Update 14.03.2017: While the information in this article was accurate at the time of writing, certain changes have happened in the meantime that make some points obsolete. One of them is the Community edition of RhodeCode, and some commands that call Enterprise are now Community. Please consult the RC manual for up-to-date details.
I will explain the setup on Ubuntu server. I usually use CentOS for things like this, but for testing purposes I had an Ubuntu machine handy and tested everything there. There are quite a few possible pitfalls along the way, so fasten your seatbelts!
1. First make sure Ubuntu is updated:
sudo apt-get update
sudo apt-get upgrade
2. Download the latest package for RhodeCode; they will require you to register with them and be subscribed to the newsletter (?!). Transfer the package to your server and make it executable:
sudo chmod 775 RhodeCode-installer-linux-*
./RhodeCode-installer-*
3. So far so good, you install the packages by following the prompt and accepting the license. After that you want to check the status:
rccontrol status
4. There seem to be no instances yet, this is fine. First you need to install the VCSServer and then Enterprise on top of that as per here:
rccontrol install VCSServer
rccontrol install Enterprise
5. It's very important to set the IP for Enterprise to 0.0.0.0 (Gotcha #1); otherwise you will lock it to a certain IP and since we're talking internet and not intranet sharing we probably can't afford a static IP address. 0.0.0.0 will listen on all IP addresses, which is fine. For now it's important to remember the port Enterprise is running on (mine is 10000). Think of it as a web listener. VCSServer is on 8888 in my setup. After that is done you run rccontrol status again and should see something like this:
- NAME: enterprise-1
- STATUS: RUNNING
- TYPE: Enterprise
- VERSION: 3.7.0
- URL: http://0.0.0.0:10000
- NAME: vcsserver-1
- STATUS: RUNNING
- TYPE: VCSServer
- VERSION: 3.7.0
- URL: http://127.0.0.1:8888
6. From another machine aim your url at the server's IP, like this: http://192.168.100.9, and a pretty page should open. If not, check the firewall on the server. Notice that your public repos will be exposed, even without logging in, so you will probably want to make your repos private. Log in with the admin username and password specified during setup. Create a repo, a few users and a group. Add users to the group, and in Repo/Options/Settings/Permissions allow users from that group to be admins on the repo (add the group manually).
7. Each user from the group is identified by email, so gotcha #2 is that users have to log in before they can push to the repo after creation, if they pulled an imported existing repo.
8. If you want to push an existing repo to the server, one of the users can pull, then completely replace the contents of the local folder (especially the .hg folder) and then push to the server - you'll have your full history on the server. I did it another way, like this:
- Zip up the original repo.
- Transfer it to the server.
- Find the newly created repo folder in ~/repos
- Completely replace its contents with the ones extracted from the original repo.
- Restart enterprise-1 by running rccontrol restart enterprise-1
- Refresh the page and your history will be there. Even the authors of the original commits will be shown as new users if the emails match.
9. OK, so that is fine, you can push and pull and it will work. However, we want it to be done over HTTPS and not HTTP. For that we need another web server that will proxy HTTPS requests to Enterprise, and we can use Apache or nginx. I will show the configuration with the latter.
sudo apt-get install nginx
sudo openssl req -new -x509 -days 9999 -nodes -out host.pem -keyout host.key
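Create the /etc/nginx/ssl.conf file:
# Cert generation:
# openssl req -new -x509 -days 9999 -nodes -out host.pem -keyout host.key
# nginx 1.15+ deprecates "ssl on;" in favour of "listen 443 ssl;" in the server block
ssl on;
# SSLv3 and TLSv1 are obsolete and insecure; allow only current TLS versions
# (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/ssl/host.pem;
ssl_certificate_key /etc/nginx/ssl/host.key;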
10. Move the certs from the creation folder to the specified /etc/nginx/ssl which you will need to create. You'll have to be using sudo all the time.
11. Create the /etc/nginx/proxy.conf file:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy-host $proxy_host;
client_max_body_size 400m;
client_body_buffer_size 128k;
proxy_buffering off;
proxy_connect_timeout 7200;
proxy_send_timeout 7200;
proxy_read_timeout 7200;
proxy_buffers 8 32k;
Create the /etc/nginx/sites-enabled/rhodecode.local file with the following contents; note the last port - that's the port number we remembered during the installation.
server {
    listen 80;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443;
    access_log /home/gojko/log/rhodecode.access.log;
    error_log /home/gojko/log/rhodecode.error.log;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/ssl.conf;
    location / {
        try_files $uri @rhode;
    }
    location @rhode {
        proxy_pass http://127.0.0.1:10000;
    }
}
The last thing we need to do is tell RhodeCode we're using HTTPS for sure; we do that by editing the conf in ~/.rccontrol/enterprise-1/rhodecode.ini and setting the following values:
## force https in RhodeCode, fixes https redirects, assumes it's always https
force_https = true
## use Strict-Transport-Security headers
use_htsts = true
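12. Restart both enterprise-1 like before and nginx with sudo nginx -s reload
13. You should be able to see the web page with https and you will get 404 error with http. Because Enterprise was bound to 0.0.0.0 in step 5, port 10000 still answers plain HTTP directly; block it in the server's firewall if all access should go through nginx.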
14. Are we done yet? Not exactly: SourceTree will make a huge fuss about the cert being self-signed, and will not allow you to push. There are a bunch of ways to solve this (Hg does not allow self-signed certs by default). In the end this worked for me: in the mercurial.ini file in your user's directory (on every machine that accesses the server) you put in the fingerprint like this:
[hostfingerprints]
hg.intevation.org = fa:1f:d9:48:f1:e7:74:30:38:8d:d8:58:b6:94:b8:58:28:7d:8b:d0
However, to get the fingerprint numbers, you need to get them from the web browser. Using Chrome, open the page for RhodeCode; click on the red lock, then Certificate information, tab Details, and at the bottom there is a Thumbprint line. Copy/Paste it in mercurial.ini, and don't forget to separate hex pairs with : and not a space.
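An added example, not from the original article: the fingerprint in step 14 is the SHA-1 hash of the DER-encoded certificate, so it can be computed from host.pem directly and used to check a thumbprint pasted from the browser. The sketch also emits the SHA-256 entry for the [hostsecurity] section that Mercurial 3.9 and later prefer. The host name hg.example.local and the sample PEM are constructed placeholders.

```python
import hashlib
import re
import ssl

# Constructed stand-in, NOT a real certificate: the bytes b"abc" in a PEM
# wrapper so the example runs offline. Point this at your own host.pem.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
HOST = "hg.example.local"  # hypothetical host name


def colon_hex(digest: bytes) -> str:
    return ":".join(f"{b:02x}" for b in digest)


def cert_fingerprints(pem: str) -> dict:
    """Hash the DER form of the certificate, which is what Mercurial pins."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {name: colon_hex(hashlib.new(name, der).digest())
            for name in ("sha1", "sha256")}


def normalise_thumbprint(text: str) -> str:
    """Accept 'FA 1F ..', 'fa1f..' or 'fa:1f:..' and return 'fa:1f:..'."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) not in (40, 64):
        raise ValueError("expected 20 (SHA-1) or 32 (SHA-256) hex pairs")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def thumbprint_matches(pasted: str, pem: str) -> bool:
    """True if a thumbprint copied from the browser belongs to this cert."""
    return normalise_thumbprint(pasted) in cert_fingerprints(pem).values()


def mercurial_ini(host: str, pem: str) -> str:
    """Build both pinning stanzas for mercurial.ini / .hgrc."""
    fp = cert_fingerprints(pem)
    return (f"[hostfingerprints]\n{host} = {fp['sha1']}\n\n"
            "# Mercurial 3.9+ prefers this section\n"
            f"[hostsecurity]\n{host}:fingerprints = sha256:{fp['sha256']}\n")


if __name__ == "__main__":
    # For a live server, ssl.get_server_certificate(("host", 443)) returns the
    # PEM without validating it, so compare it against the file on the server.
    print(mercurial_ini(HOST, SAMPLE_PEM))
```

Run it against the host.pem created in step 9 rather than a certificate fetched over the network, so the pinned value comes from the server itself.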
That would be all for now. For homework, make the server run the rccontrol status command on every startup.