Bitnami Phabricator Installer

NOTE: Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and Mac OS X) or by clicking the shortcut in the Start Menu under "Start -> Bitnami APPNAME Stack -> Application console" (Windows). Learn more.

NOTE: When running the commands shown on this page, replace the installdir placeholder with the full installation directory for your Bitnami stack.

IMPORTANT: Phabricator requires you to access the application using a specific domain. This domain is the public IP address for the server on which it is installed.

Description

Phabricator is a collection of open source web applications that help software companies build better software.

First steps with the Bitnami Phabricator Stack

Welcome to your new Bitnami application! Here are a few questions (and answers!) you might need when first starting with your application.

What are the system requirements?

Before you download and install your application, check that your system meets these requirements.

How do I install the Bitnami Phabricator Stack?

Windows, OS X and Linux installer

Download the executable file for the Bitnami Phabricator Stack from the Bitnami website.
Run the downloaded file:
- On Linux, give the installer executable permissions and run the installation file in the console.
- On other platforms, double-click the installer and follow the instructions shown.

Check the FAQ instructions on how to download and install a Bitnami Stack for more details.

The application will be installed to the following default directories:

Operating System	Directory
Windows	C:\Bitnami\APPNAME-VERSION
Mac OS X	/Applications/APPNAME-VERSION
Linux	/opt/APPNAME-VERSION (running as root user)

OS X VM

Download the OS X VM file for the Bitnami Phabricator Stack from the Bitnami website.
Begin the installation process by double-clicking the image file and dragging the WordPress OS X VM icon to the Applications folder.
Launch the VM by double-clicking the icon in the Applications folder.

What credentials do I need?

You need application credentials, consisting of a username and password. These credentials allow you to log in to your new Bitnami application.

What is the administrator username set for me to log in to the application for the first time?

For Windows, Linux and OS X installers, the username was configured by you when you first installed the application.
For OS X VMs, the username can be obtained by clicking the Bitnami badge at the bottom right corner of the application welcome page.

What is the administrator password?

For Windows, Linux and OS X installers, the password was configured by you when you first installed the application.
For OS X VMs, the password can be obtained by clicking the Bitnami badge at the bottom right corner of the application welcome page.

How to start or stop the services?

Linux

Bitnami native installers include a graphical tool to manage services. This tool is named manager-linux-x64.run on Linux and is located in the installation directory. To use this tool, double-click the file and then use the graphical interface to start, stop or restart services. Server log messages can be checked in the "Server Events" tab.

The native installer also includes a command-line script to start, stop and restart applications, named ctlscript.sh. This script can be found in the installation directory and accepts the options start, stop, restart, and status. To use it, log in to the server console and execute it following the examples below:

Call it without any service names to start all services:
```
  $ sudo installdir/ctlscript.sh start
```

Use it to restart a specific service only by passing the service name as argument - for example, mysql, postgresql or apache:

  $ sudo installdir/ctlscript.sh restart mysql
  $ sudo installdir/ctlscript.sh restart postgresql
  $ sudo installdir/ctlscript.sh restart apache

Obtain current status of all services:
```
  $ installdir/ctlscript.sh status
```

The list of available services varies depending on the required components for each application.

Mac OS X

Bitnami native installers include a graphical tool to manage services. This tool is named manager-osx on Mac OS X and is located in the installation directory. To use this tool, double-click the file and then use the graphical interface to start, stop or restart services. Server log messages can be checked in the "Server Events" tab.

Call it without any service names to start all services:
```
$ sudo installdir/ctlscript.sh start
```
Use it to restart a specific service only by passing the service name as argument - for example, mysql or apache:
```
 $ sudo installdir/ctlscript.sh restart mysql
 $ sudo installdir/ctlscript.sh restart apache
```
Obtain current status of all services:
```
 $ installdir/ctlscript.sh status
```

The list of available services varies depending on the required components for each application.

NOTE: If you are using the stack manager for Mac OS X-VM, please check the following blog post to learn how to manage services from its graphical tool.

Windows

Bitnami native installers include a graphical tool to manage services. This tool is named manager-windows.exe on Windows and is located in the installation directory. To use this tool, double-click the file and then use the graphical interface to start, stop or restart services. Server log messages can be checked in the "Server Events" tab.

The Windows native installer creates shortcuts to start and stop services created in the Start Menu, under "Programs -> Bitnami APPNAME Stack -> Bitnami Service". Servers can also be managed from the Windows "Services" control panel. Services are named using the format APPNAMESERVICENAME, where APPNAME is a placeholder for the application name and SERVICENAME is a placeholder for the service name. For example, the native installer for the Bitnami WordPress Stack installs services named wordpressApache and wordpressMySQL.

These services will be automatically started during boot. To modify this behaviour, refer to the section on disabling services on Windows.

How to configure outbound email settings?

You can configure the email settings by changing the following properties. Here is an example using a Gmail account. Replace USERNAME and PASSWORD with your Gmail account username and password respectively.

phpmailer.smtp-host (eg. smtp.gmail.com)
phpmailer.smtp-port (eg.  465)
phpmailer.smtp-protocol (eg.  ssl)
phpmailer.smtp-user (eg.  USERNAME@gmail.com)
phpmailer.smtp-password (eg. PASSWORD)

You can change the value of these properties through the Phabricator application ("Config -> PHPMailer" menu) or by running the command:

$ installdir/apps/phabricator/htdocs/bin/config set property value

where property has to be one of the above and value the corresponding value. The above example shows how configure Phabricator with an Gmail account.

For advanced configuration, refer to the official email configuration article.

To configure the application to use other third-party SMTP services for outgoing email, such as SendGrid or Mandrill, refer to the FAQ.

NOTE: If you are using Gmail as the outbound email server and have experienced issues trying to send emails correctly, check the How to troubleshoot Gmail SMTP issues to learn the causes of these issues and how to solve them.

How to create a full backup of Phabricator?

The Bitnami Phabricator Stack is self-contained and the simplest option for performing a backup is to copy or compress the Bitnami stack installation directory. To do so in a safe manner, you will need to stop all servers, so this method may not be appropriate if you have people accessing the application continuously.

NOTE: If you want to create only a database backup, refer to these instructions for MySQL and PostgreSQL.

Backup on Linux and Mac OS X

Follow these steps:

Change to the directory in which you wish to save your backup.
```
 $ cd /your/directory
```
Stop all servers.
```
 $ sudo installdir/ctlscript.sh stop
```

Create a compressed file with the stack contents.

 $ sudo tar -pczvf application-backup.tar.gz installdir

Start all servers.
```
 $ sudo installdir/ctlscript.sh start
```
Download or transfer the application-backup.tar.gz file to a safe location.

You should now download or transfer the application-backup.tar.gz file to a safe location.

Backup on Windows

Follow these steps:

Stop all servers using the shortcuts in the Start Menu or the graphical manager tool.
Create a compressed file with the stack contents. You can use a graphical tool like 7-Zip or WinZip or just right-click the folder, click "Send to", and select the "Compressed (zipped) folder" option.
Download or transfer the compressed file to a safe location.
Start all servers using the shortcuts in the Start Menu or the graphical manager tool.

Restore on Linux and Mac OS X

Follow these steps:

Change to the directory containing your backup:
```
$ cd /your/directory
```
Stop all servers.
```
$ sudo installdir/ctlscript.sh stop
```
Move the current stack to a different location:
```
$ sudo mv installdir /tmp/bitnami-backup
```
Uncompress the backup file to the original directory:
```
$ sudo tar -pxzvf application-backup.tar.gz -C /
```
Start all servers.
```
$ sudo installdir/ctlscript.sh start
```

IMPORTANT: When restoring, remember to maintain the original permissions for the files and folders. For example, if you originally installed the stack as the root user on Linux, make sure that the restored files are owned by root as well.

Restore on Windows

Change to the directory containing your backup:
```
   $ cd /your/directory
```
Stop all servers using the shortcuts in the Start Menu or the graphical manager tool.
Uninstall the previous services by executing the following command:
```
    $ serviceinstall.bat
```
Create a safe folder named Backups in the desktop and move the current stack to it. Remember to replace PATH with the right location of your folder:
```
    $ move installdir \PATH\Backups
```
Uncompress the backup file using a tool like 7-Zip or Winzip or just double-click the .zip file to uncompress it, and move it to the original directory.
Install services by running the following commands from an elevated command prompt:
```
  $ cd installdir
  $ serviceinstall.bat INSTALL
```
Start all servers using the shortcuts in the Start Menu or the graphical manager tool.

How to upgrade Phabricator?

It is strongly recommended to create a backup before starting the update process. If you have important data, create and try to restore a backup to ensure that everything works properly.

You can upgrade the application only without modifying any other stack components. Phabricator uses two additional components, libphutil and arcanist, which are already included and can be updated too. Follow the steps below:

Stop the servers:
```
 $ installdir/ctlscript.sh stop
```

Upgrade libphutil:

 $ cd installdir/apps/phabricator/libphutil
 $ git pull

Upgrade Arcanist:

 $ cd installdir/apps/phabricator/arcanist
 $ git pull

Upgrade Phabricator. Ensure that MySQL is running before executing these commands:

 $ cd installdir/apps/phabricator/htdocs
 $ git pull
 $ installdir/ctlscript.sh start mysql
 $ installdir/apps/phabricator/htdocs/bin/storage upgrade

Start servers:
```
 $ installdir/ctlscript.sh start
```

How to create an SSL certificate?

OpenSSL is required to create an SSL certificate. A certificate request can then be sent to a certificate authority (CA) to get it signed into a certificate, or if you have your own certificate authority, you may sign it yourself, or you can use a self-signed certificate (because you just want a test certificate or because you are setting up your own CA).

Follow the steps below for your platform.

Linux and Mac OS X

NOTE: OpenSSL will typically already be installed on Linux and Mac OS X. If not installed, install it manually using your operating system's package manager.

Follow the steps below:

Generate a new private key:

 $ sudo openssl genrsa -out installdir/apache2/conf/server.key 2048

Create a certificate:
```
 $ sudo openssl req -new -key installdir/apache2/conf/server.key -out installdir/apache2/conf/cert.csr
```
IMPORTANT: Enter the server domain name when the above command asks for the "Common Name".
Send cert.csr to the certificate authority. When the certificate authority completes their checks (and probably received payment from you), they will hand over your new certificate to you.

Until the certificate is received, create a temporary self-signed certificate:

 $ sudo openssl x509 -in installdir/apache2/conf/cert.csr -out installdir/apache2/conf/server.crt -req -signkey installdir/apache2/conf/server.key -days 365

Back up your private key in a safe location after generating a password-protected version as follows:
```
 $ sudo openssl rsa -des3 -in installdir/apache2/conf/server.key -out privkey.pem
```
Note that if you use this encrypted key in the Apache configuration file, it will be necessary to enter the password manually every time Apache starts. Regenerate the key without password protection from this file as follows:
```
 $ sudo openssl rsa -in privkey.pem -out installdir/apache2/conf/server.key
```

Windows

NOTE: OpenSSL is not typically installed on Windows. Before following the steps below, download and install a binary distribution of OpenSSL.

Follow the steps below once OpenSSL is installed:

Set the OPENSSL_CONF environment variable to the location of your OpenSSL configuration file. Typically, this file is located in the bin/ subdirectory of your OpenSSL installation directory. Replace the OPENSSL-DIRECTORY placeholder in the command below with the correct location.
```
 $ set OPENSSL_CONF=C:\OPENSSL-DIRECTORY\bin\openssl.cfg
```
Change to the bin/ sub-directory of the OpenSSL installation directory. Replace the OPENSSL-DIRECTORY placeholder in the command below with the correct location.
```
 $ cd C:\OPENSSL-DIRECTORY\bin
```

Generate a new private key:

 $ openssl genrsa -out installdir/apache2/conf/server.key 2048

Create a certificate:
```
 $ openssl req -new -key installdir/apache2/conf/server.key -out installdir/apache2/conf/cert.csr
```
IMPORTANT: Enter the server domain name when the above command asks for the "Common Name".
Send cert.csr to the certificate authority. When the certificate authority completes their checks (and probably received payment from you), they will hand over your new certificate to you.

Until the certificate is received, create a temporary self-signed certificate:

 $ openssl x509 -in installdir/apache2/conf/cert.csr -out installdir/apache2/conf/server.crt -req -signkey installdir/apache2/conf/server.key -days 365

Back up your private key in a safe location after generating a password-protected version as follows:
```
 $ openssl rsa -des3 -in installdir/apache2/conf/server.key -out privkey.pem
```
Note that if you use this encrypted key in the Apache configuration file, it will be necessary to enter the password manually every time Apache starts. Regenerate the key without password protection from this file as follows:
```
 $ openssl rsa -in privkey.pem -out installdir/apache2/conf/server.key
```

Find more information about certificates at http://www.openssl.org.

How to enable HTTPS support with SSL certificates?

TIP: If you wish to use a Let's Encrypt certificate, you will find specific instructions for enabling HTTPS support with Let's Encrypt SSL certificates in our Let's Encrypt guide.

NOTE: The steps below assume that you are using a custom domain name and that you have already configured the custom domain name to point to your cloud server.

Bitnami images come with SSL support already pre-configured and with a dummy certificate in place. Although this dummy certificate is fine for testing and development purposes, you will usually want to use a valid SSL certificate for production use. You can either generate this on your own (explained here) or you can purchase one from a commercial certificate authority.

Once you obtain the certificate and certificate key files, you will need to update your server to use them. Follow these steps to activate SSL support:

Use the table below to identify the correct locations for your certificate and configuration files.

Variable	Value
Current application URL	https://[custom-domain]/
	Example: https://my-domain.com/ or https://my-domain.com/appname
Apache configuration file	installdir/apache2/conf/bitnami/bitnami.conf
Certificate file	installdir/apache2/conf/server.crt
Certificate key file	installdir/apache2/conf/server.key
CA certificate bundle file (if present)	installdir/apache2/conf/server-ca.crt

Copy your SSL certificate and certificate key file to the specified locations.

NOTE: If you use different names for your certificate and key files, you should reconfigure the SSLCertificateFile and SSLCertificateKeyFile directives in the corresponding Apache configuration file to reflect the correct file names.

If your certificate authority has also provided you with a PEM-encoded Certificate Authority (CA) bundle, you must copy it to the correct location in the previous table. Then, modify the Apache configuration file to include the following line below the SSLCertificateKeyFile directive. Choose the correct directive based on your scenario and Apache version:

Variable	Value
Apache configuration file	installdir/apache2/conf/bitnami/bitnami.conf
Directive to include (Apache v2.4.8+)	SSLCACertificateFile "installdir/apache2/conf/server-ca.crt"
Directive to include (Apache < v2.4.8)	SSLCertificateChainFile "installdir/apache2/conf/server-ca.crt"

NOTE: If you use a different name for your CA certificate bundle, you should reconfigure the SSLCertificateChainFile or SSLCACertificateFile directives in the corresponding Apache configuration file to reflect the correct file name.

Once you have copied all the server certificate files, you may make them readable by the root user only with the following commands:
```
 $ sudo chown root:root installdir/apache2/conf/server*

 $ sudo chmod 600 installdir/apache2/conf/server*
```
Open port 443 in the server firewall. Refer to the FAQ for more information.
Restart the Apache server.

You should now be able to access your application using an HTTPS URL.

How to force HTTPS redirection with Apache?

Add the following lines in the default Apache virtual host configuration file at installdir/apache2/conf/bitnami/bitnami.conf, inside the default VirtualHost directive, so that it looks like this:

<VirtualHost _default_:80>
  DocumentRoot "installdir/apache2/htdocs"
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  ...
</VirtualHost>

After modifying the Apache configuration files:

Open port 443 in the server firewall. Refer to the FAQ for more information.
Restart Apache to apply the changes.

How to debug Apache errors?

Once Apache starts, it will create two log files at installdir/apache2/logs/access_log and installdir/apache2/logs/error_log respectively.

The access_log file is used to track client requests. When a client requests a document from the server, Apache records several parameters associated with the request in this file, such as: the IP address of the client, the document requested, the HTTP status code, and the current time.
The error_log file is used to record important events. This file includes error messages, startup messages, and any other significant events in the life cycle of the server. This is the first place to look when you run into a problem when using Apache.

If no error is found, you will see a message similar to:

Syntax OK

How to find the MySQL database credentials?

Database username: root.
Database password: The same as the application password. Find out how to obtain application credentials.

How to connect to the MySQL database?

You can connect to the MySQL database from the same computer where it is installed with the mysql client tool.

$ mysql -u root -p

You will be prompted to enter the root user password. This is the same as the application password.

How to debug errors in your database?

The main log file is created at installdir/mysql/data/mysqld.log on the MySQL database server host.

How to change the MySQL root password?

You can modify the MySQL password using the following command at the shell prompt. Replace the NEW_PASSWORD placeholder with the actual password you wish to set.

$ installdir/mysql/bin/mysqladmin -p -u root password NEW_PASSWORD

How to reset the MySQL root password?

If you don't remember your MySQL root password, you can follow the steps below to reset it to a new value:

Create a file in /home/bitnami/mysql-init with the content shown below (replace NEW_PASSWORD with the password you wish to use):
```
 UPDATE mysql.user SET Password=PASSWORD('NEW_PASSWORD') WHERE User='root';
 FLUSH PRIVILEGES;
```
If your stack ships MySQL v5.7.x, use the following content instead of that shown above:
```
 UPDATE mysql.user SET authentication_string=PASSWORD('NEW_PASSWORD') WHERE User='root';
 FLUSH PRIVILEGES;
```
TIP: Check the MySQL version with the command installdir/mysql/bin/mysqladmin --version or installdir/mysql/bin/mysqld --version.

Stop the MySQL server:

 $ sudo installdir/ctlscript.sh stop mysql

Start MySQL with the following command:

 $ sudo installdir/mysql/bin/mysqld_safe --pid-file=installdir/mysql/data/mysqld.pid --datadir=installdir/mysql/data --init-file=/home/bitnami/mysql-init 2> /dev/null &

Restart the MySQL server:

 $ sudo installdir/ctlscript.sh restart mysql

Remove the script:
```
 $ rm /home/bitnami/mysql-init
```

How to change the MySQL root password in Windows?

You can modify the MySQL password using the following command at the shell prompt. Replace the NEW_PASSWORD placeholder with the actual password you wish to set.

installdir\mysql\bin\mysqladmin.exe -p -u root password NEW_PASSWORD

How to reset the MySQL root password in Windows?

If you don't remember your MySQL root password, you can follow the steps below to reset it to a new value:

Stop the MySQL server using the graphic manager tool. Refer to the how to start or stop the services section.
Check the MySQL version:

installdir\mysql\bin\mysqladmin.exe –version
Create a file named mysql-init.txt with the content shown below depending on your MySQL version (replace NEW_PASSWORD with the password you wish to use):
- MySQL 5.6.x or earlier:
```
 UPDATE mysql.user SET Password=PASSWORD('NEW_PASSWORD') 
 WHERE User='root';
 FLUSH PRIVILEGES;
```
- MySQL 5.7.x or later:
```
 ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW_PASSWORD'; 
```
Start MySQL server with the following command. Remember to replace PATH with the location in which you have saved the mysql-init.txt file:
```
 installdir " installdir\mysql\bin\mysqld.exe" --defaults-file=" installdir\mysql\my.ini" --init-file="\PATH\mysql-init.txt" --console
```
- The --init file option is used by the server for executing the content of the mysql-init.txt file at startup, it will change each root account password.
- The --defaults-file option is specified since you have installed MySQL using the Bitnami installer.
- The --console option (optional) has been added in order to show the server output at the console window rather than in the log file.
After some minutes, hit Ctrl-C to force the shutdown.
Restart the MySQL server from the graphic manager tool.
After the server has restarted successfully, delete the mysql-init.txt file.

How to access phpMyAdmin?

You should be able to access phpMyAdmin directly, by browsing to http://127.0.0.1/phpmyadmin.

The username is root for phpMyAdmin, and the password is the one specified by you during the installation process.

How to modify PHP settings for Apache?

The PHP configuration file allows you to configure the modules enabled, the email settings or the size of the upload files. It is located at installdir/php/etc/php.ini.

For example, to modify the default upload limit for PHP, update the PHP configuration file following these instructions.

After modifying the PHP configuration file, restart both Apache and PHP-FPM for the changes to take effect:

$ sudo installdir/ctlscript.sh restart apache
$ sudo installdir/ctlscript.sh restart php-fpm

How to modify the allowed limit for uploaded files in Apache?

Modify the following options in the installdir/php/etc/php.ini file to increase the allowed size for uploads:

; Maximum size of POST data that PHP will accept.
post_max_size = 16M

; Maximum allowed size for uploaded files.
upload_max_filesize = 16M

Restart PHP-FPM and Apache for the changes to take effect.

$ sudo installdir/ctlscript.sh restart apache
$ sudo installdir/ctlscript.sh restart php-fpm

How to configure and enable Conpherence?

To enable Conpherence, follow these steps:

Install Node.js and npm (if not already installed) using the official installation instructions.

Set the Node.js environment variable:

 $ export NODE_PATH=/usr/lib/node_modules

Install ws globally:
```
 $ sudo npm install -g ws
```

Start the Aphlict service:

 $ installdir/apps/phabricator/htdocs/bin/aphlict start --config installdir/apps/phabricator/htdocs/conf/aphlict/aphlict.default.json

Log in to Phabricator as an administrator and navigate to the "Configuration -> Core Settings -> Notifications" section.
Modify the notification.servers value by entering the following configuration, ensuring the IP-ADDRESS placeholder reflects the IP address of the server hosting Phabricator. Click the "Save Config Entry" button once done.
```
[ { "type": "client", "host": "IP-ADDRESS", "port": 22280, "protocol": "http" }, { "type": "admin", "host": "127.0.0.1", "port": 22281, "protocol": "http" } ]
```
Here's what the result should look like:
Open port 22280 in the server firewall. Refer to the FAQ for more information on how to do this.

Real-time notifications should now be enabled.

How to configure an external repository in Phabricator?

Phabricator supports Git, Mercurial and Subversions protocols. You can check the documentation for advanced configuration.

To configure an existing GitHub repository with Phabricator, follow these steps:

Log in to Phabricator as an administrator.
Select the "Diffusion" tab in the menu.
On the resulting page, click the "Create repository" link in the top right corner.
Create a Git, Mercurial or Subversion repository. This example will use a Github repository.
Enter a human-readable name for the repository and an internal "callsign".
On the repository details page, select the "URIs" option in the left navigation bar and click the "Add New URI" button.
Enter the external repository's clone URL in the "URI" field and set the "I/O Type" to "Observe". You can obtain the clone URL from the repository's Github page. Click the "Create Repository URI" button to create the new URL.
If the remote Github repository is not public and requires credentials for access, click the "Set Credential" button on the URL detail page.
In the resulting dialog, click the "Add New Credential" button. Enter the username and password for the repository. Click the "Create Credential" button once done to save the new credentials.
By default, the repository will be visible to all users and editable by administrators. If you wish to change these access policies, from the repository details page, select the "Policies" option in the left navigation bar and click the "Edit" button.
Modify the policies as needed and click "Save Changes" to save the changes.
On the repository details page, select the "Basics" option in the left navigation bar and choose the "Activate Repository" from the "Actions" button to begin importing the repository. Confirm the activation in the subsequent dialog.

If all goes well, your repository will be imported. You can check the status of the import from the "Basics" section of the repository details page, as shown below:

Phabricator will now continuously and automatically synchronize with the remote Github repository and display commits and changes as they happen.

You can also access the repository later from the "Diffusion" tab, which will show you a list of active repositories and the latest commit in each. Clicking the repository name will display detailed information on the repository.

How to create a hosted repository in Phabricator?

Using HTTP authentication

By default, Phabricator disables HTTP authentication, so enable it by following these steps:

 $ sudo installdir/apps/phabricator/htdocs/bin/config set diffusion.allow-http-auth true

Restart Phabricator so the new setting comes into effect.
```
 $ sudo installdir/ctlscript.sh restart phabricator
```
Log in to Phabricator as an administrator.
Click the user icon in the top navigation bar and then the "Settings" menu item.
Select the "Personal Account Settings" menu item.
On the resulting page, select the "Authentication -> VCS Password" menu item.
Enter and verify a new VCS password. Click "Change Password" to save the password.

To configure a new GitHub repository hosted in Phabricator with HTTP authentication, follow these steps:

Click the Phabricator logo in the top navigation bar.
Select the "Diffusion" tab in the left navigation menu.
On the resulting page, click the "Create repository" link in the top right corner.
Create a new hosted repository by selecting the repository type - in this case, Git.
Enter a human-readable name for the repository and an internal "callsign".
From the repository details page, select the "Policies" option in the left navigation bar and click the "Edit" button. Define the access policies for the repository by specifying which groups can view, edit and push to it.
On the repository details page, select the "Basics" option in the left navigation bar and choose the "Activate Repository" from the "Actions" button. Confirm the activation in the subsequent dialog.

If all goes well, your repository will be created. You can select the "Status" menu item to confirm. You should see a success page like the one below.

Browse to the "URIs" page from the repository details page to obtain the repository clone URL.

Using SSH authentication

NOTE: The Bitnami Phabricator Stack requires OpenSSHD 6.2 or newer. If your version of SSH is older than this, please upgrade to a newer version before following the instructions in this guide.

Step 1: Add a Special VCS User Account

Phabricator needs a user account that repository users will connect over SSH as. You must first create this user account and give it a few tweaks to work with Phabricator. In this guide, the user account is called vcs-user, although you can use a different user name if you wish (but if you do so, remember to update it in all the commands shown below).

Follow the steps below:

Log in to your server console as usual.
Create the new user account.
```
 $ sudo adduser vcs-user
```
Give the user the same privileges as the user account the Phabricator daemons are running as. Usually, this is the same account that was used to install the Bitnami Phabricator Stack. Execute the command below:
```
 $ sudo visudo
```

Add the line below to the end of the file and save your changes:

 vcs-user ALL=(USERNAME) SETENV: NOPASSWD: installdir/git/bin/git-upload-pack, installdir/git/bin/git-receive-pack

Edit the /etc/shadow file and within the file, find the line for the new vcs-user account and replace the password field (the second field) with the letters NP, as shown in the image below.

Step 2: Configure Phabricator

Next, you must set two important configuration variables in Phabricator. The phd.user variable defines the name of the user the daemons run as, while the diffusion.ssh-user variable sets the name of the user for SSH connections.

Follow the steps below for your platform.

Log in to your server console as usual.
Run the following commands to set the necessary variables. Note that the phd.user variable should be set to the name of the user account the Phabricator daemons are running as (usually, the same account that the Bitnami Phabricator Stack was installed under).
```
 $ cd installdir/apps/phabricator/htdocs/
 $ sudo ./bin/config set phd.user USERNAME
 $ sudo ./bin/config set diffusion.ssh-user vcs-user
```

Restart Phabricator for the changes to take effect.

 $ sudo installdir/ctlscript.sh restart phabricator

Step 3: Open a New Firewall Port For SSH

Phabricator uses a highly restricted version of SSH running on port 22. Therefore, before you can use SSH authentication with Phabricator, you must move your existing SSH server to a different port, such as port 222, so that you can continue to log in to the server console for other tasks.

Refer to the documentation for your firewall to open port 222 for SSH server access. For example, if you are using iptables, you could use the following command:

$ sudo iptables -A INPUT -p tcp --dport 222 -j ACCEPT

Step 4: Test SSH Access on the New Port

Next, run a separate instance of the SSH server on port 222 and verify that you can log in, before transferring it permanently. This is an important step to ensure that you do not inadvertently get locked out of your server.

Log in to your server console as usual.
Run the following command to start the SSH server on port 222:
```
 $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config -p 222
```

This will run a separate instance of the SSH server on port 222. You should now try logging in to the server console, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section below.

Step 5: Move Your SSH Server to the New Port

The steps below will permanently transfer your SSH server to run on port 222.

Log in to your server console as usual.
Edit the SSH server configuration file at /etc/ssh/sshd_config:
```
 $ sudo vi /etc/ssh/sshd_config
```
Within the file, find the line containing the Port directive and update it to use port 222, as below:
```
 Port 222
```
Save the file.
Restart the SSH server.
```
 $ sudo service ssh restart
```

You should now try logging in to the server console again, remembering to specify the port number as 222. If you are able to successfully log in, proceed to the next section.

Step 6: Start Phabricator's Restricted SSH Server

The steps below will start Phabricator's restricted SSH server on the original SSH port, port 22.

Log in to your server console as usual.
Copy the installdir/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh file to the /usr/share directory.
```
 $ sudo cp installdir/apps/phabricator/htdocs/resources/sshd/phabricator-ssh-hook.sh /usr/share/
```
Edit the /usr/share/phabricator-ssh-hook.sh file and update the values of the VCSUSER and ROOT variables as follows:
```
 VCSUSER="vcs-user"
 ROOT="installdir/apps/phabricator/htdocs"
```

Modify the permissions of /usr/share/phabricator-ssh-hook.sh as follows:

 $ sudo chown root /usr/share/phabricator-ssh-hook.sh
 $ sudo chmod 755 /usr/share/phabricator-ssh-hook.sh

Copy Phabricator's restricted SSH server configuration file to your /etc/ssh directory:

 $ sudo cp installdir/apps/phabricator/htdocs/resources/sshd/sshd_config.phabricator.example /etc/ssh/sshd_config.phabricator

Edit the /etc/ssh/sshd_config.phabricator file and modify the AuthorizedKeysCommand, AuthorizedKeysCommandUser, Port and AllowUsers directives so that they look like this:
```
 AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh
 AuthorizedKeysCommandUser vcs-user
 AllowUsers vcs-user
 Port 22
```

Run the Phabricator SSH server as follows:

 $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator

It is also necessary to make the PHP binary available in the default path for the vcs-user account. Use the following command to create the necessary link.
```
 $ sudo ln -s installdir/php/bin/php /usr/bin/php
```

Step 7: Add Public Keys to Phabricator

This is a good time to add your users' public SSH keys to Phabricator so that they can authenticate themselves over SSH. To do this, follow the steps below:

Log in to Phabricator as an administrator.
Click the user icon in the top navigation bar and then the "Settings" menu item.
Select the "Personal Account Settings" menu item.
On the resulting page, select the "Authentication -> SSH Public Keys" menu item.
Select the "SSH Key Actions -> Upload Public Key" menu item.
Enter the name and content of the public key.
Click "Upload Public Key" to save the new public key to the system.

Repeat the last three steps for each user to be authenticated over SSH.

Step 8: Test SSH Authentication

You can now run a quick test to see if everything is working correctly. To do this:

Execute the following command:

 $ echo {} | ssh vcs-user@localhost conduit conduit.ping

If everything is correctly configured, the server response should look like the example below:

    {"result":"my-hostname","error_code":null,"error_info":null}

If you see a different response, see the Troubleshooting section below.

Step 9: Configure a Self-Hosted Repository with SSH Authentication

To configure a new GitHub repository hosted in Phabricator with SSH authentication, follow these steps:

Click the Phabricator logo in the top navigation bar.
Select the "Diffusion" tab in the left navigation menu.
On the resulting page, click the "Create repository" link in the top right corner.
Create a new hosted repository by selecting the repository type - in this case, Git.
Enter a human-readable name for the repository and an internal "callsign".
From the repository details page, select the "Policies" option in the left navigation bar and click the "Edit" button. Define the access policies for the repository by specifying which groups can view, edit and push to it.
On the repository details page, select the "Basics" option in the left navigation bar and choose the "Activate Repository" from the "Actions" button. Confirm the activation in the subsequent dialog.

If all goes well, your repository will be created. You can select the "Status" menu item to confirm. You should see a success page like the one below.

To obtain the repository clone URL, access the repository detail page from the "Diffusion" tab, which contains the complete clone URL.

Users whose public keys are stored in Phabricator should now be able to clone the repository using a command like:

$ git clone clone-url

Troubleshooting

The quickest way to troubleshoot authentication issues is to run Phabricator's restricted SSH server in debug mode and view the error log it generates. To do this, first ensure it is not running (or kill the existing running process) and then replace the last command in Step 6 with this one:

  $ sudo /usr/sbin/sshd -d -d -d -f /etc/ssh/sshd_config.phabricator &

This will start Phabricator's SSH server in debug mode and display a running log of error messages on the console. You can now test SSH access as described in Step 8 and watch the log to access more detailed error information. Common errors include incorrect key file permissions, invalid file paths in configuration files or missing binaries.

Please also refer to the Troubleshooting section of the Diffusion user guide for more troubleshooting steps and ideas.

How to enable SSL?

NOTE: Ensure that the Apache server is already configured to enable SSL connections.

Phabricator serves static resources using the URL configured in the phabricator.base-uri property. Set this property to reflect the new HTTPS URL by running the following command and replacing the URL placeholder with the correct HTTPS URL:

$ sudo installdir/apps/phabricator/htdocs/bin/config set phabricator.base-uri URL

If not using a CDN to serve static resources, also execute the following command:

$ sudo installdir/apps/phabricator/htdocs/bin/config delete security.alternate-file-domain

The bnconfig tool automatically configures Phabricator's IP address or domain on each server reboot. Once configured, remove this tool to avoid any change in the application. Refer to the bnconfig page for more information.

$ mv installdir/apps/phabricator/bnconfig <installdir>/apps/phabricator/bnconfig.disabled

How to install the Sprint extension on Phabricator?

To install the Sprint extension on Phabricator, follow these steps:

Download the extension from https://github.com/wikimedia/phabricator-extensions-Sprint.

 $ sudo git clone https://github.com/wikimedia/phabricator-extensions-Sprint.git ./sprint

Edit the permissions of the directory.

 $ sudo chown bitnami:daemon -R ./sprint/

Run the the following commands.

 $ cd installdir/apps/phabricator/htdocs/bin
 $ sudo ./config set load-libraries '{"sprint":"installdir/apps/phabricator/sprint/src"}'

Create a symlink to the htdocs/ directory.

 $ sudo ln -s installdir/apps/phabricator/sprint/rsrc/webroot-static  installdir/apps/phabricator/htdocs/webroot/rsrc/sprint