Gerrit with dual IP


Liu Zheng

Dec 25, 2011, 8:12:06 PM
to Repo and Gerrit Discussion
Hi, I hope I am not bothering you. We have a team of 20 and some of
them can only access the company's local network. Still, we want to
share our work using Gerrit. So we are using a server with dual physical
network cards and dual IPs, one for the LAN for our team to use and another for
outside support. Now we are able to access Gerrit with the LAN IP, but
I can't access it from the outside IP.

Could someone tell me if Gerrit can listen on dual IPs? If yes, how
should I configure my Gerrit? Can anyone suggest some idea for my team
instead of dual IP?

Thanks!

Liu

Magnus Bäck

Dec 27, 2011, 2:37:55 AM
to Repo and Gerrit Discussion
On Monday, December 26, 2011 at 02:12 CET,
Liu Zheng <xm...@malata.com> wrote:

What's the value of the httpd.listenUrl configuration variable
in gerrit.config? Make sure the hostname part is "*" rather than
a specific hostname:

[httpd]
listenUrl = http://*:8080/

--
Magnus Bäck                   Opinions are my own and do not necessarily
SW Configuration Manager      represent the ones of my employer, etc.
Sony Ericsson

Liu Zheng

Dec 27, 2011, 3:11:38 AM
to repo-d...@googlegroups.com
Hi, Magnus:

My listenUrl is set as:
[httpd]
    listenUrl = proxy-http://*:8020/
I am using HTTP authentication with the apache2 server, using port 8012 for the proxy. We are also running Redmine on port 8011, and it is working well on both IPs.

Magnus Bäck

Dec 27, 2011, 3:41:39 AM
to repo-d...@googlegroups.com
On Tuesday, December 27, 2011 at 09:11 CET,
Liu Zheng <xm...@malata.com> wrote:

> > What's the value of the httpd.listenUrl configuration variable
> > in gerrit.config? Make sure the hostname part is "*" rather than
> > a specific hostname:
> >
> > [httpd]
> > listenUrl = http://*:8080/
>

> My listenUrl is set as:
>
> [httpd]
> listenUrl = proxy-http://*:8020/
>
> I am using HTTP authentication with the apache2 server, using port 8012
> for the proxy. We are also running Redmine on port 8011, and it is working
> well on both IPs.

So Gerrit should be listening on all interfaces on port 8020, but that's
irrelevant since it's Apache that's serving the requests via port 8012.
It doesn't sound like Apache is listening on all interfaces then. Does
your VirtualHost line say

<VirtualHost hostname:8012>

when it should be

<VirtualHost *:8012>

?

Shawn Pearce

Dec 27, 2011, 10:18:44 AM
to Liu Zheng, Repo and Gerrit Discussion
On Sun, Dec 25, 2011 at 17:12, Liu Zheng <xm...@malata.com> wrote:
> Could someone tell me if Gerrit can listen on dual IPs? If yes, how
> should I configure my Gerrit? Can anyone suggest some idea for my team
> instead of dual IP?

Aside from the http interface, you may also want to look at the
sshd.listenAddress setting. * will match all IPs on the host. Or you
can list IPs specifically using one or more listenAddress variables in
the file, e.g.:

[sshd]
listenAddress = lan-host1:29418
listenAddress = wan-host2:29418

Jason Axelson

Dec 27, 2011, 2:57:01 PM
to Shawn Pearce, Liu Zheng, Repo and Gerrit Discussion
Hi,

In the past I've also tried something similar to this setup, although
I had two hostnames and one IP (one was reverse-proxied). What is the
recommended setting for gerrit.canonicalWebUrl?

I encountered an issue where I could access gerrit (2.2.1) fine with
an alternate url but as soon as I logged in (via openid) it would
redirect me to the canonical web url.

Jason


Shawn Pearce

Dec 27, 2011, 4:13:11 PM
to Jason Axelson, Liu Zheng, Repo and Gerrit Discussion
On Tue, Dec 27, 2011 at 11:57, Jason Axelson <jaxe...@referentia.com> wrote:
> In the past I've also tried something similar to this setup, although
> I had two hostnames and one IP (one was reverse-proxied). What is the
> recommended setting for gerrit.canonicalWebUrl?

The hostname everyone can reach the server under, and that you prefer
them to use.

> I encountered an issue where I could access gerrit (2.2.1) fine with
> an alternate url but as soon as I logged in (via openid) it would
> redirect me to the canonical web url.

With OpenID the canonicalWebUrl is more important than for other
authentication types. Some OpenID providers generate a different token
for each hostname that is used. If the server is available by 2
different hostnames, the user will get 2 different accounts, one for
each host name they arrive at the server through.

canonicalWebUrl is usually used to redirect to a single common host
name so that OpenID always generates the same account. The AOSP Gerrit
server used to be available under multiple CNAMEs in DNS, but we had a
single canonical host name that the SSL certificate was issued for,
and that we used for the OpenID redirect process, ensuring users only
got 1 account.

Liu Zheng

Dec 27, 2011, 8:16:52 PM
to repo-d...@googlegroups.com
Hi, Magnus:

My Apache VirtualHost line is
"<VirtualHost *:8012>"
And I don't think Apache is the reason. I stopped the Apache service and
tried to access Gerrit directly on port 8020, and I can access it from the
LAN IP, though it gives me a "Configuration error" response; but the
WAN IP didn't even give me any response. So I guess it is
something I configured wrong in Gerrit?

[gerrit]
    basePath = /users/gerrit/repository
[database]
    type = H2
    hostname = localhost
    database = reviewdb
    username = gerrit2
[auth]
    type = HTTP
[sendemail]
    smtpServer = localhost
[container]
    user = gerrit2
    javaHome = /usr/lib/jvm/java-6-sun-1.6.0.22/jre
[sshd]
    listenAddress = *:29418

[httpd]
    listenUrl = proxy-http://*:8020/
[cache]
    directory = cache

Shawn Pearce

Dec 28, 2011, 11:24:05 AM
to Liu Zheng, repo-d...@googlegroups.com
On Tue, Dec 27, 2011 at 17:16, Liu Zheng <xm...@malata.com> wrote:
> My Apache VirtualHost line is
>
> "<VirtualHost *:8012>"
>
> And I don't think Apache is the reason. I stopped the Apache service and
> tried to access Gerrit directly on port 8020, and I can access it from the
> LAN IP, though it gives me a "Configuration error" response; but the
> WAN IP didn't even give me any response. So I guess it is
> something I configured wrong in Gerrit?

If your Apache is being used to supply authentication data to Gerrit,
you should reconfigure Gerrit so it is only available by 127.0.0.1 and
restrict login to that server to only the Gerrit administrators.
Gerrit is trusting whatever the HTTP request says. If a remote user
can connect to Gerrit and tell it a username, Gerrit will trust this
thinking it was already validated by Apache, and permit the client to
act as whatever user they asked to impersonate.
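
A configuration check for the condition described in the reply above, added here as an example and not part of the original thread or of Gerrit itself: it flags a gerrit.config whose auth.type trusts the proxy-supplied identity while httpd.listenUrl accepts non-loopback connections. The function names are hypothetical; the fallback values are assumed to be Gerrit's documented defaults (OPENID, http://*:8080/), and HTTP_LDAP is included as the other auth.type that relies on the proxy's authentication.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# auth.type values where Gerrit accepts the identity the front-end proxy sends.
PROXY_TRUSTING_AUTH = {"HTTP", "HTTP_LDAP"}

def parse_gerrit_config(text):
    """Parse git-config style text into {section: {key: [values]}}."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[\s*([\w.-]+)", line)
        if header:
            section = config.setdefault(header.group(1).lower(), {})
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            section.setdefault(key.lower(), []).append(value)
    return config

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*" or a hostname: assume other hosts can reach it

def exposed_listen_urls(text):
    """Return listenUrl values open to non-local clients under proxy-trusting auth."""
    config = parse_gerrit_config(text)
    # Assumed defaults when a key is absent: OPENID and http://*:8080/.
    auth_type = config.get("auth", {}).get("type", ["OPENID"])[-1].upper()
    if auth_type not in PROXY_TRUSTING_AUTH:
        return []
    urls = config.get("httpd", {}).get("listenurl", ["http://*:8080/"])
    return [u for u in urls if not is_loopback(urlsplit(u).hostname or "*")]

# Constructed samples: the relevant sections as posted in the thread, and the
# same sections with Gerrit bound to loopback only.
POSTED = """
[auth]
    type = HTTP
[httpd]
    listenUrl = proxy-http://*:8020/
"""
FIXED = POSTED.replace("*:8020", "127.0.0.1:8020")

if __name__ == "__main__":
    print(exposed_listen_urls(POSTED), exposed_listen_urls(FIXED))
```

Binding to loopback covers only the network half of the advice; local shell accounts on the server can still reach 127.0.0.1:8020, which is why the reply also restricts login to the Gerrit administrators.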

Jason Axelson

Dec 28, 2011, 5:13:03 PM
to Shawn Pearce, Liu Zheng, Repo and Gerrit Discussion
On Tue, Dec 27, 2011 at 11:13 AM, Shawn Pearce <s...@google.com> wrote:
>> I encountered an issue where I could access gerrit (2.2.1) fine with
>> an alternate url but as soon as I logged in (via openid) it would
>> redirect me to the canonical web url.
>
> With OpenID the canonicalWebUrl is more important than for other
> authentication types. Some OpenID providers generate a different token
> for each hostname that is used. If the server is available by 2
> different hostnames, the user will get 2 different accounts, one for
> each host name they arrive at the server through.
>
> canonicalWebUrl is usually used to redirect to a single common host
> name so that OpenID always generates the same account. The AOSP Gerrit
> server used to be available under multiple CNAMEs in DNS, but we had a
> single canonical host name that the SSL certificate was issued for,
> and that we used for the OpenID redirect process, ensuring users only
> got 1 account.

Thanks for the info! This exactly explains the problem I was seeing
and gives me ideas for how to migrate to a new hostname.

Jason
