1 Deployment
Stefan Naumann edited this page 1 year ago

Running the application safely

mvoCI is a continuous-integration server and therefore does not limit what is executed. Running the application with the wrong privileges may result in compromised machines, loss of data or maybe even broken hardware.

This wiki article identifies possible loopholes to be aware of when running mvoCI on your own hardware.

Starting mvoCI


systemd allows chrooting an application and running it under its own user. It is highly recommended to do that with mvoCI, to limit the harm a build can do. The following example .service file depicts a possible scenario (it is a modified file from the Gitea project).


[Service]
# Run under the dedicated, unprivileged mvoci account
User=mvoci
Group=mvoci
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
ExecStart=/home/mvoci/mvoci --web
Environment=USER=mvoci HOME=/home/mvoci
# If you want to bind mvoCI to a port below 1024 uncomment
# the two values below
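
An added example, not part of the original page or of the mvoCI project: a systemd drop-in that confines the service beyond running it under its own user. The drop-in path, the unit name mvoci.service, the chroot directory and the assumption that all mvoCI data and build checkouts live under /home/mvoci are illustrative.

```ini
# /etc/systemd/system/mvoci.service.d/hardening.conf  (assumed path and unit name)
# Added example, not from the mvoCI project. Assumes user/group "mvoci" exist
# and that mvoCI keeps all of its data and build checkouts under /home/mvoci.

[Service]
# Run as the dedicated unprivileged account, never as root.
User=mvoci
Group=mvoci
WorkingDirectory=/home/mvoci

# Build scripts cannot gain privileges through setuid/setgid binaries (sudo, su).
NoNewPrivileges=yes
RestrictSUIDSGID=yes
# Port 4042 is unprivileged, so the service needs no capabilities at all.
CapabilityBoundingSet=
AmbientCapabilities=

# The whole file system is read-only for the service, except its own home.
ProtectSystem=strict
ReadWritePaths=/home/mvoci
# Private /tmp and /var/tmp, so build leftovers are not shared with other services.
PrivateTmp=yes
# Only pseudo devices such as /dev/null and /dev/urandom; no raw disks.
PrivateDevices=yes

# No writes to kernel tunables or cgroups, and no module loading.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# IPv4/IPv6 and local sockets only; no packet sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes

# Alternative to the Protect* settings above: a real chroot. The directory
# (hypothetical path) must then contain the mvoci binary and every tool the
# builds call.
#RootDirectory=/srv/mvoci-chroot
```

After `systemctl daemon-reload` and a restart of the service, `systemd-analyze security mvoci.service` lists which sandboxing options are in effect.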


Configuring the Webserver (Reverse Proxy)

In some scenarios you need to reverse proxy the traffic to and from mvoCI through a web server, for example when you want ci.<yourdomainnamehere>.<st> as the CI's domain name. A reverse proxy is also useful when you require HTTPS.

You may want to add the following to your virtual server's configuration:

<VirtualHost *:80>
    <Proxy *>
         # Apache 2.4 without mod_access_compat: use "Require all granted" instead
         Order allow,deny
         Allow from all
    </Proxy>

    # Note: no trailing slash after either /mvoci or port.
    # Apache does not allow comments on the same line as a directive.
    ProxyPass /mvoci http://localhost:4042
    ProxyPassReverse /mvoci http://localhost:4042
</VirtualHost>

Then you can create a new virtual host and redirect to /mvoci:

<VirtualHost *:80>
	ServerName mvoci.example.org
	Redirect permanent / https://www.example.org/mvoci
</VirtualHost>

Note that unencrypted traffic from mvoCI must not be allowed to leave the machine. To prevent that, set the configuration variable http_address to localhost.