Can't navigate to gerrit site with reverse proxy and ssl

Samuel Omlin

Feb 24, 2012, 12:38:20 PM
to repo-d...@googlegroups.com
Hi there,

After the first installation of Gerrit 2.2.2.1 according to this guide (http://gerrit-documentation.googlecode.com/svn/Documentation/2.2.2/install.html), I can't point to this gerrit_site (like https://gerrit.example.com) in the browser; it shows the message "404 Not Found: The requested URL / was not found on this server". So, any input will be appreciated.

As a side note, here's the whole process for me installing gerrit on ubuntu 10.04 server.
1> Download Gerrit
wget http://gerrit.googlecode.com/files/gerrit-2.2.2.1.war
mv gerrit-2.2.2.1.war gerrit.war

2> Install Gerrit
sudo adduser \
    --system \
    --shell /bin/bash \
    --gecos 'gerrit code review' \
    --group \
    --disabled-password \
    --home /home/gerrit \
    gerrit
sudo -u gerrit java -jar gerrit.war init -d /home/gerrit

*** Gerrit Code Review 2.2.2.1
***


*** Git Repositories
***

Location of Git repositories   [git]: /home/git/repositories

*** SQL Database
***

Database server type           [H2/?]:

*** User Authentication
***

Authentication method          [OPENID/?]:

*** Email Delivery
***

SMTP server hostname           [localhost]:
SMTP server port               [(default)]:
SMTP encryption                [NONE/?]:
SMTP username                  :

*** Container Process
***

Run as                         [gerrit]:
Java runtime                   [/usr/lib/jvm/java-6-sun-1.6.0.26/jre]:
Copy gerrit.war to /home/gerrit/bin/gerrit.war [Y/n]?
Copying gerrit.war to /home/gerrit/bin/gerrit.war

*** SSH Daemon
***

Listen on address              [*]:
Listen on port                 [29418]:

Gerrit Code Review is not shipped with Bouncy Castle Crypto v144
  If available, Gerrit can take advantage of features
  in the library, but will also function without it.
Download and install it now [Y/n]?
Downloading http://www.bouncycastle.org/download/bcprov-jdk16-144.jar ... OK
Checksum bcprov-jdk16-144.jar OK
Generating SSH host key ... rsa... dsa... done

*** HTTP Daemon
***

Behind reverse proxy           [y/N]? y
Proxy uses SSL (https://)      [y/N]? y
Subdirectory on proxy server   [/]:
Listen on address              [*]:
Listen on port                 [8081]:
Canonical URL                  [https://samuel-laptop/]: https://review.example.com

cat /home/gerrit/etc/gerrit.config
[gerrit]
    basePath = /home/git/repositories
    canonicalWebUrl = https://review.example.com
[database]
    type = H2
    database = db/ReviewDB
[auth]
    type = OPENID
[sendemail]
    smtpServer = localhost
[container]
    user = gerrit
    javaHome = /usr/lib/jvm/java-6-sun-1.6.0.26/jre
[sshd]
    listenAddress = *:29418
[httpd]
    listenUrl = proxy-https://*:8081/
[cache]
    directory = cache

3> Run Gerrit Daemon
sudo /home/gerrit/bin/gerrit.sh start

4> Configure Apache Server with Reverse Proxy and SSL
sudo a2enmod proxy_http
sudo a2enmod ssl

<VirtualHost *:443>
  ServerName review.xbmlabs.com

  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/review.example.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/review.example.com.key

  ProxyRequests Off
  ProxyVia Off
  ProxyPreserveHost On

  <Proxy *>
        Order deny,allow
        Allow from all
  </Proxy>

  ProxyPass /r/ https://*:8081/r/

  ErrorLog /var/log/apache2/review.example.com.error.log
  CustomLog /var/log/apache2/review.example.com.access.log combined
 </VirtualHost>

Thomas Broyer

Feb 25, 2012, 3:49:51 AM
to repo-d...@googlegroups.com


On Friday, February 24, 2012 6:38:20 PM UTC+1, somlin wrote:

  ProxyPass /r/ https://*:8081/r/


I believe it should be:

  ProxyPass / http://127.0.0.1:8081/

That is:
  • / instead of /r/ (in both the 'path' and 'url' parts)
  • http instead of https: Apache does the SSL work, and then talks unencrypted HTTP with Gerrit
  • 127.0.0.1 instead of *

somlin

Feb 25, 2012, 9:35:09 PM
to Repo and Gerrit Discussion, samuel...@gmail.com
Hi Thomas,

Thanks for your suggestion.

The 1st (/ instead of /r/ in both the 'path' and 'url' parts) and
3rd (127.0.0.1 instead of *) suggestions are adopted, simply because I
still would like to keep https:// alive. So, the vhost configuration
for apache2 as well as the gerrit.config (in my case, located at
/home/gerrit/etc/) for the gerrit site are modified as below:
==> VHost for Gerrit Site
<VirtualHost *:443>
ServerName review.example.com

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/review.example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/review.example.com.key

SSLProxyEngine on

ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass / https://127.0.0.1:8081/
ProxyPassReverse / https://127.0.0.1:8081/

ErrorLog /var/log/apache2/review.example.com.error.log
CustomLog /var/log/apache2/review.example.com.access.log combined
</VirtualHost>

==> Gerrit.config
[gerrit]
basePath = /home/git/repositories
canonicalWebUrl = https://review.example.com
[database]
type = H2
database = db/ReviewDB
[auth]
type = OPENID
[sendemail]
smtpServer = localhost
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-6-sun-1.6.0.26/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = proxy-https://127.0.0.1:8081/
[cache]
directory = cache

After getting through the steps above, I restarted apache2 and gerrit
separately from the command line so the changes take effect immediately.
But I still failed to navigate to https://review.example.com
and got a message from the browser saying "502 Bad Gateway: The proxy
server received an invalid response from an upstream server".

Then I checked the error log (/var/log/apache2/review.example.com.error.log)
defined in the vhost configuration for gerrit, which tells me:
[Sun Feb 26 10:31:34 2012] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:8081 (127.0.0.1)
[Sun Feb 26 10:31:34 2012] [error] proxy: pass request body failed to 127.0.0.1:8081 (127.0.0.1) from 127.0.0.1 ()

I still can't solve the issue mentioned above, although I searched the
internet for it. So, any ideas on that?



On Feb 25, 4:49 pm, Thomas Broyer <t.bro...@gmail.com> wrote:
> On Friday, February 24, 2012 6:38:20 PM UTC+1, somlin wrote:
>
> >   ProxyPass /r/ https://*:8081/r/
>
> I believe it should be:
> ProxyPass / http://127.0.0.1:8081/
>
> That is:
>
>    - / instead of /r/ (in both the 'path' and 'url' parts)
>    - http instead of https: Apache does the SSL work, and then talks
>    unencrypted HTTP with Gerrit
>    - 127.0.0.1 instead of *

Shawn Pearce

Feb 26, 2012, 3:35:20 PM
to Samuel Omlin, repo-d...@googlegroups.com
On Fri, Feb 24, 2012 at 09:38, Samuel Omlin <samuel...@gmail.com> wrote:
> cat /home/gerrit/etc/gerrit.config
> [gerrit]
>     basePath = /home/git/repositories
>     canonicalWebUrl = https://review.example.com
> [httpd]
>     listenUrl = proxy-https://*:8081/
..

> 4> Configure Apache Server with Reverse Proxy and SSL
>   ProxyPass /r/ https://*:8081/r/

The ProxyPass and httpd.listenUrl have to agree. If you want Gerrit to
be at https://host/r/ then you need to write:

  gerrit.config:
    [gerrit]
      canonicalWebUrl = https://review.example.com/r/
    [httpd]
      listenUrl = proxy-https://*:8081/r/

  apache:
    ProxyPass /r/ https://*:8081/r/

Conversely, if you don't want the /r/ there and want Gerrit on just /
(so it "owns" the hostname) then drop the /r/ everywhere:

  gerrit.config:
    [gerrit]
      canonicalWebUrl = https://review.example.com/
    [httpd]
      listenUrl = proxy-https://*:8081/

  apache:
    ProxyPass / https://*:8081/

somlin

Feb 28, 2012, 3:44:34 AM
to Shawn Pearce, repo-d...@googlegroups.com, samuel...@gmail.com
Hi Shawn,

After following your 2nd suggestion, that is, replacing the IP address
127.0.0.1 with * and configuring the path as "/" instead of "/r/",
Firefox complained that the proxy server could not handle the
request "https://review.example.com", telling me that the reason is a
DNS lookup failure for: *. Then I checked the error log for the
gerrit site, which says the same as Firefox:
[error] [client 127.0.0.1] proxy: DNS lookup failure for: * returned by /favicon.ico.

Therefore, I have to turn to the original workaround as described in my
last post. Then, it looks like I can fix the issue mentioned above.
Unfortunately, however, the evil that appeared in my last post still
shows itself to me, which is "proxy: pass request body failed to
127.0.0.1:8081 (127.0.0.1) from 127.0.0.1 ()".

So, any ideas on that?

(As a side note, I really can navigate to http://review.example.com:8081
or http://127.0.0.1:8081 instead of http://review.example.com or
http://127.0.0.1. In addition, the URL always fails as long as it is
prefixed with https://, whether it is postfixed with the port 8081 or not.
So, this already indicates that the GerritCodeReview daemon (called
gerrit.sh, located at /home/gerrit/bin/) has no support for https, right?
In other words, this daemon can speak http only, not https?
But this setting for https has actually been configured in
/home/gerrit/etc/gerrit.config. Strange enough! So, what about you?)

On Feb 27, 4:35 am, Shawn Pearce <s...@google.com> wrote:


> On Fri, Feb 24, 2012 at 09:38, Samuel Omlin <samuel.om...@gmail.com> wrote:
> > cat /home/gerrit/etc/gerrit.config
> > [gerrit]
> >     basePath = /home/git/repositories
> >     canonicalWebUrl = https://review.example.com
> > [httpd]
> >     listenUrl = proxy-https://*:8081/
> ..
> > 4> Configure Apache Server with Reverse Proxy and SSL
> >   ProxyPass /r/ https://*:8081/r/
>
> The ProxyPass and httpd.listenUrl have to agree. If you want Gerrit to
> be at https://host/r/ then you need to write:
>
>   gerrit.config:
>     [gerrit]
>       canonicalWebUrl = https://review.example.com/r/
>     [httpd]
>       listenUrl = proxy-https://*:8081/r/
>
>   apache:
>     ProxyPass /r/ https://*:8081/r/
>
> Conversely, if you don't want the /r/ there and want Gerrit on just /
> (so it "owns" the hostname) then drop the /r/ everywhere:
>
>   gerrit.config:
>     [gerrit]
>       canonicalWebUrl = https://review.example.com/

somlin

Feb 29, 2012, 5:13:44 AM
to Repo and Gerrit Discussion
Hi Thomas,

thank you for your suggestion.

Following your 2nd piece of advice, that is "http instead of https", I
can now point to the link https://review.example.com. Here's the
final modification in the configuration for the VHost:
ProxyPass / http://127.0.0.1:8081/

On Feb 25, 4:49 pm, Thomas Broyer <t.bro...@gmail.com> wrote:
> On Friday, February 24, 2012 6:38:20 PM UTC+1, somlin wrote:
>
> >   ProxyPass /r/ https://*:8081/r/
>
> I believe it should be:
> ProxyPass / http://127.0.0.1:8081/
>
> That is:
>
>    - / instead of /r/ (in both the 'path' and 'url' parts)
>    - http instead of https: Apache does the SSL work, and then talks
>    unencrypted HTTP with Gerrit

Samuel Omlin

Feb 29, 2012, 9:20:40 AM
to Christopher Taylor, repo-d...@googlegroups.com, samuel...@gmail.com
Hi Christopher,

thank you for your reply.

As you guessed, I really would like to do what you suggested. And, at last, I can set up the gerrit site on my ubuntu server with links like https://review.example.com. For more details on that, please take a look here: http://groups.google.com/group/repo-discuss/browse_thread/thread/9aa1cfa662c6b9c1/29dff069eb7c0047?tvc=2#29dff069eb7c0047.

On Tue, Feb 28, 2012 at 5:15 PM, Christopher Taylor <ccmt...@gmail.com> wrote:
I'm not an apache expert, but I suspect you need to add the host to
which you want to forward the requests to the ProxyPass statement,
e.g.

if you have proxy-https://*:8081/ and canonicalWebUrl
= https://review.example.com/ in gerrit.config, use
ProxyPass / https://your.gerrit.host.or.ip:8081/

if you have proxy-https://*:8081/r/ and canonicalWebUrl
= https://review.example.com/r/ in gerrit.config, use
ProxyPass /r/ https://your.gerrit.host.or.ip:8081/r/

Regards,
 --Christopher
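
The settings this thread went through can be checked mechanically. The following is an added example, not code from any poster or from the Gerrit project: the function name `check_gerrit_proxy` and its finding codes are hypothetical, and the `listen-bind` check assumes Apache and Gerrit run on the same host. It is run over the first attempt and over the final state (the second post's gerrit.config with the last ProxyPass line).

```python
import re
from urllib.parse import urlsplit

# scheme://host:port/path, where host may be the bind wildcard '*'
URL_RE = re.compile(r"^(proxy-https?|https?)://([^:/]+):(\d+)(/.*)?$")

def check_gerrit_proxy(listen_url, canonical_url, proxypass):
    """Return findings as 'code: message' strings; an empty list means consistent."""
    findings = []
    listen = URL_RE.match(listen_url)
    parts = proxypass.split()
    backend = URL_RE.match(parts[2]) if len(parts) == 3 else None
    if not listen or not backend or parts[0] != "ProxyPass":
        return ["parse: expected httpd.listenUrl and 'ProxyPass <path> <url>'"]
    l_scheme, l_host, l_port, l_path = listen.groups()
    b_scheme, b_host, b_port, b_path = backend.groups()
    l_path, b_path = l_path or "/", b_path or "/"
    canon = urlsplit(canonical_url)

    if l_scheme.startswith("proxy-") and b_scheme != "http":
        findings.append("backend-scheme: Gerrit speaks plain HTTP behind a proxy-* "
                        "listenUrl; ProxyPass must target http://, Apache does the TLS")
    if b_host == "*":
        findings.append("backend-host: '*' is a bind wildcard, not a host Apache "
                        "can connect to; use 127.0.0.1 or the Gerrit host")
    if b_port != l_port:
        findings.append("port: ProxyPass targets %s, Gerrit listens on %s"
                        % (b_port, l_port))
    if len({parts[1], b_path, l_path, canon.path or "/"}) != 1:
        findings.append("path: ProxyPass path, backend path, listenUrl path and "
                        "canonicalWebUrl path must all be the same")
    if l_scheme == "proxy-https" and canon.scheme != "https":
        findings.append("canonical-scheme: proxy-https expects an https:// "
                        "canonicalWebUrl")
    if l_scheme.startswith("proxy-") and l_host == "*":
        # Added hardening check (assumption: Apache and Gerrit share one host).
        findings.append("listen-bind: plain-HTTP port listens on all interfaces; "
                        "bind to 127.0.0.1 so clients cannot bypass the TLS proxy")
    return findings

# Settings taken from the thread: the first attempt and the final working state.
FIRST = check_gerrit_proxy("proxy-https://*:8081/", "https://review.example.com",
                           "ProxyPass /r/ https://*:8081/r/")
FINAL = check_gerrit_proxy("proxy-https://127.0.0.1:8081/", "https://review.example.com",
                           "ProxyPass / http://127.0.0.1:8081/")

if __name__ == "__main__":
    for name, result in (("first attempt", FIRST), ("final", FINAL)):
        print(name, "->", result or "consistent")
```

The second attempt in the thread (`ProxyPass / https://127.0.0.1:8081/`) yields only the `backend-scheme` finding, which matches the 502 "pass request body failed" errors reported for it.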
