Hi,
I have a question about HTTP Authentication (with a reverse proxy): when a full site is protected, as in this case, it is impossible to log in on an authenticated REST API entrypoint.
Basically, I created a Gerrit server behind an Apache2 which protects access to "/" through Basic Auth, to try to resolve an issue I have in my Android app (https://github.com/jruesga/rview/issues/59). Below is the configuration I have used; I just compiled the latest code from master (dd7d86c) to test.
======= apache2 ==============
<VirtualHost *:80>
ServerAdmin admin@vmgerrit2
ServerName vmgerrit2
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
ErrorLog /var/log/apache2/gerrit.error.log
CustomLog /var/log/apache2/gerrit.access.log combined
<Location "/">
AuthType Basic
AuthName "Gerrit Code Review"
Require valid-user
AuthUserFile /etc/apache2/passwd/passwd.users
</Location>
<Proxy *>
Require all granted
</Proxy>
AllowEncodedSlashes On
ProxyPass / http://127.0.0.1:8081/ nocanon
ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

======= gerrit conf ==============
[gerrit]
basePath = /opt/gerrit/repo
serverId = 181c8fd7-3a1b-47b0-a85c-e435a044e46b
canonicalWebUrl = http://192.168.0.190/
ui = polygerrit
enableGwtUi = true
[database]
type = h2
database = /opt/gerrit/server/db/ReviewDB
[noteDb "changes"]
disableReviewDb = true
primaryStorage = note db
read = true
sequence = true
write = true
[index]
type = LUCENE
[auth]
type = HTTP
[receive]
enableSignedPush = true
[sendemail]
smtpServer = localhost
[container]
user = jruesga
javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://*:8081/
[cache]
directory = cache

With the attached configuration, I can access the web site correctly with a test user (Apache requests the basic authentication and passes it to Gerrit), and an unauthenticated REST API URL (http://192.168.0.9090:8080/config/server/version) works correctly, but I got "[2017-12-25 21:03:50,736] [HTTP-73] WARN com.google.gerrit.httpd.ProjectBasicAuthFilter : Authentication from 127.0.0.1 failed for test1: password does not match the one stored in Gerrit" when requesting an authenticated entrypoint (http://192.168.0.9090:8080/a/config/server/version).
Digging into the code (https://gerrit.googlesource.com/gerrit/+/master/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java#149) I see that ProjectBasicAuthFilter tries to match the information of the "Authorization" header against a valid username and password, but it is impossible for it to match, because that header has the password used to log in to Apache, which is totally different from the "HTTP password" obtained from the account settings for use in the REST API, so basically it is impossible to use authenticated entrypoints with this configuration.
Shouldn't authenticated requests (https://gerrit.googlesource.com/gerrit/+/master/java/com/google/gerrit/httpd/GitOverHttpModule.java#59) be excluded from filtering through ProjectBasicAuthFilter? Or at least, shouldn't ProjectBasicAuthFilter check only Git URLs? Or am I missing something?
Thanks in advance.
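Added example (not from the original post or from Gerrit's code): a small Python model of the two password checks described above, with constructed credentials, showing that no single Authorization header can satisfy both Apache's htpasswd check on "/" and the /a/ check against Gerrit's separate HTTP password.

```python
import base64
import hmac

# Constructed sample credentials: what Apache's AuthUserFile holds for the
# test user, and the separate "HTTP password" Gerrit generated for the same
# account. Names and values are made up for this illustration.
APACHE_HTPASSWD = {"test1": "apache-secret"}
GERRIT_HTTP_PASSWORD = {"test1": "gerrit-generated-token"}


def parse_basic_auth(header):
    """Return (user, password) from a 'Basic base64(user:pass)' header, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def same_secret(stored, given):
    """Constant-time comparison so the model does not leak via timing."""
    return hmac.compare_digest(stored.encode(), given.encode())


def apache_reverse_proxy(path, headers):
    """Model of <Location "/"> with Basic auth: authenticate against the
    htpasswd map, then forward the request unchanged (Authorization
    header included) to Gerrit, as ProxyPass does."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None or not same_secret(APACHE_HTPASSWD.get(creds[0], ""), creds[1]):
        return 401, "apache: Basic auth required or wrong password"
    return gerrit_http_auth(path, headers)


def gerrit_http_auth(path, headers):
    """Model of Gerrit with auth.type = HTTP: trust the container-authenticated
    user on plain URLs, but run a ProjectBasicAuthFilter-style check on /a/
    URLs, comparing the forwarded password to Gerrit's own HTTP password."""
    user, password = parse_basic_auth(headers["Authorization"])
    if path.startswith("/a/") and not same_secret(GERRIT_HTTP_PASSWORD.get(user, ""), password):
        return 401, f"Authentication failed for {user}: password does not match the one stored in Gerrit"
    return 200, f"ok as {user}"


def basic_header(user, password):
    """Build the Authorization header a client such as curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Sending the Apache password reaches Gerrit but fails the /a/ check, while sending the Gerrit HTTP password never gets past Apache, which is the deadlock the post describes.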