modify rules
/etc/nginx/nginx.conf
Sites
cd /usr/share/nginx/html/localtransporter.space/
cd /usr/share/nginx/html/spiffydesign.com/
cd /usr/share/nginx/html/dit-dah.click
To hide the .env
file using Nginx and prevent it from being served publicly, you can add a specific rule in your Nginx configuration that denies access to this file. Here’s how to do it:
Step-by-step instructions:
-
Open your Nginx configuration file:You can either add this rule to your main Nginx configuration file (e.g.,
/etc/nginx/nginx.conf
) or to the server block configuration for your site (e.g.,/etc/nginx/conf.d/localtransporter.space.conf
).Example:
sudo nano /etc/nginx/conf.d/localtransporter.space.conf
-
Add the following rule to block access to the
.env
file:Insert this block inside your server block configuration:server { # Other server settings... location ~ /\\.env { deny all; return 404; } # Other location blocks...}
-
Save and exit the file:After adding the rule, save and close the configuration file.
-
Test your Nginx configuration:Before restarting Nginx, you should test the configuration for syntax errors:
sudo nginx -t
If the syntax is correct, you will see a message like:
nginx: configuration file /etc/nginx/nginx.conf test is successful
-
Restart Nginx to apply the changes:
sudo systemctl restart nginx
How it works:
- The
location ~ /\\.env
block matches any requests for files that start with.env
. - The
deny all;
directive denies access to the.env
file. - The
return 404;
ensures that the server returns a “404 Not Found” response, making it appear as if the file doesn’t exist.
By following these steps, you ensure that your .env
file will not be accessible through the browser, even if someone tries to access it directly.
Sending Files to Live (smp staging)
cp -r /Users/spiffy/Documents/nsgandolf/dit-dah/gandolf-smp-dit-dah/build/* root@195.35.32.187:/usr/share/nginx/html/localtransporter.space/cp -r /Users/spiffy/Documents/nsgandolf/dit-dah/sitenameh/build/* root@195.35.32.187:/usr/share/nginx/html/localtransporter.space/ or spiffydesign.com/ or dit-dah.click
Other setting for gandolf
The project was built assuming it is hosted at the server root. You can control this with the homepage field in your package.json.For example, add this to build it for GitHub Pages:
“homepage” : “http://myname.github.io/myapp“,
The build folder is ready to be deployed. You may serve it with a static server:
npm install -g serve serve -s build
Server Settings
Nginx
sudo nginx -t // test changes sudo systemctl restart nginx // apply changes
dit-dah.click.conf gitlab.conf localtransporter.space.conf php-fpm.conf
sudo nano /etc/nginx/conf.d/localtransporter.space.conf
/etc/nginx/conf.d/dit-dah.click.conf
# HTTP - Redirect all traffic to HTTPSserver { listen 80; server_name dit-dah.click www.dit-dah.click; location /.well-known/acme-challenge/ { allow all; } return 301 https://$host$request_uri; # Redirect to HTTPS}# HTTPS - Serve the site over HTTPSserver { listen 443 ssl; server_name dit-dah.click www.dit-dah.click; ssl_certificate /etc/letsencrypt/live/dit-dah.click/fullchain.pem; # SSL Certificate ssl_certificate_key /etc/letsencrypt/live/dit-dah.click/privkey.pem; # SSL Key include /etc/letsencrypt/options-ssl-nginx.conf; # SSL Options ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; root /usr/share/nginx/html/dit-dah.click; # Define the document root index index.html; location / { try_files $uri /index.html; # Support for React routing } # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; } access_log /var/log/nginx/ditdah_access.log; error_log /var/log/nginx/ditdah_error.log;}
spiffydesign / pages attempt v1
gitlab.rb
##! Define to enable GitLab Pagespages_external_url “https://pages.spiffydesign.com“gitlab_pages[‘enable’] = truegitlab_pages[‘external_http’] = [‘127.0.0.1:8090’]gitlab_pages[‘external_https’] = [‘127.0.0.1:8091’]gitlab_pages[‘root_cert’] = “/etc/letsencrypt/live/pages.spiffydesign.com/fullchain.pem”gitlab_pages[‘root_key’] = “/etc/letsencrypt/live/pages.spiffydesign.com/privkey.pem”
# GitLab frontend - spiffydesign.comupstream gitlab-workhorse { server 127.0.0.1:8181 fail_timeout=0;}# GitLab Pages backend - pages.spiffydesign.comupstream gitlab-pages { server 127.0.0.1:8090 fail_timeout=0; # GitLab Pages running on port 8090}# Main GitLab instance at spiffydesign.com (HTTP to HTTPS redirect)server { listen 80; server_name spiffydesign.com www.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}# Main GitLab instance at spiffydesign.com (HTTPS)server { listen 443 ssl; server_name spiffydesign.com www.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # Correct SSL certificate for spiffydesign.com ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # Correct key for spiffydesign.com include /etc/letsencrypt/options-ssl-nginx.conf; # Let's Encrypt SSL options ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://gitlab-workhorse; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Content-Type-Options nosniff; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; }}# GitLab Pages at pages.spiffydesign.com (HTTP to HTTPS redirect)server { listen 80; server_name pages.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}# GitLab Pages at pages.spiffydesign.com (HTTPS)server { listen 443 ssl; server_name pages.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/pages.spiffydesign.com/fullchain.pem; # standalone certificate ssl_certificate_key /etc/letsencrypt/live/pages.spiffydesign.com/privkey.pem; # standalone certificate include /etc/letsencrypt/options-ssl-nginx.conf; # Let's Encrypt SSL options ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass https://127.0.0.1:8091; # Forward HTTPS traffic to GitLab Pages running on port 8091 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } access_log /var/log/nginx/gitlabpages_access.log; error_log /var/log/nginx/gitlabpages_error.log;}
simpler – but was showing content as default on all sites – and pages.spiffydesign.com was nly showing this
GNU nano 5.6.1 dit-dah.click.conf# React Frontend - dit-dah.clickserver { listen 80; server_name dit-dah.click www.dit-dah.click; root /usr/share/nginx/html/dit-dah.click; index index.html; location / { try_files $uri /index.html; # Make sure this is here to support React routing } location /.well-known/acme-challenge/ { allow all; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/dit-dah.click/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/dit-dah.click/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log;}
gitlab.conf – with pags – with SSL rerun
# GitLab Pages backend - pages.spiffydesign.comupstream gitlab-pages { server 127.0.0.1:8090 fail_timeout=0; # GitLab Pages running on port 8090}# Main GitLab instance at spiffydesign.comserver { if ($host = www.spiffydesign.com) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = spiffydesign.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name spiffydesign.com www.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}server { listen 443 ssl; server_name spiffydesign.com www.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot location / { proxy_pass http://gitlab-workhorse; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Content-Type-Options nosniff; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; }}# GitLab Pages at pages.spiffydesign.comserver { if ($host = pages.spiffydesign.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name pages.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}server { listen 443 ssl; server_name pages.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # managed by Certbot # Reuse SSL certificate ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # managed by Certbot # Reuse SSL certificate include /etc/letsencrypt/options-ssl-nginx.conf; # Let's Encrypt SSL options ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://gitlab-pages; # Proxy to the GitLab Pages service running on port 8090 proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } access_log /var/log/nginx/pages_access.log; error_log /var/log/nginx/pages_error.log;}
/etc/nginx/conf.d/gitlab.conf (spiffydesign.com – with pages)
# GitLab frontend - spiffydesign.comupstream gitlab-workhorse { server 127.0.0.1:8181 fail_timeout=0;}# GitLab Pages backend - pages.spiffydesign.comupstream gitlab-pages { server 127.0.0.1:8090 fail_timeout=0; # GitLab Pages running on port 8090}# Main GitLab instance at spiffydesign.comserver { listen 80; server_name spiffydesign.com www.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}server { listen 443 ssl; server_name spiffydesign.com www.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot location / { proxy_pass http://gitlab-workhorse; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Content-Type-Options nosniff; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; }}# GitLab Pages at pages.spiffydesign.comserver { listen 80; server_name pages.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}server { listen 443 ssl; server_name pages.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # Reuse SSL certificate ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # Reuse SSL certificate include /etc/letsencrypt/options-ssl-nginx.conf; # Let's Encrypt SSL options ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://gitlab-pages; # Proxy to the GitLab Pages service running on port 8090 proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } access_log /var/log/nginx/pages_access.log; error_log /var/log/nginx/pages_error.log;}
/etc/nginx/conf.d/gitlab.conf (spiffydesign.com) – SIMPLE _ PRE PAGES
# GitLab frontend - spiffydesign.comupstream gitlab-workhorse { server 127.0.0.1:8181 fail_timeout=0;}server { listen 80; server_name spiffydesign.com www.spiffydesign.com; location / { return 301 https://$host$request_uri; # Redirect HTTP to HTTPS }}server { listen 443 ssl; server_name spiffydesign.com www.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot location / { proxy_pass http://gitlab-workhorse; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header X-Content-Type-Options nosniff; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log;}
localtransporter.space
server { listen 80; server_name localtransporter.space www.localtransporter.space; root /usr/share/nginx/html/localtransporter.space; # Adjust this to your build directory index index.html; location / { try_files $uri /index.html; } # SSL Configuration listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/localtransporter.space/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/localtransporter.space/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Block access to sensitive files and directories location ~ /\\.git { deny all; } location ~ /\\.env { deny all; return 404; } location ~* \\.(bak|conf|ini|log)$ { deny all; } location ~ /\\.(htaccess|htpasswd|git|svn) { deny all; } location ~* \\.(swp|swo|bak|tmp|~)$ { deny all; } access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log;}
test nginx (after changes)
sudo nginx -tRESPONSE:nginx: the configuration file /etc/nginx/nginx.conf syntax is oknginx: configuration file /etc/nginx/nginx.conf test is successful
restart nginx (apply changes)
sudo systemctl restart nginxORsudo nginx -s reload // reload nginx
Gitlab
Config
sudo nano /etc/gitlab/gitlab.rb// then run to reconfiguresudo gitlab-ctl reconfigure
Basic Setup
It looks like you’re diving into setting up a self-hosted GitLab instance. Based on your earlier context, you’re planning to host GitLab on a subdomain (glab.dit-dah.click
) and use it for managing your projects, including React and Laravel apps. You’re also managing the server manually without a control panel, which gives you flexibility in setup.
Here’s a general guide to get your self-hosted GitLab instance running:
1. Set Up GitLab on AlmaLinux
Since you’re using AlmaLinux, GitLab provides official installation instructions for RHEL-based distributions, which work for AlmaLinux.
Install the Dependencies:
sudo yum install -y curl policycoreutils openssh-server perlsudo systemctl enable sshdsudo systemctl start sshdsudo firewall-cmd --permanent --add-service=httpsudo firewall-cmd --permanent --add-service=httpssudo firewall-cmd --reload
Install GitLab:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bashsudo EXTERNAL_URL="http://glab.dit-dah.click" yum install -y gitlab-ce
You’ll replace glab.dit-dah.click
with your domain/subdomain.
Configure GitLab:
- After installation, you can edit
/etc/gitlab/gitlab.rb
to tweak any configurations. For example, if you want to run GitLab over HTTPS:
sudo nano /etc/gitlab/gitlab.rb
Add or update:
external_url "https://glab.dit-dah.click"
Then reconfigure GitLab:
sudo gitlab-ctl reconfigure
2. SSL Setup (Optional)
If you want to use HTTPS, consider using Let’s Encrypt for SSL certificates:
- Modify the GitLab configuration:
external_url "https://glab.dit-dah.click"letsencrypt['enable'] = true
- Run the reconfiguration:
sudo gitlab-ctl reconfigure
3. Setting Up DNS
Make sure your DNS provider has an A
record pointing glab.dit-dah.click
to your server’s IP address.
4. User Management
You’ve already created admin users, but for a larger team, you can manage roles directly from the GitLab web interface, creating repositories, assigning permissions, and setting up continuous integration and deployment (CI/CD).
5. Backup & Restore (Optional)
You can also configure regular backups for your GitLab instance to avoid data loss:
sudo gitlab-rake gitlab:backup:create
Backups will be stored in /var/opt/gitlab/backups
.
6. CI/CD Pipeline Setup
You can configure GitLab CI/CD pipelines using .gitlab-ci.yml
in each of your projects. Here’s a basic example for a Laravel and React setup:
Laravel .gitlab-ci.yml
:
stages: - install - testinstall: stage: install script: - composer installtest: stage: test script: - ./vendor/bin/phpunit
React .gitlab-ci.yml
:
stages: - buildbuild: stage: build script: - npm install - npm run build
7. Optimizing Performance
To improve performance, you can tweak memory settings or configure Redis and PostgreSQL for better efficiency, especially if your team and repository sizes grow.
Let me know if you need help with any specific configurations or further steps on this setup!
Error Logs
Here are the common CLI commands and paths to access error logs for various services on a typical Linux server:
1. NGINX Error Logs
To access NGINX error logs:
# View NGINX error logsudo tail -f /var/log/nginx/error.log# View NGINX access logsudo tail -f /var/log/nginx/access.log
You can replace tail -f
with just cat
or less
if you want to view the entire log:
sudo cat /var/log/nginx/error.log
If you have custom log paths defined in your NGINX configuration (as in your case for GitLab Pages), use those paths:
# For GitLabsudo tail -f /var/log/nginx/gitlab_error.log# For GitLab Pagessudo tail -f /var/log/nginx/pages_error.log
2. GitLab Logs
GitLab logs are stored in the following directories:
- GitLab general logs:
sudo gitlab-ctl tail
You can also specify which logs you want to view:
# GitLab Rails application logssudo gitlab-ctl tail gitlab-rails# GitLab Workhorse logssudo gitlab-ctl tail gitlab-workhorse# GitLab NGINX logssudo gitlab-ctl tail nginx# GitLab Pages logssudo gitlab-ctl tail gitlab-pages# GitLab Sidekiq logssudo gitlab-ctl tail sidekiq
3. DNS Logs
DNS logs vary depending on which DNS service you’re using. If you’re using BIND as your DNS server, check logs with:
# BIND DNS server logs (if applicable)sudo tail -f /var/log/syslog | grep named
For systemd-resolved (which is common on newer Linux systems):
# DNS resolver logs via systemdsudo journalctl -u systemd-resolved
For DNSMasq (if you’re using it):
# DNSMasq logssudo tail -f /var/log/syslog | grep dnsmasq
4. PHP Error Logs
PHP logs can usually be found in the following locations, but it depends on your PHP configuration:
# PHP-FPM error logs (for PHP-FPM installations)sudo tail -f /var/log/php7.4-fpm.log # Replace with your PHP version# PHP error log (for Apache or other setups)sudo tail -f /var/log/php_errors.log
You can find the exact location of the PHP error log by checking the php.ini
configuration file:
# Find the PHP error log location in php.iniphp -i | grep error_log
5. Database Error Logs
MySQL / MariaDB:
# For MariaDB or MySQL error logssudo tail -f /var/log/mysql/error.log # Sometimes stored at /var/log/mysqld.log
PostgreSQL:
# PostgreSQL logs (assuming default location)sudo tail -f /var/log/postgresql/postgresql-12-main.log # Adjust the version and path if needed
Summary of Commands:
# NGINX error logssudo tail -f /var/log/nginx/error.log# GitLab logssudo gitlab-ctl tail# DNS logs (BIND)sudo tail -f /var/log/syslog | grep named# PHP logssudo tail -f /var/log/php_errors.log# MySQL/MariaDB error logssudo tail -f /var/log/mysql/error.log
These commands will help you monitor logs and troubleshoot errors across the different services on your server. Let me know if you need more details for specific configurations!
pages.spiffydesign.com – ssl stuff
Your configuration is combining both spiffydesign.com
and pages.spiffydesign.com
in a single NGINX config file, which is fine. However, it’s important to make sure each domain is properly routed and that certificates are managed correctly for both.
Let’s address your questions:
1. Should you break up the configuration into separate files?
While you can keep both spiffydesign.com
and pages.spiffydesign.com
in the same config file, it’s not necessary to split them unless you want to organize the configurations separately. NGINX can handle multiple server blocks in a single file, but if it makes management easier for you, you can split them up into separate config files, each handling one domain.
For example, you could have:
/etc/nginx/sites-available/spiffydesign.conf
/etc/nginx/sites-available/pages.spiffydesign.conf
If you split them, make sure to symlink them to sites-enabled
:
sudo ln -s /etc/nginx/sites-available/spiffydesign.conf /etc/nginx/sites-enabled/sudo ln -s /etc/nginx/sites-available/pages.spiffydesign.conf /etc/nginx/sites-enabled/
Whether you keep them together or separate, they should function the same.
2. Why is there a proxy_pass http://gitlab-pages
in the location block?
The proxy_pass http://gitlab-pages
line is used to forward requests to the GitLab Pages service running on your server at port 8090.
In this block:
upstream gitlab-pages { server 127.0.0.1:8090 fail_timeout=0; # GitLab Pages running on port 8090}server { listen 443 ssl; server_name pages.spiffydesign.com; ssl_certificate /etc/letsencrypt/live/spiffydesign.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/spiffydesign.com/privkey.pem; location / { proxy_pass http://gitlab-pages; # Proxy to GitLab Pages running on 8090 proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; }}
The proxy_pass
line tells NGINX to forward traffic for pages.spiffydesign.com
to the GitLab Pages service listening on port 8090.
proxy_pass http://gitlab-pages;
: Forwards requests to the internal service on port 8090.proxy_set_header Host $host;
: Ensures the originalHost
header is forwarded so that GitLab Pages knows the correct domain being requested.proxy_set_header X-Forwarded-Proto $scheme;
: Passes the protocol (HTTP/HTTPS) along to the backend service, which helps GitLab Pages understand whether the request was secure.
Issues you’re experiencing:
-
SSL Error (
ERR_CERT_COMMON_NAME_INVALID
): This happens because the wrong SSL certificate is being presented (e.g., the certificate forspiffydesign.com
is used instead ofpages.spiffydesign.com
).-
You’re already reusing the same certificate for
spiffydesign.com
andpages.spiffydesign.com
, which should be fine as long as both domains are included in the certificate. -
Check the certificate using:
sudo certbot certificates
Ensure that both
spiffydesign.com
andpages.spiffydesign.com
are listed in the certificate. -
If they’re not, you can re-issue the certificate with both domains:
sudo certbot --nginx -d spiffydesign.com -d pages.spiffydesign.com
-
-
Pages showing content from
dit-dah.click
: This could be because NGINX is defaulting to another server block (likedit-dah.click
) if it doesn’t find a matchingserver_name
. Ensure all domains have their own server blocks and are properly separated.
Fixing the SSL certificate issue:
-
Verify the SSL certificates:
-
Run
sudo certbot certificates
to see which domains are covered by your SSL certificates. -
If
pages.spiffydesign.com
is not included in the certificate, re-issue it with both domains:sudo certbot --nginx -d spiffydesign.com -d pages.spiffydesign.com
-
-
Ensure proper server blocks for all domains:
- Make sure that each domain (
spiffydesign.com
,pages.spiffydesign.com
,dit-dah.click
) has its own dedicated server block with its ownserver_name
and proper routing. This prevents NGINX from defaulting to another domain when one is misconfigured.
- Make sure that each domain (
-
Test the configuration:After making changes, test the NGINX configuration:
sudo nginx -t # Check for syntax errorssudo systemctl reload nginx # Reload NGINX if everything is correct
By ensuring your SSL certificates are correct and properly routing each domain in its own server block, the issues you’re experiencing should be resolved. Let me know how it goes or if you need further assistance!
Firewalld
zone=publicpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: cockpit dhcpv6-client https ssh ports: 8181/tcp 80/tcp 443/tcp 443/udp 21/tcp 53/tcp 53/udp 22/tcp 110/tcp 143/tcp 993/tcp 995/tcp 40110/tcp 5050/tcp protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
Updated
[root@spiffydesign conf.d]# sudo firewall-cmd --list-all --zone=publicpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: cockpit dhcpv6-client https ssh ports: 8181/tcp 80/tcp 443/tcp 443/udp 53/tcp 53/udp 22/tcp 110/tcp 143/tcp 993/tcp 995/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
Useful Commands
sudo firewall-cmd --list-all --zone=publicsudo firewall-cmd --remove-port=21/tcp --zone=public --permanent # Remove FTP port if not neededsudo firewall-cmd --add-port=21/tcp --zone=public --permanent # Remove FTP port if not neededsudo firewall-cmd --reload
firewalld rules are generally set by zone, which applies to the entire server or specific network interfaces rather than by individual URLs (domains).
• By default, your server’s public zone manages traffic for all network interfaces or IP addresses on the server.
• This means that all services (like HTTP, HTTPS, SSH) allowed in the public zone apply to all domains (e.g., dit-dah.click, localtransporter.space, spiffydesign.com) hosted on the same server, unless specific configurations are made for different zones or interfaces.
If you need more granular control, you could:
• Assign different network interfaces to different zones.
• Use firewalld rich rules to allow or block traffic based on IP addresses, ports, or protocols on a more specific level.
packet forwarding
Packet forwarding refers to the ability of a machine (in this case, your server) to forward network traffic from one network interface to another. It’s typically used in scenarios where the server acts as a router or gateway, meaning it receives traffic on one interface and forwards it to another.
For example:
• If your server has multiple network interfaces (e.g., eth0, eth2) and is connected to different networks, packet forwarding allows the server to pass traffic between these networks.
• If you use your server to route traffic between different subnets or networks, or if it’s configured as a gateway for other devices, packet forwarding is essential.
When to Disable Packet Forwarding:
• Single-NIC servers (common setup): If your server only has one network interface (e.g., eth0) and isn’t routing traffic between different networks, packet forwarding is unnecessary.
• Security: Enabling packet forwarding when it’s not needed can expose your server to additional risks, such as being used in a man-in-the-middle attack or facilitating traffic forwarding that you don’t intend.
TURNING IT OFF –
sudo firewall-cmd --zone=public --remove-forward --permanentsudo firewall-cmd --reload
But by default, firewall rules in the public zone cover all traffic, including your multiple domains on the server.
Here are the basic commands for managing firewalld
on your server:
1. Check the Status of firewalld:
sudo firewall-cmd --state
This will show if the firewall is running (running
) or not.
2. Start/Stop/Restart firewalld:
-
Start:
sudo systemctl start firewalld
-
Stop:
sudo systemctl stop firewalld
-
Restart:
sudo systemctl restart firewalld
3. Enable/Disable firewalld to Start at Boot:
-
Enable:
sudo systemctl enable firewalld
-
Disable:
sudo systemctl disable firewalld
4. List All Active Zones and Rules:
sudo firewall-cmd --list-all
This shows the default zone and lists active services, ports, protocols, and rules.
5. Add/Remove/Allow Ports:
-
Allow a Port (Permanent):
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
-
Remove a Port:
sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
6. Add/Remove Services:
-
Add a Service (Permanent):
sudo firewall-cmd --zone=public --add-service=http --permanent
-
Remove a Service:
sudo firewall-cmd --zone=public --remove-service=http --permanent
7. Reload firewalld:
After making changes, you need to reload firewalld to apply the changes:
sudo firewall-cmd --reload
8. List Open Ports:
sudo firewall-cmd --list-ports
9. Check Zone Information:
-
View Default Zone:
sudo firewall-cmd --get-default-zone
-
List all Zones:
sudo firewall-cmd --get-zones
-
View Zone Settings:
sudo firewall-cmd --zone=public --list-all
10. Allow/Block IP Address:
-
Allow a specific IP:
sudo firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='192.168.1.100' accept" --permanent
-
Block a specific IP:
sudo firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='192.168.1.100' drop" --permanent
11. Check Firewall Rules:
sudo firewall-cmd --list-all --zone=public
These commands should cover most of the tasks you’ll need to manage firewalld
on your server.
Gitlab runner
For GitLab Runners, you can set up three types of runners depending on your needs:
- Instance Runners: These runners are available to all projects and groups in your GitLab instance.
- Group Runners: These are shared runners across all projects within a specific group.
- Project Runners: These are runners specifically assigned to a single project.
Here’s how you can register GitLab runners:
1. Registering an Instance Runner (for all projects)
As an administrator, you can set up an instance runner that will be available to all projects within your self-hosted GitLab instance.
-
Install the GitLab Runner:On your server (or another server that will act as the runner), install the GitLab Runner:
curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64sudo chmod +x /usr/local/bin/gitlab-runnersudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bashsudo /usr/local/bin/gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runnersudo /usr/local/bin/gitlab-runner registersudo /usr/local/bin/gitlab-runner start
-
Get the registration token:
- Go to your GitLab Admin Area (
spiffydesign.com/admin/runners
). - Copy the Instance Runner registration token.
- Go to your GitLab Admin Area (
-
Register the runner:
sudo gitlab-runner register
- GitLab URL:
https://spiffydesign.com/
- Token: Paste the instance runner token from step 2.
- Description: Add a description for the runner (e.g., “General Instance Runner”).
- Tags: Add tags to help identify which jobs this runner should pick up.
- Executor: Choose an executor (e.g., shell, docker, etc.). Docker is commonly used for isolation.
- GitLab URL:
Once registered, this runner will be available for all projects in the instance.
2. Registering a Project Runner (for a specific project)
-
Go to your project settings:
- Navigate to your project in GitLab, then go to
Settings > CI/CD > Runners
. - Under Project Runners, you’ll see a button to get a registration token for that specific project.
- Navigate to your project in GitLab, then go to
-
Install and register the runner:The process is the same as the instance runner:
sudo gitlab-runner register
- GitLab URL:
https://spiffydesign.com/
- Token: Use the project-specific registration token.
- Executor: Choose the executor as per your requirement.
- GitLab URL:
The runner will only be available for that specific project.
3. Assigning Runners to Groups
If you want to set up Group Runners, you’ll need to create a group first and assign the runner to that group. This allows all projects in the group to share the runner.
To create a Group Runner, follow the same process as registering an instance runner, but get the registration token from the Group Settings page instead.
4. Verify Runner Registration
Once the runner is registered, you can verify it in your GitLab interface:
- Go to the project or admin area where you registered the runner.
- Check if the runner appears in the Runners section and if it’s marked as
online
.
Let me know if you need further details on setting up specific executors like Docker or troubleshooting issues with your runners!
Full complete backup
sudo tar -czvf /home/backup/full_server_backup_$(date +%Y%m%d).tar.gz /etc/nginx /var/www /home /etc/letsencrypt /etc/systemd/system /etc/ssh /etc/gitlab /opt/gitlab
GITLAB
sudo gitlab-backup create
The backup file will be saved in /var/opt/gitlab/backups/ by default. You can copy this file to your backup directory:
sudo cp /var/opt/gitlab/backups/* /home/backup/
NGINX
sudo tar -czvf /home/backup/nginx_conf_backup_$(date +%Y%m%d).tar.gz /etc/nginx
SSL
sudo tar -czvf /home/backup/ssl_certificates_backup_$(date +%Y%m%d).tar.gz /etc/letsencrypt
GRAB IT
scp root@195.35.32.187:/home/backup/full_server_backup_20240922.tar.gz /Users/spiffy/Desktop/somefolder/
To create a full backup of the entire server, including all websites (spiffydesign.com
, dit-dah.click
, localtransporter.space
), GitLab, and all configuration files, you’ll need to back up the following:
- Files & Directories: For each website’s files and application data (e.g., HTML, CSS, JS, config files).
- Databases: Any MySQL, MariaDB, or PostgreSQL databases.
- GitLab Backup: GitLab repositories, configuration, and data.
- Nginx/Apache configuration: Your web server configurations.
- SSL Certificates: Any SSL certificates and their private keys.
- System Configuration: Any OS-level configurations, such as firewall rules, crontab jobs, and environment variables.
Here’s a step-by-step guide to creating a complete backup of your server:
1. Backup Files & Directories
You’ll need to back up the entire /var/www/
directory (or wherever your web files are located) along with other key directories, such as configuration files.
sudo tar -czvf /backup/full_server_backup_$(date +%Y%m%d).tar.gz /etc/nginx /etc/apache2 /var/www /home /etc/letsencrypt /etc/systemd/system /etc/ssh /etc/gitlab /opt/gitlab
This will create a .tar.gz
archive of critical directories and configurations:
/etc/nginx
or/etc/apache2
: Nginx or Apache configuration files./var/www
: Web application files./home
: Any user-specific files or projects./etc/letsencrypt
: SSL certificates and keys./etc/systemd/system
: System services configuration./etc/ssh
: SSH configuration (important for server access)./etc/gitlab
and/opt/gitlab
: GitLab configuration and installation files.
Make sure to adjust the paths based on your system’s configuration.
2. Backup Databases
For MySQL/MariaDB:
To back up MySQL or MariaDB databases:
mysqldump -u root -p --all-databases > /backup/mysql_backup_$(date +%Y%m%d).sql
For PostgreSQL (if used by GitLab or other applications):
sudo -u postgres pg_dumpall > /backup/postgresql_backup_$(date +%Y%m%d).sql
This will create SQL dump files that you can later restore.
3. GitLab Backup
GitLab provides a built-in command to create a backup of repositories, uploads, and GitLab settings:
sudo gitlab-backup create
The backup file will be saved in /var/opt/gitlab/backups/
by default. You can copy this file to your backup directory:
sudo cp /var/opt/gitlab/backups/* /backup/
Additionally, you should back up the GitLab secrets (important for encryption keys, etc.):
sudo cp /etc/gitlab/gitlab-secrets.json /backup/
4. Backup Web Server Configurations
Back up Nginx or Apache configurations. You may have done this already if you included /etc/nginx
or /etc/apache2
in the tarball.
For Nginx:
sudo tar -czvf /backup/nginx_conf_backup_$(date +%Y%m%d).tar.gz /etc/nginx
For Apache:
sudo tar -czvf /backup/apache_conf_backup_$(date +%Y%m%d).tar.gz /etc/apache2
5. Backup SSL Certificates
Your SSL certificates (from Let’s Encrypt or other sources) should also be backed up. Usually, they are located in /etc/letsencrypt
if using Let’s Encrypt:
sudo tar -czvf /backup/ssl_certificates_backup_$(date +%Y%m%d).tar.gz /etc/letsencrypt
6. Backup System Configuration (Optional)
If you’ve customized other parts of your system (such as firewall rules, crontab entries, or environment variables), it’s a good idea to back them up as well.
Backup crontab:
sudo crontab -l > /backup/root_crontab_backup_$(date +%Y%m%d).txt
Backup Firewall rules:
For iptables:
sudo iptables-save > /backup/firewall_backup_$(date +%Y%m%d).conf
7. Automate Backups (Optional)
You can automate this process using a cron job:
sudo crontab -e
Add the following line to schedule a daily backup at 2 AM:
0 2 * * * /path/to/backup_script.sh
Make sure to write your backup script with all the commands mentioned above.
8. Backup Storage
Make sure to store your backup files on an external drive or cloud storage to prevent data loss if your server fails. You can use rsync
or scp
to copy the backup files to another location.
Example with rsync
:
rsync -avz /backup/ user@remote-server:/remote-backup/
9. Restore Backup (In Case of Failure)
To restore the backup, you’ll need to reverse the process:
- Extract the tarball to the correct locations.
- Restore the databases using
mysql
orpsql
. - Restore GitLab using its restore command:
gitlab-backup restore
. - Reconfigure Nginx or Apache and SSL certificates.
This process will give you a complete backup of your server, including the websites, databases, GitLab instance, and all necessary configuration files.