set up gerrit with http authentication

27,934

Solution 1

Okay. Actually, I was creating a virtual host on port 8081 and my Jetty (which comes along with Gerrit) was also listening on the same port. My configuration remained almost the same, but these are the additional steps:

  • Add a new port to your SELinux (which has some basic ports defined initially), or you can disable it if security is not an issue.
  • Tell httpd to listen on this port (in my case I added 8082), so add the line Listen <port-no> in your httpd conf file.
  • Change the virtual host to your port number; now your virtual host is set on port 8082:

    <VirtualHost *:8082>
        ServerName localhost
    
        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On
    
        <Proxy *>
              Order deny,allow
              Allow from all
        </Proxy>
        <Location "/login/">
              AuthType Basic
              AuthName "Gerrit Code Review"
              AuthBasicProvider file
              AuthUserFile /usr/local/apache/passwd/passwords
              Require valid-user
        </Location>
    
        ProxyPass / http://localhost:8081/
    </VirtualHost>
    
  • Change the canonical URL to port 8082 (so that it redirects to the same port).

  • Finally, restart Apache and Gerrit (access your-host:8082).

Solution 2

Gerrit is expecting the authentication to be provided. It does not allow anonymous access when you use HTTP authentication.

For this to work you need to authenticate at the root and your Location block should look like this:

    <Location "/">
        AuthType Basic
        AuthName "Gerrit Code Review"
        AuthBasicProvider file
        AuthUserFile /usr/local/apache/passwd/passwords
        Require valid-user
    </Location>

Solution 3

There are a few issues with your configuration:

  1. Apache and Gerrit try to listen on the same port 8081; this is not possible
  2. Your ProxyPass is not the best; it will create some small issues. These issues are:
    1. Unable to create project names with a slash in them, like: main/sub
    2. When reviewing files the check mark will not appear next to the file to show it as reviewed, again this is related to the forward slash not being properly processed
  3. It is most common to use a subfolder and not the root, I guess that works better with the reverse proxy

This is my recommended configuration for you:

    <VirtualHost *:80>
        ServerName localhost

        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On

        <Proxy *>
              Order deny,allow
              Allow from all
        </Proxy>

        <Location "/">
            AuthType Basic
            AuthName "Gerrit Code Review"
            AuthBasicProvider file
            AuthUserFile /usr/local/apache/passwd/passwords
            Require valid-user
        </Location>

        AllowEncodedSlashes On
        ProxyPass /r http://localhost:8081/r nocanon
    </VirtualHost>

Of course, don't forget to amend gerrit.config; the canonicalWebUrl is what you type in the address bar, not what Apache uses to find Gerrit.

    [gerrit]
        basePath = git
        canonicalWebUrl = http://localhost:8082/r

To prevent the Apache default page from showing, add an index.php in your root folder that will redirect your browser to the sub path:

    <?php
        header('Location: http://localhost:8082/r/');
    ?>
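
An added example (not from the answers above, and not Gerrit or Apache tooling): a small Python check for the misconfigurations this thread identifies, namely the shared port, the auth Location that does not cover the proxied path, and the missing encoded-slash handling. The last check, that Gerrit's listener should bind to loopback, is an assumption of this example; the sample configs are constructed from the question and Solution 3, the finding names are hypothetical, and the parsing assumes one VirtualHost with one ProxyPass.

```python
import re

def lint(apache_conf, gerrit_conf):
    """Return finding codes for an Apache vhost fronting Gerrit (auth.type = HTTP)."""
    findings = []
    vhost_port = re.search(r"<VirtualHost\s+[^>]*:(\d+)>", apache_conf).group(1)
    host, port = re.search(r"listenUrl\s*=\s*\S+?://([^:/\s]+):(\d+)", gerrit_conf).groups()
    proxied, flags = re.search(r"^\s*ProxyPass\s+(\S+)\s+\S+(.*)$", apache_conf, re.M).groups()

    # Apache and Gerrit's Jetty cannot both bind the same port.
    if vhost_port == port:
        findings.append("PORT_CLASH")
    # Every proxied path must fall under a Location that requires a user,
    # otherwise requests reach Gerrit without an Authorization header.
    protected = [loc for loc, body in
                 re.findall(r'<Location\s+"([^"]+)">(.*?)</Location>', apache_conf, re.S)
                 if re.search(r"Require\s+valid-user", body)]
    if not any(proxied.startswith(loc) for loc in protected):
        findings.append("AUTH_SCOPE")
    # Project names such as main/sub need encoded slashes passed through as-is.
    if "nocanon" not in flags or not re.search(r"AllowEncodedSlashes\s+On", apache_conf):
        findings.append("ENCODED_SLASHES")
    # Assumption of this example: since Gerrit trusts the identity the proxy
    # forwards, its listener should be reachable only from the proxy (loopback).
    if re.search(r"type\s*=\s*HTTP", gerrit_conf) and host not in ("127.0.0.1", "localhost"):
        findings.append("GERRIT_EXPOSED")
    return findings

# Constructed samples: the question's setup, then Solution 3's vhost on port
# 8082 with Gerrit bound to loopback (the loopback bind is an assumption).
QUESTION_APACHE = """<VirtualHost *:8081>
<Location "/login/">
  Require valid-user
</Location>
ProxyPass / http://localhost:8081/
</VirtualHost>"""
QUESTION_GERRIT = "[auth]\n  type = HTTP\n[httpd]\n  listenUrl = proxy-http://*:8081/\n"
FIXED_APACHE = """<VirtualHost *:8082>
<Location "/">
  Require valid-user
</Location>
AllowEncodedSlashes On
ProxyPass /r http://localhost:8081/r nocanon
</VirtualHost>"""
FIXED_GERRIT = "[auth]\n  type = HTTP\n[httpd]\n  listenUrl = proxy-http://127.0.0.1:8081/r/\n"

if __name__ == "__main__":
    print("question:", lint(QUESTION_APACHE, QUESTION_GERRIT))
    print("fixed:   ", lint(FIXED_APACHE, FIXED_GERRIT))
```
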
Author: shubham

Updated on March 13, 2020

Comments

  • shubham
    shubham about 4 years

    I am trying to configure Gerrit with HTTP basic authentication; my httpd config is

    <VirtualHost *:8081>
        ServerName localhost
    
        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On
    
        <Proxy *>
              Order deny,allow
              Allow from all
        </Proxy>
    
        <Location "/login/">
              AuthType Basic
              AuthName "Gerrit Code Review"
              AuthBasicProvider file
              AuthUserFile /usr/local/apache/passwd/passwords
              Require valid-user
        </Location>
        ProxyPass / http://localhost:8081/
    </VirtualHost>
    

    and my gerrit.config is

    [gerrit]
            basePath = git
            canonicalWebUrl = http://localhost:8081/
    [database]
            type = mysql
            hostname = localhost
            database = reviewdb
            username = gerrit
    [auth]
            type = HTTP
    [sendemail]
            smtpServer = localhost
            smtpUser = gerrit
    [container]
            user = gerrit
            javaHome = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
    [sshd]
            listenAddress = *:29418
    [httpd]
            listenUrl = proxy-http://*:8081/
    [cache]
            directory = cache
    

    I am not sure where I am going wrong, but accessing http://x.x.x.x:8081 says

    The HTTP server did not provide the username in the Authorization header when it forwarded the request to Gerrit Code Review.
    
    If the HTTP server is Apache HTTPd, check the proxy configuration includes an authorization directive with the proper location, ensuring it ends with '/': 
    

    My Gerrit runs on the inbuilt Jetty container and my OS is CentOS 6.4.

    Where am I going wrong?

  • shubham
    shubham almost 11 years
    I have configured according to the above, but I have to set it on port 8082 only, because I have some other service hosted on port 80. Anyhow, when I go to localhost:8082 it shows the Apache test page. Where am I going wrong?
  • uncletall
    uncletall almost 11 years
    Did you use a sub folder? There is a difference between localhost:8082/r and localhost:8082/r; the second will forward, the first doesn't, I think. In my case I actually added an index.php file in the root (/var/www/index.php) that redirects to the sub path; I added it above.
  • shubham
    shubham almost 11 years
    Why are we using "/r/"? I mean, in my original configuration I used /login/ because Gerrit requires the authorization header on mygerrit:8081/login. Anyhow, changing it to /r/ did not solve the issue.
  • shubham
    shubham almost 11 years
    Shouldn't there be a reverse proxy set in this case? Actually I'm new to Apache configuration, so I have very little idea of these. I want to add projects with slashes in them but don't know how to go about that. Right now it gives a 404 error on project names with slashes.
  • uncletall
    uncletall almost 11 years
    The reverse proxy setting is not needed because you specify the canonicalWebUrl; this will be used by Gerrit. Ok, I didn't update the canonicalWebUrl to the 8082 port. And for the location, you do not need to specify the /r/, you can just use /. This is only for the authentication. As you are using HTTP authentication, the /login/ becomes obsolete as there is no anonymous access anymore, right?
  • uncletall
    uncletall almost 11 years
    You mention mygerrit:8081? In that case your canonicalWebUrl should be mygerrit:8081/r and not localhost
  • shubham
    shubham almost 11 years
  • Boris Strandjev
    Boris Strandjev about 10 years
    Thank you, your configuration worked for me as far as checkout goes. However, I am not able to push, getting errors of the kind Authentication failed for...
  • fracz
    fracz over 9 years
    If you are switching to HTTP from OpenID, Gerrit will not create the account_external_ids automatically if the username from HTTP matches the one that has been used with OpenID. It will display a short "Forbidden" message after authentication. To fix this, insert a row that matches your user into the account_external_ids table with external_id equal to gerrit:username.