gerrit in jetty 9 behind apache reverse proxy


Krešimir Tonković

Nov 13, 2013, 4:23:41 AM
to repo-d...@googlegroups.com
Hi,

I have installed the gerrit war in our common jetty 9 instance and it works fine. Apache handles https and reverse-proxies to jetty using http.

This however only works if I set in gerrit.conf 

canonicalWebUrl = http://myserver.com/gerrit/

This however is not the real url that is visible from outside. It should start with https, and expectedly, this creates problems with authentication and bad urls being used in emails.

If I set it to https, every page issues a redirect (302) to https://localhost:8080/gerrit.

Full gerrit.conf:

[gerrit]
        basePath = /data/git
        canonicalWebUrl = http://myserver.com/gerrit/
[auth] 
        type = OPENID
[sendemail]
        smtpServer = localhost
[sshd] 
        listenAddress = *:29418
[cache]
        directory = cache

There is no httpd and no database section because gerrit is installed in our own jetty 9 instance which also manages the datasource.

Apache configuration:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName myserver.com

        ServerAdmin webmaster@localhost

        ProxyRequests Off
        ProxyVia Off
        ProxyPassReverseCookieDomain localhost myserver.com
        # requires mod_headers; tells the backend that the client connection was TLS
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS

        Redirect /gerrit /gerrit/
        ProxyPass /gerrit/ http://localhost:8080/gerrit/ retry=0
        ProxyPassReverse /gerrit/ http://localhost:8080/gerrit/
</VirtualHost>
</IfModule>

I think the apache configuration is good because it works well with some other software in the same setup.

Any pointers?

Thanks,
Kresimir

Krešimir Tonković

Nov 13, 2013, 5:54:55 AM
to repo-d...@googlegroups.com
Additional info: the redirect is not 302 but 301. Here is the request (from chrome console):

Request Method:GET
Status Code:301 Moved Permanently
Request Headers:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en,en-US;q=0.8,hr;q=0.6
Connection:keep-alive
Cookie: [removed]
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.114 Safari/537.36
Response Headers
Connection:Keep-Alive
Content-Length:0
Date:Wed, 13 Nov 2013 10:40:38 GMT
Keep-Alive:timeout=5, max=100
Server:Jetty(9.0.2.v20130417)

The last line indicates that the redirect comes from jetty, not from apache. 

Gerrit is version 2.5.4.

Thanks,
Kresimir

Shawn Pearce

Nov 13, 2013, 12:13:22 PM
to Krešimir Tonković, repo-discuss
Gerrit is doing the redirect because Jetty is telling it the
connection is insecure.

Look at the Jetty docs on how to tell Jetty to trust that Apache did
the SSL handling.

Krešimir Tonković

Nov 14, 2013, 6:28:28 AM
to repo-d...@googlegroups.com, Krešimir Tonković
Found in gerrit.war this file: WEB-INF/extra/jetty7/jetty_sslproxy.xml

As per the instructions in the file:
  1. added in apache config:
     RequestHeader set X-Forwarded-Scheme https
  2. copied WEB-INF/extra/jetty7/jetty_sslproxy.xml to {$jetty.home}/etc
  3. in {$jetty.home}/start.ini added:

     OPTIONS=rewrite
     etc/jetty-rewrite.xml
     etc/jetty_sslproxy.xml
  4. in gerrit.conf changed canonicalWebUrl to https://myserver.com/gerrit/

Now everything works fine.

It would be nice to have gerrit log some debugging info into the container's log. I actually found the above file while looking for log4j.xml or config for whatever logging framework is used.

Thanks,
Kresimir

Piotr Morgwai Kotarbiński

Dec 27, 2014, 5:45:09 PM
to repo-d...@googlegroups.com, kresimir...@gmail.com
Hello all,

I have a similar setup to Kresimir's and have been experiencing similar problems (the same, I guess) since I switched from jetty-8 to jetty-9.
When using jetty-8 the only additional configuration to jetty that was needed was to add
<Set name="forwarded">true</Set>
directive to SelectChannelConnector in jetty.xml as described here:
https://wiki.eclipse.org/Jetty/Tutorial/Apache
and here:
https://wiki.eclipse.org/Jetty/Howto/Configure_mod_proxy
to make jetty change scheme to https: no ugly, complicated rewriting rules needed.

Unfortunately this does not work anymore in jetty-9 because of the reasons described here:
http://dev.eclipse.org/mhonarc/lists/jetty-users/msg05428.html

However I noticed that when I use gerrit-9.2.6 with its embedded jetty instance behind my apache then it works fine. So I wonder whether gerrit with embedded jetty is also using rewriting rules similar to those described by Kresimir or if the gerrit team was able to find a better way. I was trying to investigate it myself, but I couldn't figure out where the config for the embedded jetty instance is stored, so I decided to try my luck by asking here instead ;)

Many thanks

  Morgwai

Piotr Morgwai Kotarbiński

Dec 30, 2014, 2:56:27 AM
to repo-d...@googlegroups.com, kresimir...@gmail.com
solved:
in ${jetty.base}/etc/jetty.xml uncomment the following fragment:

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      (...)

      <!-- Uncomment to enable handling of X-Forwarded- style headers
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
      -->

    </New>

and it all automagically works fine :)
(if you don't have jetty.xml file or even etc folder in your ${jetty.base} then just copy one from ${jetty.home} )
More details here: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg05430.html

Cheers all!
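As an added illustration (not code from this thread, from Gerrit, or from Jetty's own docs), here is the ForwardedRequestCustomizer that Morgwai uncommented in jetty.xml, and that replaces the jetty_sslproxy.xml rewrite rules Kresimir used, wired up in embedded Jetty 9 code. It assumes Jetty 9.x jetty-server on the classpath; the echo handler and the class name are hypothetical and only show what the servlet API reports to a webapp such as Gerrit once Apache sends X-Forwarded-Proto.

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Hypothetical demo: the jetty.xml "addCustomizer" block, expressed as embedded Jetty 9 code. */
public class ForwardedProtoDemo {

    public static Server build(int port) {
        Server server = new Server();

        // Equivalent of uncommenting <Call name="addCustomizer"> in jetty.xml:
        // honour X-Forwarded-Proto / X-Forwarded-For / X-Forwarded-Host set by the proxy.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());

        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        // Bind to loopback only: the customizer trusts X-Forwarded-* on every request it sees,
        // so only the local Apache (ProxyPass ... http://localhost:8080/gerrit/) should be able
        // to reach this connector and set those headers.
        http.setHost("127.0.0.1");
        http.setPort(port);
        server.addConnector(http);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                // With the customizer active and Apache sending "X-Forwarded-Proto: https",
                // getScheme() is "https" and isSecure() is true, which is what stops Gerrit
                // from redirecting to its (http) idea of the canonicalWebUrl.
                response.setContentType("text/plain");
                response.getWriter().printf("scheme=%s secure=%s serverName=%s%n",
                        request.getScheme(), request.isSecure(), request.getServerName());
                baseRequest.setHandled(true);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

Without the customizer the same request reports scheme=http and secure=false, which matches the 301 to http://localhost:8080/gerrit that Kresimir saw in the Chrome console.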