ReverseProxy + Full site protected + REST API


Jorge Ruesga

Dec 25, 2017, 4:05:40 PM12/25/17
to Repo and Gerrit Discussion
Hi,

I have a question about HTTP Authentication (with a reverse proxy) when a full site is protected: in this case it is impossible to log in on an authenticated REST API entry point.

Basically, I created a Gerrit server behind an Apache2 which protects access to "/" through Basic Auth, to try to resolve an issue I have on my Android app (https://github.com/jruesga/rview/issues/59). Below is the configuration I have used, and I just compiled the latest code from master (dd7d86c) to test.


======= apache2 ==============

<VirtualHost *:80>
    ServerAdmin admin@vmgerrit2
    ServerName vmgerrit2

    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On

    ErrorLog /var/log/apache2/gerrit.error.log
    CustomLog /var/log/apache2/gerrit.access.log combined

    <Location "/">
       AuthType Basic
       AuthName "Gerrit Code Review"
       Require valid-user
       AuthUserFile /etc/apache2/passwd/passwd.users
    </Location>

    <Proxy *>
       Require all granted
    </Proxy>

    AllowEncodedSlashes On
    ProxyPass / http://127.0.0.1:8081/ nocanon
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>



======= gerrit conf ==============

[gerrit]
    basePath = /opt/gerrit/repo
    serverId = 181c8fd7-3a1b-47b0-a85c-e435a044e46b
    canonicalWebUrl = http://192.168.0.190/
    ui = polygerrit
    enableGwtUi = true
[database]
    type = h2
    database = /opt/gerrit/server/db/ReviewDB
[noteDb "changes"]
    disableReviewDb = true
    primaryStorage = note db
    read = true
    sequence = true
    write = true
[index]
    type = LUCENE
[auth]
    type = HTTP
[receive]
    enableSignedPush = true
[sendemail]
    smtpServer = localhost
[container]
    user = jruesga
    javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
    listenAddress = *:29418
[httpd]
    listenUrl = http://*:8081/
[cache]
    directory = cache



With the attached configuration, I can access the web site correctly with a test user (Apache requests the basic authentication and passes it to Gerrit), and it works correctly with an unauthenticated REST API URL (http://192.168.0.9090:8080/config/server/version), but I get "[2017-12-25 21:03:50,736] [HTTP-73] WARN  com.google.gerrit.httpd.ProjectBasicAuthFilter : Authentication from 127.0.0.1 failed for test1: password does not match the one stored in Gerrit" when requesting an authenticated entry point (http://192.168.0.9090:8080/a/config/server/version).

Digging into the code (https://gerrit.googlesource.com/gerrit/+/master/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java#149) I see that ProjectBasicAuthFilter tries to match the information of the "Authorization" header against a valid username and password, but it is impossible for it to match, because that header has the password used to log in to Apache, which is totally different from the "HTTP password" obtained from account settings to use in the REST API, so basically it is impossible to use authenticated entry points with this configuration.

Shouldn't authenticated requests (https://gerrit.googlesource.com/gerrit/+/master/java/com/google/gerrit/httpd/GitOverHttpModule.java#59) be exempt from ProjectBasicAuthFilter? Or at least, shouldn't ProjectBasicAuthFilter only check Git URLs? Or have I missed something?

Thanks in advance.

Gert van Dijk

Dec 26, 2017, 7:10:01 AM12/26/17
to Repo and Gerrit Discussion

I agree that with auth.type set to HTTP, you would expect Gerrit to disable the internal HTTP Basic authentication for the REST API. For me with 2.14.6 this actually works (HTTP_LDAP, but should be the same). I also don't see any option for users to generate HTTP passwords anymore. Do you still see that in the user profile settings or not?

Also, for Git-over-HTTP requests you may want to set auth.trustContainerAuth to true. This will make Gerrit skip internal authentication for that as well.
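To make the mismatch described in this thread concrete, here is a small Python model of the request chain (an added illustration, not Gerrit's or Apache's code): the proxy checks the client's Basic credential against the htpasswd file and forwards the Authorization header unchanged, and Gerrit's authenticated-REST filter either re-checks that password against the user's Gerrit HTTP password (the ProjectBasicAuthFilter behaviour Jorge hit) or trusts the proxy's decision (the auth.trustContainerAuth = true behaviour). All usernames, passwords and response bodies are constructed sample values.

```python
import base64

# Constructed sample credentials: the Apache htpasswd entry and the Gerrit
# HTTP password for the same user are different secrets, as in the thread.
APACHE_USERS = {"test1": "apache-secret"}            # /etc/apache2/passwd/passwd.users
GERRIT_HTTP_PASSWORDS = {"test1": "gerrit-generated"}  # "HTTP password" from account settings


def basic_header(user, password):
    """Encode a Basic credential the way an HTTP client sends it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Decode 'Basic <base64>' into (user, password); None if absent or not Basic."""
    if not header or not header.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    return user, password


def gerrit_backend(path, headers, trust_container_auth):
    """Model of Gerrit with auth.type = HTTP behind the proxy.
    Non-/a/ paths only take the username from the proxy-verified credential;
    /a/ paths go through the git/REST auth filter, whose behaviour depends on
    auth.trustContainerAuth."""
    user, password = parse_basic(headers["Authorization"])  # proxy already verified it
    if not path.startswith("/a/"):
        return 200, f"ok as {user}"
    if trust_container_auth:
        # Container-trust mode: identity comes from the proxy, no password re-check.
        return 200, f"authenticated ok as {user}"
    # ProjectBasicAuthFilter mode: the forwarded password is the Apache one, so the
    # comparison against the stored Gerrit HTTP password fails.
    if GERRIT_HTTP_PASSWORDS.get(user) != password:
        return 401, f"Authentication failed for {user}: password does not match the one stored in Gerrit"
    return 200, f"authenticated ok as {user}"


def request(path, user, password, trust_container_auth=False):
    """One request through the modelled Apache front door (<Location "/"> Require
    valid-user) into Gerrit; returns (status, body)."""
    headers = {"Authorization": basic_header(user, password)}
    creds = parse_basic(headers.get("Authorization"))
    if not creds or APACHE_USERS.get(creds[0]) != creds[1]:
        return 401, "apache: unauthorized"        # mod_auth_basic rejects before proxying
    return gerrit_backend(path, headers, trust_container_auth)
```

Note that sending the Gerrit HTTP password instead does not help either: the proxy rejects it before the request ever reaches Gerrit, which is why no single credential satisfies both layers until trustContainerAuth is enabled.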

Jorge Ruesga

Dec 26, 2017, 7:38:03 AM12/26/17
to Repo and Gerrit Discussion
Yes, with HTTP, I'm still seeing the http password menu in settings and being able to generate it.

Jorge Ruesga

Dec 26, 2017, 7:52:04 AM12/26/17
to Repo and Gerrit Discussion
Anyway, thanks. I didn't know about the auth.trustContainerAuth property.