Unable to get ldap and reverse proxy working at the same time
Will Wagner
I'm testing out a gerrit 2.15.1 installation to see how it works.
Initially I just had gerrit.war running the web server directly and I used ldap for authentication. This all worked great.
I then wanted to change to use apache as a reverse proxy so that it would do all the ssl handling, provide certificate etc. This all worked fine until I logged out and tried to log back in. Now when I sign in after typing in credentials to gerrit login box I get a page saying "HTTP method POST is not supported by this URL"
Should this configuration work? In my config I have
auth.type = LDAP
httpd.listenUrl = proxy-https://127.0.0.1:8081/r/
So instead of logging in via gerrit I tried to make it so that apache would handle authentication. I followed the instructions for HTTP Basic Authentication in the documentation. Now when I try to hit the gerrit URL apache asks for credentials. After that though gerrit seems to be stuck in an infinite loop redirecting the browser between https://gerrit/ and https://gerrit/login
Any help on getting this workig much appreciated.
Will
Sven Selberg
Will Wagner
What does your Apache config look like?
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName gerrit.office.carallon.com
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
AllowEncodedSlashes On
ProxyPass / http://127.0.0.1:8081/r/ nocanon
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/office.carallon.com_2018.pem
SSLCertificateKeyFile /etc/ssl/private/office.carallon.com.key
SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA_2018.pem
<Location /login/>
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL "*******" NONE
AuthLDAPBindDN "**********"
AuthLDAPBindPassword "*******"
Require valid-user
</Location>
</VirtualHost>
</IfModule>
Duft Markus
Hey,
We’re using LDAP auth with multiple providers in apache. Config looks something like the attached… J Some things are for sure specific to our setup, I’ll leave it to you to filter that out :D
The sample.conf.template is the template for files included by the ‘IncludeOptional ${AUTH_CFGROOT}/*.conf’
With this config you will ALSO need this in gerrit.config:
[auth]
type = HTTP
cookieSecure = true
# when using LDAP on apache
httpHeader = X-LDAP-USER
httpEmailHeader = X-LDAP-MAIL
httpDisplaynameHeader = X-LDAP-CN
httpExternalIdHeader = X-LDAP-DN
Hope that helps J Some more hints are in the comments in the files.
Cheers,
Markus
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
Sven Selberg
Will Wagner
Out of interest do you think I should be trying to make it work as I initially started out with apache just providing a https proxy and authentication in gerrit just by ldal, or should I be getting apache to do authentication and setting gerrit to use http authentication.
I guess I'll try the suggestions from sven next. Seems like the main bit I'm missing is setting the request headers
Will Wagner
Thanks for the sample configs. As far as I can tell the two keys bit are the ProxyReversePass (as Sven pointed out) and the RequestHeader entries. Unfortunately I've tried those and it still appears to be doing an infinite redirect between the main page and the login page.
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Will Wagner
Anyone got any suggestions on how to configure this as it seems the gerrit docs don't include everything you need.
Thanks
Will
Matthias Sohn
So I couldn't get reverse proxy with apache working, sadly had to go back to just running direct from gerrit which will be fine for evaluation.
Anyone got any suggestions on how to configure this as it seems the gerrit docs don't include everything you need.
Will Wagner
Duft Markus
I think one issue could be the locations you configured. In our config we’re requesting proxy auth on /, whereas you hooked auth on /login as far as I saw.
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
