
IMPORTANT: Phabricator requires you to access the application using a specific domain. This domain is the public IP address for the cloud server.

Description

Phabricator is a collection of open source web applications that help software companies build better software.

First steps with the Bitnami Phabricator Stack

Welcome to your new Bitnami application running on CenturyLink Cloud! Here are a few questions (and answers!) you might need when first starting with your application.

What credentials do I need?

You need two sets of credentials:

  • The application credentials that allow you to log in to your new Bitnami application. These credentials consist of a username and password.
  • The server credentials that allow you to log in to your CenturyLink Cloud server using an SSH client and execute commands on the server using the command line. These credentials consist of an SSH username and key.

What is the administrator username set for me to log in to the application for the first time?

Username: user

What SSH username should I use for secure shell access to my application?

SSH username: bitnami

What are the default ports?

A port is an endpoint of communication in an operating system that identifies a specific process or a type of service. Bitnami stacks include several services or servers that require a port.

Remember that if you need to open some ports you can follow the instructions given in the FAQ to learn how to open the server ports for remote access.

Port 22 is the default port for SSH connections.

Bitnami opens some ports for the main servers. These are the ports opened by default: 80, 443.

How to start or stop the services?

Each Bitnami stack includes a control script that lets you easily stop, start and restart services. The script is located at /opt/bitnami/ctlscript.sh. Call it without any service name arguments to start all services:

$ sudo /opt/bitnami/ctlscript.sh start

Or use it to restart a single service, such as Apache only, by passing the service name as argument:

$ sudo /opt/bitnami/ctlscript.sh restart apache

Use this script to stop all services:

$ sudo /opt/bitnami/ctlscript.sh stop

Restart all services by passing the restart operation without a service name:

$ sudo /opt/bitnami/ctlscript.sh restart

Obtain a list of available services and operations by running the script without any arguments:

$ sudo /opt/bitnami/ctlscript.sh

How to configure outbound email settings?

You can configure the email settings by changing the following properties. Here is an example using a Gmail account. Replace USERNAME and PASSWORD with your Gmail account username and password respectively.

phpmailer.smtp-host (e.g. smtp.gmail.com)
phpmailer.smtp-port (e.g. 465)
phpmailer.smtp-protocol (e.g. ssl)
phpmailer.smtp-user (e.g. USERNAME@gmail.com)
phpmailer.smtp-password (e.g. PASSWORD)

You can change the value of these properties through the Phabricator application ("Config -> PHPMailer" menu) or by running the command:

$ /opt/bitnami/apps/phabricator/htdocs/bin/config set property value

where property has to be one of the above and value the corresponding value. The above example shows how to configure Phabricator with a Gmail account.

For advanced configuration, refer to the official email configuration article.

To configure the application to use other third-party SMTP services for outgoing email, such as SendGrid or Mandrill, refer to the FAQ.

Troubleshooting Gmail SMTP issues

If you are using Gmail as the outbound email server and you are not able to send email correctly, Google may be blocking sign-in attempts from your apps or devices. Depending on whether or not you use Google Apps, the steps to correct this will differ.

For Google Apps users

If you are a Google Apps user, you will need your administrator to allow users to change the policy for less secure apps. If you are a Google Apps administrator, follow these steps:

  • Browse to the Google Apps administration panel.

  • Click on "Security" and then "Basic settings".

  • Look for the section "Less secure apps" and then click on "Go to settings for less secure apps".

  • Select "Allow users to manage their access to less secure apps".

For other Google users

If you do not use Google Apps, follow the steps in the following sections, depending on whether 2-step verification has been enabled on the account or not.

If 2-step verification has not been enabled on the account, follow these steps:

  • Browse to the "Less secure apps" page and log in using the account you are having problems with. This option is typically required by many popular email clients, such as Outlook and Thunderbird, and should not be considered unsafe.

  • Select the "Turn on" option.

    Security settings

If 2-step verification has been enabled on the account, you have to generate an app password. Follow these steps:

  • Browse to the "App passwords" page.

  • Click "Select app" and choose the app you're using.

  • Click "Select device" and choose the device you're using.

  • Click the "Generate" button.

  • Enter the app password on your device.

  • Click the "Done" button.

Here are other options you may try:

  • Browse to the web version of Gmail and sign in to your account. Once you're signed in, try to enable access for the application again.

  • Browse to the "Unlock Captcha" function page and sign in with your Gmail username and password.

  • Disable IMAP from the Gmail web server interface and enable it again.

    IMAP settings

How to create a full backup of Phabricator?

Backup

The Bitnami Phabricator Stack is self-contained and the simplest option for performing a backup is to copy or compress the Bitnami stack installation directory. To do so in a safe manner, you will need to stop all servers, so this method may not be appropriate if you have people accessing the application continuously.

Follow these steps:

  • Change to the directory in which you wish to save your backup:

      $ cd /your/directory
    
  • Stop all servers:

      $ sudo /opt/bitnami/ctlscript.sh stop
    
  • Create a compressed file with the stack contents:

      $ sudo tar -pczvf application-backup.tar.gz /opt/bitnami
    
  • Restart all servers:

      $ sudo /opt/bitnami/ctlscript.sh start
    

You should now download or transfer the application-backup.tar.gz file to a safe location.

Restore

Follow these steps:

  • Change to the directory containing your backup:

      $ cd /your/directory
    
  • Stop all servers:

      $ sudo /opt/bitnami/ctlscript.sh stop
    
  • Move the current stack to a different location:

      $ sudo mv /opt/bitnami /tmp/bitnami-backup
    
  • Uncompress the backup file to the original directory:

      $ sudo tar -pxzvf application-backup.tar.gz -C /
    
  • Start all servers:

      $ sudo /opt/bitnami/ctlscript.sh start
    

If you want to create only a database backup, refer to these instructions for MySQL and PostgreSQL.
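
The restore step unpacks the archive as root with -C /, so it pays to confirm first that the archive is unchanged since it was made and that every member stays under opt/bitnami. The following is an added example, not part of the Bitnami documentation; the function names and the .sha256 sidecar file are assumptions of the example.

```shell
#!/bin/sh
# Added example: record a checksum when the backup is made, then vet the
# archive before it is unpacked as root with "tar ... -C /".
# Function names and the ".sha256" sidecar file are assumptions of this example.

# record_backup_checksum ARCHIVE
# Writes ARCHIVE.sha256 and restricts both files to their owner: the archive
# holds the TLS private key and the database files. Keeping a copy of the
# .sha256 file away from the archive lets it reveal tampering as well as
# corruption.
record_backup_checksum() {
    archive=$1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 2; }
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" ) || return 2
    chmod 600 "$archive" "$archive.sha256"
}

# archive_paths_ok ARCHIVE PREFIX
# Returns 0 only if every member is PREFIX itself or lies below it and no
# member path contains a ".." component.
archive_paths_ok() {
    prefix=${2%/}
    listing=$(tar -tzf "$1") || return 2
    [ -n "$listing" ] || return 1
    while IFS= read -r member; do
        path=${member#/}
        path=${path#./}
        path=${path%/}
        case "/$path/" in
            */../*) echo "path traversal: $member" >&2; return 1 ;;
        esac
        case "$path" in
            "$prefix"|"$prefix"/*) ;;
            *) echo "outside $prefix: $member" >&2; return 1 ;;
        esac
    done <<EOF
$listing
EOF
    return 0
}

# verify_backup ARCHIVE PREFIX
# Checks the recorded SHA-256 first, then the member paths.
verify_backup() {
    archive=$1
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    [ -f "$archive.sha256" ] || { echo "missing $archive.sha256" >&2; return 1; }
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    archive_paths_ok "$archive" "$2"
}

# Example: sh verify-backup.sh application-backup.tar.gz opt/bitnami
[ "$#" -eq 0 ] || verify_backup "$@"
```

Run record_backup_checksum right after the tar step of the backup, and verify_backup before the tar step of the restore.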

How to upgrade Phabricator?

It is strongly recommended to create a backup before starting the update process. If you have important data, create and try to restore a backup to ensure that everything works properly.

You can upgrade only the application, without modifying any other stack components. Phabricator uses two additional components, libphutil and arcanist, which are already included and can be updated too. Follow the steps below:

  • Stop the servers:

     $ /opt/bitnami/ctlscript.sh stop
    
  • Upgrade libphutil:

     $ cd /opt/bitnami/apps/phabricator/libphutil
     $ git pull
    
  • Upgrade Arcanist:

     $ cd /opt/bitnami/apps/phabricator/arcanist
     $ git pull
    
  • Upgrade Phabricator. Ensure that MySQL is running before executing these commands:

     $ cd /opt/bitnami/apps/phabricator/htdocs
     $ git pull
     $ /opt/bitnami/ctlscript.sh start mysql
     $ /opt/bitnami/apps/phabricator/htdocs/bin/storage upgrade
    
  • Start servers:

     $ /opt/bitnami/ctlscript.sh start
    

How to create an SSL certificate?

OpenSSL is required to create an SSL certificate. Once you have generated a certificate request, you have three options: send it to a certificate authority (CA) to have it signed into a certificate; sign it yourself, if you have your own certificate authority; or use a self-signed certificate (because you just want a test certificate or because you are setting up your own CA).

Follow the steps below:

  • Generate a new private key:

     $ sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048
    
  • Create a certificate signing request (CSR):

     $ sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
    
    IMPORTANT: Enter the server domain name when the above command asks for the "Common Name".
  • Send cert.csr to the certificate authority. When the certificate authority completes its checks (and has probably received payment from you), it will hand over your new certificate to you.

  • Until the certificate is received, create a temporary self-signed certificate:

     $ sudo openssl x509 -in /opt/bitnami/apache2/conf/cert.csr -out /opt/bitnami/apache2/conf/server.crt -req -signkey /opt/bitnami/apache2/conf/server.key -days 365
    
  • Back up your private key in a safe location after generating a password-protected version as follows:

     $ sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem
    

    Note that if you use this encrypted key in the Apache configuration file, it will be necessary to enter the password manually every time Apache starts. Regenerate the key without password protection from this file as follows:

     $ sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key
    

Find more information about certificates at http://www.openssl.org.

How to enable HTTPS support with SSL certificates?

NOTE: The steps below assume that you are using a custom domain name and that you have already configured the custom domain name to point to your cloud server.

Bitnami images come with SSL support already pre-configured and with a dummy certificate in place. Although this dummy certificate is fine for testing and development purposes, you will usually want to use a valid SSL certificate for production use. You can either generate this on your own (explained here) or you can purchase one from a commercial certificate authority.

Once you obtain the certificate and certificate key files, you will need to update your server to use them. Follow these steps to activate SSL support:

  • Use the table below to identify the correct locations for your certificate and configuration files.

    Variable                                   Value
    Current application URL                    https://[custom-domain]/
                                               Example: https://my-domain.com/ or https://my-domain.com/appname
    Apache configuration file                  /opt/bitnami/apache2/conf/bitnami/bitnami.conf
    Certificate file                           /opt/bitnami/apache2/conf/server.crt
    Certificate key file                       /opt/bitnami/apache2/conf/server.key
    CA certificate bundle file (if present)    /opt/bitnami/apache2/conf/server-ca.crt
  • Copy your SSL certificate and certificate key file to the specified locations.

    NOTE: If you use different names for your certificate and key files, you should reconfigure the SSLCertificateFile and SSLCertificateKeyFile directives in the corresponding Apache configuration file to reflect the correct file names.
  • If your certificate authority has also provided you with a PEM-encoded Certificate Authority (CA) bundle, you must copy it to the correct location in the previous table. Then, modify the Apache configuration file to include the following line below the SSLCertificateKeyFile directive. Choose the correct directive based on your scenario and Apache version:

    Variable                                   Value
    Apache configuration file                  /opt/bitnami/apache2/conf/bitnami/bitnami.conf
    Directive to include (Apache v2.4.8+)      SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"
    Directive to include (Apache < v2.4.8)     SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
    NOTE: If you use a different name for your CA certificate bundle, you should reconfigure the SSLCertificateChainFile or SSLCACertificateFile directives in the corresponding Apache configuration file to reflect the correct file name.
  • Once you have copied all the server certificate files, you may make them readable by the root user only with the following commands:

     $ sudo chown root:root /opt/bitnami/apache2/conf/server*
    
     $ sudo chmod 600 /opt/bitnami/apache2/conf/server*
    
  • Open port 443 in the server firewall. Refer to the FAQ for more information.

  • Restart the Apache server.

You should now be able to access your application using an HTTPS URL.
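
Before restarting Apache, you can confirm that the certificate and key you copied belong together, that the certificate is not about to expire, and that the key file is private to its owner. This is an added example, not part of the Bitnami documentation; the function names are assumptions, and it expects an unencrypted key such as the server.key used above.

```shell
#!/bin/sh
# Added example: checks to run on the certificate and key before restarting
# Apache. Function names are assumptions of this example. The key must be
# unencrypted, as Apache needs it to start unattended.

# cert_matches_key CERT KEY
# Returns 0 if both files carry the same public key, 1 if they differ,
# 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS
# Returns 0 if the certificate will still be valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# file_private_to FILE UID
# Returns 0 if FILE is a regular file owned by numeric UID with no
# permission bits set for group or others (for example mode 600 or 400).
file_private_to() {
    info=$(ls -ldn "$1" 2>/dev/null) || return 2
    mode=$(printf '%s\n' "$info" | cut -c1-10)
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    case "$mode" in
        -???------) [ "$uid" = "$2" ] ;;
        *) return 1 ;;
    esac
}

# check_tls_files CERT KEY OWNER_UID DAYS
# Runs all three checks, reports each failure, returns 0 only if all pass.
check_tls_files() {
    cert=$1; key=$2; owner_uid=$3; days=$4; rc=0
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $cert and $key do not share a public key" >&2; rc=1; }
    cert_valid_for "$cert" "$days" \
        || { echo "FAIL: $cert expires within $days days" >&2; rc=1; }
    file_private_to "$key" "$owner_uid" \
        || { echo "FAIL: $key is not private to uid $owner_uid" >&2; rc=1; }
    return $rc
}

# Example (as root, after the chown/chmod step; uid 0 is root):
#   sh check-tls.sh /opt/bitnami/apache2/conf/server.crt \
#                   /opt/bitnami/apache2/conf/server.key 0 30
[ "$#" -eq 0 ] || check_tls_files "$@"
```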

How to force HTTPS redirection with Apache?

Add the following to the top of the /opt/bitnami/apps/phabricator/conf/httpd-prefix.conf file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

After modifying the Apache configuration files:

  • Open port 443 in the server firewall. Refer to the FAQ for more information.

  • Restart Apache to apply the changes.

How to debug Apache errors?

Once Apache starts, it will create two log files at /opt/bitnami/apache2/logs/access_log and /opt/bitnami/apache2/logs/error_log respectively.

  • The access_log file is used to track client requests. When a client requests a document from the server, Apache records several parameters associated with the request in this file, such as: the IP address of the client, the document requested, the HTTP status code, and the current time.

  • The error_log file is used to record important events. This file includes error messages, startup messages, and any other significant events in the life cycle of the server. This is the first place to look when you run into a problem when using Apache.

If no error is found, you will see a message similar to:

Syntax OK

How to find the MySQL database credentials?

How to connect to the MySQL database?

You can connect to the MySQL database from the same computer where it is installed with the mysql client tool.

$ mysql -u root -p

You will be prompted to enter the root user password. This is the same as the application password.

How to debug errors in your database?

The main log file is created at /opt/bitnami/mysql/data/mysqld.log on the MySQL database server host.

How to change the MySQL root password?

You can modify the MySQL password using the following command at the shell prompt. Replace the NEW_PASSWORD placeholder with the actual password you wish to set.

$ /opt/bitnami/mysql/bin/mysqladmin -p -u root password NEW_PASSWORD

How to reset the MySQL root password?

If you don't remember your MySQL root password, you can follow the steps below to reset it to a new value:

  • Create a file in /home/bitnami/mysql-init with the content shown below (replace NEW_PASSWORD with the password you wish to use):

     UPDATE mysql.user SET Password=PASSWORD('NEW_PASSWORD') WHERE User='root';
     FLUSH PRIVILEGES;
    

    If your stack ships MySQL v5.7.x, use the following content instead of that shown above:

     UPDATE mysql.user SET authentication_string=PASSWORD('NEW_PASSWORD') WHERE User='root';
     FLUSH PRIVILEGES;
    
    TIP: Check the MySQL version with the command /opt/bitnami/mysql/bin/mysqladmin --version or /opt/bitnami/mysql/bin/mysqld --version.
  • Stop the MySQL server:

     $ sudo /opt/bitnami/ctlscript.sh stop mysql
    
  • Start MySQL with the following command:

     $ sudo /opt/bitnami/mysql/bin/mysqld_safe --pid-file=/opt/bitnami/mysql/data/mysqld.pid --datadir=/opt/bitnami/mysql/data --init-file=/home/bitnami/mysql-init 2> /dev/null &
    
  • Restart the MySQL server:

     $ sudo /opt/bitnami/ctlscript.sh restart mysql
    
  • Remove the script:

     $ rm /home/bitnami/mysql-init
    

How to access phpMyAdmin?

For security reasons, phpMyAdmin is accessible only when using 127.0.0.1 as the hostname. To access it from a remote system, you must create an SSH tunnel that routes requests to the Web server from 127.0.0.1. This implies that you must be able to connect to your server over SSH in order to access these applications remotely.

IMPORTANT: Before following the steps below, ensure that your Web and database servers are running.
NOTE: The steps below suggest using port 8888 for the SSH tunnel. If this port is already in use by another application on your local machine, replace it with any other port number greater than 1024 and modify the steps below accordingly. Similarly, if you have enabled Varnish, your stack's Web server might be running on port 81. In this case, modify the steps below to use port 81 instead of port 80 for the tunnel endpoint.

Accessing phpMyAdmin on Windows

In order to access phpMyAdmin via an SSH tunnel, you need an SSH client. The instructions below use PuTTY, a free SSH client for Windows and UNIX platforms. The first step is to configure PuTTY; to learn how, check the section on how to connect to the server through SSH using an SSH client on Windows.

Once you have your SSH client correctly configured and have tested that you can successfully access your instance via SSH, you need to create an SSH tunnel in order to access phpMyAdmin. To do so, follow these steps:

  • In the "Connection -> SSH -> Tunnels" section, add a new forwarded port by introducing the following values:

    • Source port: 8888
    • Destination: localhost:80

    This will create a secure tunnel by forwarding a port (the "destination port") on the remote server to a port (the "source port") on the local host (127.0.0.1 or localhost).

  • Click the "Add" button to add the secure tunnel configuration to the session. (You'll see the added port in the list of "Forwarded ports").

    PuTTY configuration

  • In the "Session" section, save your changes by clicking the "Save" button.
  • Click the "Open" button to open an SSH session to the server. The SSH session will now include a secure SSH tunnel between the two specified ports.
  • Access the phpMyAdmin console through the secure SSH tunnel you created, by browsing to http://127.0.0.1:8888/phpmyadmin.
  • Log in to phpMyAdmin by using the following credentials:

    • Username: root
    • Password: application password. (Refer to our FAQ to learn how to find your application credentials).

Here is an example of what you should see:

Access phpMyAdmin

If you are unable to access phpMyAdmin, verify that the SSH tunnel was created by checking the PuTTY event log (accessible via the "Event Log" menu):

PuTTY configuration

Accessing phpMyAdmin on Linux and Mac OS X

To access the application using your Web browser, create an SSH tunnel, as described below.

  • Open a new terminal window on your local system (for example, using "Finder -> Applications -> Utilities -> Terminal" in Mac OS X or the Dash in Ubuntu).
  • Run the following command, remembering to replace SERVER-IP with the public IP address or hostname of your server. Enter your SSH password when prompted.

       $ ssh -N -L 8888:127.0.0.1:80 bitnami@SERVER-IP
    
    NOTE: If successful, the above command will create an SSH tunnel but will not display any output on the server console.
  • Access the phpMyAdmin console through the secure SSH tunnel you created, by browsing to http://127.0.0.1:8888/phpmyadmin.
  • Log in to phpMyAdmin by using the following credentials:

    • Username: root
    • Password: application password. (Refer to our FAQ to learn how to find your application credentials).

Here is an example of what you should see:

Access phpMyAdmin

How to modify PHP settings?

The PHP configuration file allows you to configure the modules enabled, the email settings or the size of the upload files. It is located at /opt/bitnami/php/etc/php.ini.

For example, to modify the default upload limit for PHP, update the PHP configuration file following these instructions.

After modifying the PHP configuration file, restart both Apache and PHP-FPM for the changes to take effect:

$ sudo /opt/bitnami/ctlscript.sh restart apache
$ sudo /opt/bitnami/ctlscript.sh restart php-fpm

How to modify the allowed limit for uploaded files?

Modify the following options in the /opt/bitnami/php/etc/php.ini file to increase the allowed size for uploads:

; Maximum size of POST data that PHP will accept.
post_max_size = 16M

; Maximum allowed size for uploaded files.
upload_max_filesize = 16M

Restart PHP-FPM and Apache for the changes to take effect.

$ sudo /opt/bitnami/ctlscript.sh restart apache
$ sudo /opt/bitnami/ctlscript.sh restart php-fpm    

How to upload files to the server with SFTP?

Although you can use any SFTP/SCP client to transfer files to your server, the link below explains how to configure FileZilla (Windows, Linux and Mac OS X), WinSCP (Windows) and Cyberduck (Mac OS X). It is required to use your server's private SSH key to configure the SFTP client properly. Choose your preferred application and follow the steps in the link below to connect to the server through SFTP.

How to upload files to the server

How to configure and enable Conpherence?

To enable Conpherence, follow these steps:

  • Install Node.js and npm (if not already installed) using the official installation instructions.

  • Set the Node.js environment variable:

     $ export NODE_PATH=/usr/lib/node_modules
    
  • Install ws globally:

     $ sudo npm install -g ws
    
  • Start the Aphlict service:

     $ /opt/bitnami/apps/phabricator/htdocs/bin/aphlict start --config /opt/bitnami/apps/phabricator/htdocs/conf/aphlict/aphlict.default.json
    
  • Log in to Phabricator as an administrator and navigate to the "Configuration -> Core Settings -> Notifications" section.

  • Modify the notification.servers value by entering the following configuration, ensuring the IP-ADDRESS placeholder reflects the IP address of the server hosting Phabricator. Click the "Save Config Entry" button once done.

    [ { "type": "client", "host": "IP-ADDRESS", "port": 22280, "protocol": "http" }, { "type": "admin", "host": "127.0.0.1", "port": 22281, "protocol": "http" } ]
    

    Here's what the result should look like:

    Server configuration

  • Open port 22280 in the server firewall. Refer to the FAQ for more information on how to do this.

Real-time notifications should now be enabled.

How to configure an external repository in Phabricator?

Phabricator supports the Git, Mercurial and Subversion protocols. You can check the documentation for advanced configuration.

To configure an existing GitHub repository with Phabricator, follow these steps:

  • Log in to Phabricator as an administrator.

  • Select the "Diffusion" tab in the menu.

  • On the resulting page, click the "Create repository" link in the top right corner.

    External repository configuration

  • Create a Git, Mercurial or Subversion repository. This example will use a GitHub repository.

    External repository configuration

  • Enter a human-readable name for the repository and an internal "callsign".

    External repository configuration

  • On the repository details page, select the "URIs" option in the left navigation bar and click the "Add New URI" button.

    External repository configuration

  • Enter the external repository's clone URL in the "URI" field and set the "I/O Type" to "Observe". You can obtain the clone URL from the repository's GitHub page. Click the "Create Repository URL" button to create the new URL.

    External repository configuration

  • If the remote GitHub repository is not public and requires credentials for access, click the "Set Credential" button on the URL detail page.

    External repository configuration

  • In the resulting dialog, click "Add Credential" and enter the username and password for the repository. Click the "Create Credential" button once done to save the new credentials.

    External repository configuration

  • By default, the repository will be visible to all users and editable by administrators. If you wish to change these access policies, from the repository details page, select the "Policies" option in the left navigation bar and click the "Edit Policies" button.

    External repository configuration

  • Modify the policies as needed and click "Save Changes" to save the changes.

    External repository configuration

  • On the repository details page, choose the "Activate Repository" option to begin importing the repository.

    External repository configuration

If all goes well, your repository will be imported and when you select the "Status" option in the left navigation bar, you will see a success page like the one below.

External repository configuration

Phabricator will now continuously and automatically synchronize with the remote GitHub repository and display commits and changes as they happen.

You can also access the repository later from the "Diffusion" tab, which will show you a list of active repositories and the latest commit in each. Clicking the repository name will display detailed information on the repository.

External repository configuration

How to create a hosted repository in Phabricator?

Using HTTP authentication

By default, Phabricator disables HTTP authentication, so enable it by following these steps:

  • Log in to the server console and run the command below:

     $ sudo /opt/bitnami/apps/phabricator/htdocs/bin/config set diffusion.allow-http-auth true
    
  • Restart Phabricator so the new setting comes into effect.

     $ sudo /opt/bitnami/ctlscript.sh restart phabricator
    
  • Log in to Phabricator as an administrator.

  • Click the settings icon in the top navigation bar, next to the logout icon.

  • Select the "Personal Account Settings" menu item.

  • On the resulting page, select the "Authentication -> VCS Password" menu item.

  • Enter and verify a new VCS password. Click "Change Password" to save the password.

    Password configuration

To configure a new GitHub repository hosted in Phabricator with HTTP authentication, follow these steps:

  • Click the Phabricator logo in the top navigation bar.

  • Select the "Diffusion" tab in the left navigation menu.

  • On the resulting page, click the "Create repository" link in the top right corner.

    Hosted repository configuration

  • Create a new hosted repository by selecting the repository type - in this case, Git.

    Hosted repository configuration

  • Enter a human-readable name for the repository and an internal "callsign".

    Hosted repository configuration

  • On the repository details page, select the "Policies" menu item and define the access policies for the repository by specifying which groups can view, edit and push to it.

    Hosted repository configuration

  • On the repository details page, choose the "Activate Repository" option to create your repository and confirm activation in the resulting dialog.

    Hosted repository configuration

If all goes well, your repository will be created. You can select the "Status" menu item to confirm. You should see a success page like the one below.

Hosted repository configuration

Browse to the "URIs" page from the repository details page to obtain the repository clone URL.

Hosted repository configuration

Using SSH authentication

Step 1: Add a Special VCS User Account

Phabricator needs a user account that repository users will connect over SSH as. You must first create this user account and give it a few tweaks to work with Phabricator. In this guide, the user account is called vcs-user, although you can use a different user name if you wish (but if you do so, remember to update it in all the commands shown below).

Follow the steps below:

  • Log in to your server console as usual.

  • Create the new user account.

     $ sudo adduser vcs-user
    
  • Give the user the same privileges as the daemon user, which is the user the Phabricator daemons run as by default in the Bitnami Phabricator Stack. Execute the command below:

     $ sudo visudo
    
  • Add the line below to the end of the file and save your changes:

     vcs-user ALL=(daemon) SETENV: NOPASSWD: /opt/bitnami/git/bin/git-upload-pack, /opt/bitnami/git/bin/git-receive-pack
    
  • Edit the /etc/shadow file and within the file, find the line for the new vcs-user account and replace the password field (the second field) with the letters NP, as shown in the image below.

    Account configuration

Step 2: Configure Phabricator

Next, you must set two important configuration variables in Phabricator. The phd.user variable defines the name of the user the daemons run as, while the diffusion.ssh-user variable sets the name of the user for SSH connections.

Follow the steps below for your platform.

  • Log in to your server console as usual.

  • Run the following commands to set the necessary variables:

     $ cd /opt/bitnami/apps/phabricator/htdocs/
     $ sudo ./bin/config set phd.user daemon
     $ sudo ./bin/config set diffusion.ssh-user vcs-user
    
  • Restart Phabricator for the changes to take effect.

     $ sudo /opt/bitnami/ctlscript.sh restart phabricator
    
Step 3: Open a New Firewall Port For SSH

Phabricator uses a highly restricted version of SSH running on port 22. Therefore, before you can use SSH authentication with Phabricator, you must move your existing SSH server to a different port, such as port 222, so that you can continue to log in to the server console for other tasks. Refer to the FAQ for more information on opening port 222.

Step 4: Test SSH Access on the New Port

Next, run a separate instance of the SSH server on port 222 and verify that you can log in, before transferring it permanently. This is an important step to ensure that you do not inadvertently get locked out of your server.

  • Log in to your server console as usual.

  • Run the following command to create a necessary SSH key:

     $ sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
    
  • Run the following command to start the SSH server on port 222:

     $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config -p 222
    

This will run a separate instance of the SSH server on port 222. You should now try logging in to the server console, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section below.

Step 5: Move Your SSH Server to the New Port

The steps below will permanently transfer your SSH server to run on port 222.

  • Log in to your server console as usual.

  • Edit the SSH server configuration file at /etc/ssh/sshd_config:

     $ sudo vi /etc/ssh/sshd_config
    
  • Within the file, find the line containing the Port directive and update it to use port 222, as below:

     Port 222
    

    Port configuration

  • Save the file.

  • Restart the SSH server.

     $ sudo service ssh restart
    

You should now try logging in to the server console again, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section.

Step 6: Start Phabricator's Restricted SSH Server

The steps below will start Phabricator's restricted SSH server on the original SSH port, port 22.

  • Log in to your server console as usual.

  • Copy the /opt/bitnami/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh file to the /usr/share directory.

     $ sudo cp /opt/bitnami/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh /usr/share/
    
  • Edit the /usr/share/phabricator-ssh-hook.sh file and update the values of the VCSUSER and ROOT variables as follows:

     VCSUSER="vcs-user"
     ROOT="/opt/bitnami/apps/phabricator/htdocs"
    
  • Modify the permissions of /usr/share/phabricator-ssh-hook.sh as follows:

     $ sudo chown root /usr/share/phabricator-ssh-hook.sh
     $ sudo chmod 755 /usr/share/phabricator-ssh-hook.sh
    
  • Copy Phabricator's restricted SSH server configuration file to your /etc/ssh directory:

     $ sudo cp /opt/bitnami/apps/phabricator/htdocs/resources/sshd/sshd_config.phabricator.example /etc/ssh/sshd_config.phabricator
    
  • Edit the /etc/ssh/sshd_config.phabricator file and modify the AuthorizedKeysCommand, AuthorizedKeysCommandUser, Port and AllowUsers directives so that they look like this:

     AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh
     AuthorizedKeysCommandUser vcs-user
     AllowUsers vcs-user
     Port 22
    
  • Run the Phabricator SSH server as follows:

     $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
    
  • It is also necessary to make the PHP binary available in the default path for the vcs-user account. Use the following command to create the necessary link.

     $ sudo ln -s /opt/bitnami/php/bin/php /usr/bin/php
    
Step 7: Add Public Keys to Phabricator

This is a good time to add your users' public SSH keys to Phabricator so that they can authenticate themselves over SSH. To do this, follow the steps below:

  • Log in to Phabricator as an administrator.

  • Click the settings icon in the top navigation bar, next to the logout icon.

  • Select the "Personal Account Settings" menu item.

  • On the resulting page, select the "Authentication -> SSH Public Keys" menu item.

  • Select the "SSH Key Actions -> Upload Public Key" menu item.

  • Enter the name and content of the public key.

  • Click "Upload Public Key" to save the new public key to the system.

Repeat the last three steps for each user to be authenticated over SSH.

Step 8: Test SSH Authentication

You can now run a quick test to see if everything is working correctly. To do this:

  • Log in to the server console as one of the users whose public key you just uploaded.

  • Execute the following command:

     $ echo {} | ssh vcs-user@localhost conduit conduit.ping
    

If everything is correctly configured, the server response should look like the example below:

    {"result":"my-hostname","error_code":null,"error_info":null}

If you see a different response, see the Troubleshooting section below.

Step 9: Configure a Self-Hosted Repository with SSH Authentication

To configure a new Git repository hosted in Phabricator with SSH authentication, follow these steps:

  • Click the Phabricator logo in the top navigation bar.

  • Select the "Diffusion" tab in the left navigation menu.

  • On the resulting page, click the "Create repository" link in the top right corner.

  • Create a new hosted repository by selecting the repository type - in this case, Git.

  • Enter a human-readable name for the repository and an internal "callsign".

  • On the repository details page, select the "Policies" menu item and define the access policies for the repository by specifying which groups can view, edit and push to it.

  • On the repository details page, choose the "Activate Repository" option to create your repository and confirm activation in the resulting dialog.

If all goes well, your repository will be created. You can select the "Status" menu item to confirm; it should show a success page.

To obtain the repository clone URL, access the repository detail page from the "Diffusion" tab, which contains the complete clone URL.

Users whose public keys are stored in Phabricator should now be able to clone the repository using a command like:

    $ git clone clone-url

Troubleshooting

The quickest way to troubleshoot authentication issues is to run Phabricator's restricted SSH server in debug mode and view the error log it generates. To do this, first ensure it is not running (or kill the existing running process) and then replace the last command in Step 6 with this one:

    $ sudo /usr/sbin/sshd -d -d -d -f /etc/ssh/sshd_config.phabricator &

This will start Phabricator's SSH server in debug mode and display a running log of error messages on the console. You can now test SSH access as described in Step 8 and watch the log to access more detailed error information. Common errors include incorrect key file permissions, invalid file paths in configuration files or missing binaries.

Please also refer to the Troubleshooting section of the Diffusion user guide for more troubleshooting steps and ideas.
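
A preflight check for the restricted server configured in Step 6, covering the common errors listed above (file permissions, file paths, missing binaries). This is an added example, not part of the Bitnami or Phabricator tooling; the function names and the optional owner and binary arguments are assumptions made for illustration.

```bash
# Added example: preflight check for Phabricator's restricted sshd (Step 6).
# Usage: check_phab_sshd CONFIG [EXPECTED_HOOK_OWNER] [REQUIRED_BINARY]
# Prints one line per problem found and returns 1 if there was any.

# Value of the first uncommented KEY line in an sshd config (keywords are case-insensitive).
directive() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Value of a NAME="value" assignment in the hook script (VCSUSER, ROOT).
hook_var() {
  awk -F'"' -v k="$1=" 'index($0, k) == 1 { print $2; exit }' "$2"
}

check_phab_sshd() {
  local conf="$1" owner="${2:-root}" bin="${3:-php}" bad=0
  local hook user allow perms links fowner rest
  [ -r "$conf" ] || { echo "cannot read config: $conf"; return 1; }
  hook=$(directive AuthorizedKeysCommand "$conf")
  user=$(directive AuthorizedKeysCommandUser "$conf")
  allow=$(directive AllowUsers "$conf")   # expects the single-user form used in Step 6

  if [ -z "$user" ] || ! id "$user" >/dev/null 2>&1; then
    echo "AuthorizedKeysCommandUser '$user' is not an existing account"; bad=1
  fi
  [ "$allow" = "$user" ] || { echo "AllowUsers '$allow' does not match '$user'"; bad=1; }
  # Checks the caller's PATH; the page requires php on the vcs-user default path.
  command -v "$bin" >/dev/null 2>&1 || { echo "'$bin' is not on PATH"; bad=1; }

  case "$hook" in /*) ;; *) echo "AuthorizedKeysCommand '$hook' is not an absolute path"; bad=1 ;; esac
  if [ ! -f "$hook" ] || [ ! -x "$hook" ]; then
    echo "hook missing or not executable: $hook"; return 1
  fi
  # sshd requires the command to be owned by root and not writable by group or others.
  read -r perms links fowner rest <<EOF
$(ls -ld "$hook")
EOF
  [ "$fowner" = "$owner" ] || { echo "hook owned by $fowner, expected $owner"; bad=1; }
  case "$perms" in ?????w*|????????w*) echo "hook is group- or world-writable ($perms)"; bad=1 ;; esac
  [ "$(hook_var VCSUSER "$hook")" = "$user" ] || { echo "VCSUSER in hook differs from '$user'"; bad=1; }
  [ -d "$(hook_var ROOT "$hook")" ] || { echo "ROOT in hook is not a directory"; bad=1; }
  return "$bad"
}
```

Call it on the server as `check_phab_sshd /etc/ssh/sshd_config.phabricator`. Running `sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_config.phabricator` additionally has sshd validate the file itself without starting a listener.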

How to enable SSL?

NOTE: Ensure that the Apache server is already configured to enable SSL connections.

Phabricator serves static resources using the URL configured in the phabricator.base-uri property. Set this property to reflect the new HTTPS URL by running the following command and replacing the URL placeholder with the correct HTTPS URL:

$ sudo /opt/bitnami/apps/phabricator/htdocs/bin/config set phabricator.base-uri URL

If not using a CDN to serve static resources, also execute the following command:

$ sudo /opt/bitnami/apps/phabricator/htdocs/bin/config delete security.alternate-file-domain 

The bnconfig tool automatically configures Phabricator's IP address or domain on each server reboot. Once the HTTPS URL is configured, disable this tool by renaming it so that it does not change the application's configuration again. Refer to the bnconfig page for more information.

$ sudo mv /opt/bitnami/apps/phabricator/bnconfig /opt/bitnami/apps/phabricator/bnconfig.disabled

How to install the Sprint extension on Phabricator?

To install the Sprint extension on Phabricator, follow these steps:

  • Log in to the server console and navigate to the Phabricator directory.

     $ cd /opt/bitnami/apps/phabricator
    
  • Download the extension from https://github.com/wikimedia/phabricator-extensions-Sprint.

     $ sudo git clone https://github.com/wikimedia/phabricator-extensions-Sprint.git ./sprint
    
  • Edit the permissions of the directory.

     $ sudo chown bitnami:daemon -R ./sprint/
    
  • Run the following commands.

     $ cd /opt/bitnami/apps/phabricator/htdocs/bin
     $ sudo ./config set load-libraries '{"sprint":"/opt/bitnami/apps/phabricator/sprint/src"}'
    
  • Create a symlink to the htdocs/ directory.

     $ sudo ln -s /opt/bitnami/apps/phabricator/sprint/rsrc/webroot-static  /opt/bitnami/apps/phabricator/htdocs/webroot/rsrc/sprint
    