

Thanks for this great guide it helped me install it on FreeBSD :)

By: Esky

Esky — Wed, 21 Jul 2010 15:02:00 +0000

Thanks for this great guide it helped me install it on FreeBSD :)

By: antimbe

antimbe — Fri, 14 May 2010 14:52:38 +0000

Hello,

very hapy to see that a big part of my choices of continuous integration server around php was been solved by this blog (Ubuntu, git, phpundecontrol/cruisecontrol).

Very Good Job.

Thanks a lot.

By: antimbe

antimbe — Fri, 14 May 2010 14:52:00 +0000

Hello,

very hapy to see that a big part of my choices of continuous integration server around php was been solved by this blog (Ubuntu, git, phpundecontrol/cruisecontrol).

Very Good Job.

Thanks a lot.

By: Mathias

Mathias — Thu, 18 Feb 2010 18:30:18 +0000

Thanks for the feedback :) One thing I noticed some time after writing this post was that the JMX console which handles requests like invoking a new build manually and lets you do some other stuff is still not secured with this setup. The console is running on port 8000 by default and the above setup just handles proxying and securing of the frontend while the console is still insecure. I wanted to update the post but was busy and never found time to write that down (as usual…). So, I’ll try to explain it quickly in this comment.

What I first did was restricting access to port 8000 just to the local IP via iptables. This should look somehow like this:

iptables -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000 -j REJECT --reject-with icmp-port-unreachable

Then, I created an extra DNS entry for a subdomain which handles the JMX console and modified my Apache config. I’m using GnuTLS for SSL-based virtual hosts here, but just letting it run without SSL should work fine too. With this config, the frontend is reachable via cruisecontrol.example.org and the console via jmx.cruisecontrol.example.org, both using the same authentication backend. The frontend vhost takes care of rewriting all requests to the JMX domain with some more output filter magic. Should more or less work copy&paste, just take care of the URLs in the output filters. My final config looks something like this:


        ServerName cruisecontrol.example.org
        RewriteEngine on
        RewriteRule ^(.*)$ https://cruisecontrol.example.org$1 [R=301,L]


    ServerName cruisecontrol.example.org

    [...SSL Stuff...]

    ProxyRequests Off  

    
        Order deny,allow
        Allow from all

        AuthName        "CruiseControl"
        AuthType        Basic
        AuthUserFile    /etc/apache2/cruisecontrol.htpasswd
        require         valid-user
      

    ProxyPass / http://127.0.0.1:8080/cruisecontrol/
    ProxyPassReverse / http://127.0.0.1:8080/cruisecontrol/

    ExtFilterDefine proxyurl mode=output intype=text/html cmd="/bin/sed s%http://127.0.0.1:8080%https://cruisecontrol.example.org%g"
    ExtFilterDefine proxypathfix mode=output intype=text/html cmd="/bin/sed s%/cruisecontrol/%/%g"
    ExtFilterDefine jmxurl mode=output intype=text/html cmd="/bin/sed s%http://cruisecontrol.example.org:8000%https://jmx.cruisecontrol.example.org%g"
    ExtFilterDefine ipfix mode=output intype=text/html cmd="/bin/sed s%127.0.0.1%cruisecontrol.example.org%g"

    SetOutputFilter proxyurl;proxypathfix;jmxurl;ipfix



        ServerName jmx.cruisecontrol.example.org
        RewriteEngine on
        RewriteRule ^(.*)$ https://jmx.cruisecontrol.example.org$1 [R=301,L]


    ServerName jmx.cruisecontrol.example.org

    [...SSL Stuff...]

    ProxyRequests Off  

    
        Order deny,allow
        Allow from all

        AuthName        "CruiseControl"
        AuthType        Basic
        AuthUserFile    /etc/apache2/cruisecontrol.htpasswd
        require         valid-user
      

    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

Regards,
Mathias

By: Mathias

Mathias — Thu, 18 Feb 2010 18:30:00 +0000

What I first did was restricting access to port 8000 just to the local IP via iptables. This should look somehow like this:

iptables -A INPUT -s 127.0.0.1/32 -p tcp -m tcp –dport 8000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 8000 -j REJECT –reject-with icmp-port-unreachable

Then, I created an extra DNS entry for a subdomain which handles the JMX console and modified my Apache config. I’m using GnuTLS for SSL-based virtual hosts here, but just letting it run without SSL should work fine too. With this config, the frontend is reachable via cruisecontrol.example.org and the console via jmx.cruisecontrol.example.org, both using the same authentication backend. The frontend vhost takes care of rewriting all requests to the JMX domain with some more output filter magic. Should more or less work copy&paste, just take care of the URLs in the output filters. My final config looks something like this:

ServerName cruisecontrol.example.org
RewriteEngine on
RewriteRule ^(.*)$ https://cruisecontrol.example.org$1 [R=301,L]

ServerName cruisecontrol.example.org

[...SSL Stuff...]

ProxyRequests Off

Order deny,allow
Allow from all

AuthName “CruiseControl”
AuthType Basic
AuthUserFile /etc/apache2/cruisecontrol.htpasswd
require valid-user

ProxyPass / http://127.0.0.1:8080/cruisecontrol/
ProxyPassReverse / http://127.0.0.1:8080/cruisecontrol/

ExtFilterDefine proxyurl mode=output intype=text/html cmd=”/bin/sed s%http://127.0.0.1:8080%https://cruisecontrol.example.org%g”
ExtFilterDefine proxypathfix mode=output intype=text/html cmd=”/bin/sed s%/cruisecontrol/%/%g”
ExtFilterDefine jmxurl mode=output intype=text/html cmd=”/bin/sed s%http://cruisecontrol.example.org:8000%https://jmx.cruisecontrol.example.org%g”
ExtFilterDefine ipfix mode=output intype=text/html cmd=”/bin/sed s%127.0.0.1%cruisecontrol.example.org%g”

SetOutputFilter proxyurl;proxypathfix;jmxurl;ipfix

ServerName jmx.cruisecontrol.example.org
RewriteEngine on
RewriteRule ^(.*)$ https://jmx.cruisecontrol.example.org$1 [R=301,L]

ServerName jmx.cruisecontrol.example.org

[...SSL Stuff...]

ProxyRequests Off

Order deny,allow
Allow from all

AuthName “CruiseControl”
AuthType Basic
AuthUserFile /etc/apache2/cruisecontrol.htpasswd
require valid-user

ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

Regards,
Mathias

By: Eric Clemmons

Eric Clemmons — Thu, 18 Feb 2010 17:31:08 +0000

Just letting you know that this post was critical in getting my environment up & going.

Thanks so much for taking the time on this post!

By: Eric Clemmons

Eric Clemmons — Thu, 18 Feb 2010 17:31:00 +0000

Just letting you know that this post was critical in getting my environment up & going.

Thanks so much for taking the time on this post!