issue with HTTPS reverse-proxy, web.enforceHttpBasicAuthentication=true and no client certs


Charles Bueche

Sep 29, 2014, 9:18:32 AM
to git...@googlegroups.com
Hi,

I have a gitblit GO 1.6.0 running fine, with LDAP authentication to a back-end. I use web.enforceHttpBasicAuthentication=true to make it use BasicAuth. So far so good, it works fine, on both HTTP and HTTPS.

Now I want to configure a reverse-proxy in front of it. That proxy contains an SSO framework that generates the needed BasicAuth. If I do proxy-pass HTTPS to HTTP this way, it works:

ProxyPass            /gitblit/ http://giti.back:8080/gitblit/
ProxyPassReverse     /gitblit/ http://giti.back:8080/gitblit/

But if I do proxy HTTPS to HTTPS this way it fails:


ProxyPass            /gitblit/ https://giti.back:8443/gitblit/
ProxyPassReverse     /gitblit/ https://giti.back:8443/gitblit/


In the log of the Apache reverse-proxy instance, I see this:

[Mon Sep 29 15:12:07.256030 2014] [ssl:warn] [pid 26069] AH02268: Proxy client certificate callback: (gate.stuff:443) downstream server wanted client certificate but none are configured
[Mon Sep 29 15:12:07.275560 2014] [proxy:error] [pid 26069] (502)Unknown error 502: [client 1xxxxxx:53523] AH01084: pass request body failed to 100.100.100.115:8443 (giti.back), referer: https://gate.stuff/gitblit/repositories/;jsessionid=qbkhqzjya5pjjtcm
[Mon Sep 29 15:12:07.275759 2014] [proxy:error] [pid 26069] [client 1xxxxxxx:53523] AH00898: Error during SSL Handshake with remote server returned by /gitblit/summary/gerty-int.git, referer: https://gate.back/gitblit/repositories/;jsessionid= qbkhqzjya5pjjtcm
[Mon Sep 29 15:12:07.275883 2014] [proxy_http:error] [pid 26069] [client 1xxxxxxxxxx:53523] AH01097: pass request body failed to 100.100.100.115:8443 (giti.back) from 1xxxxxxxxx (), referer: https://gate.stuff/gitblit/repositories/;jsessionid= qbkhqzjya5pjjtcm

I think the reason is the "requireClientCertificates behavior" mentioned in gitblit.properties :

# If serving over https (recommended) you might consider requiring clients to
# authenticate with ssl certificates.  If enabled, only https clients with the
# a valid client certificate will be able to access Gitblit.
#
# If disabled, client certificate authentication is optional and will be tried
# first before falling-back to form authentication or basic authentication.
#
# Requiring client certificates to access any of Gitblit may be too extreme,
# consider this carefully.
#
# SINCE 1.2.0
# RESTART REQUIRED
server.requireClientCertificates = false

So how can I either:
  • configure my reverse-proxy to ignore gitblit's request for a client-cert
  • or better, configure gitblit never to ask for a client cert?
TIA,
Charles
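
One way to test the hypothesis in the post above against a larger error log, added here as an example and not part of the original thread or of Apache/Gitblit: for each AH00898 handshake failure, report whether the same proxy worker logged the AH02268 warning just before it. The function names, the 2-second window and the sample lines (with placeholder client addresses) are assumptions; the result shows co-occurrence only, not cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt in the post; client IPs are placeholders.
SAMPLE_LOG = """\
[Mon Sep 29 15:12:07.256030 2014] [ssl:warn] [pid 26069] AH02268: Proxy client certificate callback: (gate.stuff:443) downstream server wanted client certificate but none are configured
[Mon Sep 29 15:12:07.275759 2014] [proxy:error] [pid 26069] [client 192.0.2.10:53523] AH00898: Error during SSL Handshake with remote server returned by /gitblit/summary/gerty-int.git, referer: https://gate.stuff/gitblit/repositories/
[Mon Sep 29 15:14:41.100000 2014] [proxy:error] [pid 26070] [client 192.0.2.11:40000] AH00898: Error during SSL Handshake with remote server returned by /gitblit/
"""

# Apache 2.4 error-log line: [time] [module:level] [pid N(:tid N)] [client ip:port] AHnnnnn: msg
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)

def parse(log_text):
    """Yield one dict per line that matches the expected layout; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ev

def classify_handshake_failures(log_text, window=timedelta(seconds=2)):
    """For every AH00898, say whether the same pid logged AH02268 just before it."""
    last_cert_request = {}  # pid -> time of the most recent AH02268
    findings = []
    for ev in parse(log_text):
        if ev["code"] == "AH02268":
            last_cert_request[ev["pid"]] = ev["ts"]
        elif ev["code"] == "AH00898":
            seen = last_cert_request.get(ev["pid"])
            related = seen is not None and timedelta(0) <= ev["ts"] - seen <= window
            url = ev["msg"].split("returned by ", 1)[-1].split(", referer:")[0]
            findings.append({"client": ev["client"], "url": url,
                             "backend_requested_client_cert": related})
    return findings

if __name__ == "__main__":
    for f in classify_handshake_failures(SAMPLE_LOG):
        print(f)
```

Failures reported with `backend_requested_client_cert` set to False point away from the client-certificate request and toward other TLS problems between proxy and backend.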

James Moger

Sep 29, 2014, 9:23:49 AM
to git...@googlegroups.com
Why do you need to reverse proxy both http & https?
Can't your front end terminate the https and connect http to Gitblit?

-J


Charles Bueche

Sep 30, 2014, 5:10:33 AM
to git...@googlegroups.com
Hi James,

This is what I do now as a workaround.
However, considering the traffic from rev-proxy to gitblit carries a BasicAuth header, I'm somewhat uncomfortable with it.

Regs,
Charles